display partial hash of Vault key

internal/keystore/vault/log.go

@@ -1,9 +1,14 @@
 package vault
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
 	"log/slog"
 	"net/http"
 	"time"
+
+	vaultapi "github.com/hashicorp/vault/api"
 )
 
 type loggingTransport struct {
@@ -21,26 +26,27 @@ func (lt *loggingTransport) RoundTrip(req *http.Request) (*http.Response, error)
 
 	// don't log health checks
 	if req.URL.Path != "/v1/sys/health" {
+		auth := obfuscateToken(req.Header.Get(vaultapi.AuthHeaderName))
 		switch {
 		case err != nil:
 			slog.Debug("HTTP error",
 				slog.String("method", req.Method),
 				slog.String("url", req.URL.String()),
-				slog.String("auth", obfuscateToken(req.Header.Get("X-Vault-Token"))),
+				slog.String("auth", auth),
 				slog.Duration("duration", time.Since(start)),
 				slog.String("error", err.Error()))
 		case resp.StatusCode >= 300:
 			slog.Debug("HTTP error response",
 				slog.String("method", req.Method),
 				slog.String("url", req.URL.String()),
-				slog.String("auth", obfuscateToken(req.Header.Get("X-Vault-Token"))),
+				slog.String("auth", auth),
 				slog.Duration("duration", time.Since(start)),
 				slog.String("status", resp.Status))
 		default:
 			slog.Debug("HTTP success response",
 				slog.String("method", req.Method),
 				slog.String("url", req.URL.String()),
-				slog.String("auth", obfuscateToken(req.Header.Get("X-Vault-Token"))),
+				slog.String("auth", auth),
 				slog.Duration("duration", time.Since(start)),
 				slog.String("status", resp.Status))
 		}
@@ -50,12 +56,9 @@ func (lt *loggingTransport) RoundTrip(req *http.Request) (*http.Response, error)
 }
 
 func obfuscateToken(token string) string {
-	switch {
-	case len(token) == 0:
+	if len(token) == 0 {
 		return ""
-	case len(token) > 8:
-		return "***" + token[len(token)-4:]
-	default:
-		return "***"
 	}
+	hash := sha256.Sum256([]byte(token))
+	return fmt.Sprintf("%s (hashed)", hex.EncodeToString(hash[:16]))
 }