fix(security): remove OAuth token values from debug log statements (#2440)

OAuth tokens and full OAuth responses were being logged at debug level,
which could expose bearer credentials in log files (CWE-532).

[sc-100058]

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: dpgaspar

flask_appbuilder/security/manager.py

@@ -134,7 +134,7 @@ def _oauth_tokengetter(token=None):
     from session cookie.
     """
     token = session.get("oauth")
-    log.debug("Token Get: %s", token)
+    log.debug("Token Get: retrieved OAuth token from session")
     return token
 
 

flask_appbuilder/security/views.py

@@ -698,7 +698,7 @@ def oauth_authorized(self, provider: str) -> WerkzeugResponse:
         if resp is None:
             flash("You denied the request to sign in.", "warning")
             return redirect(self.appbuilder.get_url_for_login)
-        log.debug("OAUTH Authorized resp: %s", resp)
+        log.debug("OAUTH Authorized resp received for provider: %s", provider)
         # Retrieves specific user info from the provider
         try:
             self.appbuilder.sm.set_oauth_session(provider, resp)