From 19b0e23c3d0af4a372194a6510281bd4ca3c1489 Mon Sep 17 00:00:00 2001
From: reivilibre <oliverw@element.io>
Date: Tue, 15 Apr 2025 14:58:30 +0000
Subject: Fix the token introspection cache logging access tokens when MAS
 integration is in use. (#18335)

The `ResponseCache` logs keys by default.

Let's not do that for access tokens.

---------

Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org>
---
 changelog.d/18335.bugfix              |  1 +
 synapse/api/auth/msc3861_delegated.py |  2 ++
 synapse/util/caches/response_cache.py | 33 +++++++++++++++++++++++----------
 3 files changed, 26 insertions(+), 10 deletions(-)
 create mode 100644 changelog.d/18335.bugfix

diff --git a/changelog.d/18335.bugfix b/changelog.d/18335.bugfix
new file mode 100644
index 0000000000..50df5a1b1d
--- /dev/null
+++ b/changelog.d/18335.bugfix
@@ -0,0 +1 @@
+Fix the token introspection cache logging access tokens when MAS integration is in use.
\ No newline at end of file
diff --git a/synapse/api/auth/msc3861_delegated.py b/synapse/api/auth/msc3861_delegated.py
index 74e526123f..cc2c79fa96 100644
--- a/synapse/api/auth/msc3861_delegated.py
+++ b/synapse/api/auth/msc3861_delegated.py
@@ -201,6 +201,8 @@ class MSC3861DelegatedAuth(BaseAuth):
             self._clock,
             "token_introspection",
             timeout_ms=120_000,
+            # don't log because the keys are access tokens
+            enable_logging=False,
         )
 
         self._issuer_metadata = RetryOnExceptionCachedCall[OpenIDProviderMetadata](
diff --git a/synapse/util/caches/response_cache.py b/synapse/util/caches/response_cache.py
index 96b7ca83dc..54b99134b9 100644
--- a/synapse/util/caches/response_cache.py
+++ b/synapse/util/caches/response_cache.py
@@ -101,7 +101,13 @@ class ResponseCache(Generic[KV]):
     used rather than trying to compute a new response.
     """
 
-    def __init__(self, clock: Clock, name: str, timeout_ms: float = 0):
+    def __init__(
+        self,
+        clock: Clock,
+        name: str,
+        timeout_ms: float = 0,
+        enable_logging: bool = True,
+    ):
         self._result_cache: Dict[KV, ResponseCacheEntry] = {}
 
         self.clock = clock
@@ -109,6 +115,7 @@ class ResponseCache(Generic[KV]):
 
         self._name = name
         self._metrics = register_cache("response_cache", name, self, resizable=False)
+        self._enable_logging = enable_logging
 
     def size(self) -> int:
         return len(self._result_cache)
@@ -246,9 +253,12 @@ class ResponseCache(Generic[KV]):
         """
         entry = self._get(key)
         if not entry:
-            logger.debug(
-                "[%s]: no cached result for [%s], calculating new one", self._name, key
-            )
+            if self._enable_logging:
+                logger.debug(
+                    "[%s]: no cached result for [%s], calculating new one",
+                    self._name,
+                    key,
+                )
             context = ResponseCacheContext(cache_key=key)
             if cache_context:
                 kwargs["cache_context"] = context
@@ -269,12 +279,15 @@ class ResponseCache(Generic[KV]):
             return await make_deferred_yieldable(entry.result.observe())
 
         result = entry.result.observe()
-        if result.called:
-            logger.info("[%s]: using completed cached result for [%s]", self._name, key)
-        else:
-            logger.info(
-                "[%s]: using incomplete cached result for [%s]", self._name, key
-            )
+        if self._enable_logging:
+            if result.called:
+                logger.info(
+                    "[%s]: using completed cached result for [%s]", self._name, key
+                )
+            else:
+                logger.info(
+                    "[%s]: using incomplete cached result for [%s]", self._name, key
+                )
 
         span_context = entry.opentracing_span_context
         with start_active_span_follows_from(
-- 
cgit 1.5.1