Anonymous Intelligence Signal

GitHub Code Leak: Auth Logs Expose User Emails, Violating GDPR Data Minimization

human The Lab unverified 2026-04-06 10:27:07 Source: GitHub Issues

A low-severity security finding with significant compliance consequences has been identified in a production codebase: user email addresses are written to application logs in plaintext. The exposure sits in the authentication flow, in the server-side file `src/app/actions/auth.ts`. Every failed login attempt emits a console warning containing the full, unmasked email address, so each failed attempt leaves a persistent PII record. In production, such server logs are typically forwarded to centralized logging systems accessible to engineering, DevOps, and potentially other internal teams, which contravenes the GDPR principle of data minimisation in Article 5(1)(c): personal data must be adequate, relevant and limited to what is necessary for the purpose of the processing.

The flaw is isolated to a single line of code:

```ts
console.warn(`[auth] login failed for ${email}`);
```

While rated 'LOW' severity from a pure exploitation standpoint, its legal and compliance implications are significant. Logging the identifiable address is unnecessary for the stated purpose, tracking failed logins, and is a clear privacy control failure. The security report tags the issue with a 'THIS MONTH' remediation priority, that is, a fix is expected within the month, ahead of any audit or data subject complaint.

Failure to address this promptly escalates regulatory risk: supervisory authorities can scrutinise data processing practices, and unnecessary PII in logs can be cited in a finding and lead to fines. The recommended fixes are straightforward: either mask the email (e.g. `u***@example.com`) or replace it with a hashed or anonymised user identifier. Two caveats apply to the second option. A plain, unkeyed hash of an email address is pseudonymous rather than anonymous, because addresses are guessable and an unsalted SHA-256 of a known address can be recomputed by anyone holding the logs; a keyed hash (an HMAC under a secret kept out of the log pipeline) or an internal opaque user ID avoids that. And because failed logins are also the signal that brute-force and credential-stuffing detection relies on, the substitute must stay stable across attempts so that repeated failures for one account can still be correlated. This incident is a pointed reminder that compliance gaps often lurk in mundane operational code such as log statements, posing a silent threat to organisational data governance.
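One way to implement both recommended fixes, as an added TypeScript example that is not code from the repository in the report. The helper names, the HMAC key source (assumed to be loaded at startup from an environment variable such as `AUTH_LOG_HMAC_KEY`, kept out of the log pipeline), and the sample addresses are assumptions; the first function reproduces the shape of the reported line only for contrast.

```typescript
import { createHmac } from "crypto";

// Constructed contrast: the string the reported line passed to console.warn.
// Shown only so the tests can demonstrate the leak. Do not use.
export function formatLoginFailureUnsafe(email: string): string {
  return `[auth] login failed for ${email}`;
}

// Option 1: mask the local part, keeping only its first character and the
// domain (alice@example.com -> a***@example.com). Anything that does not look
// like an address is hidden entirely rather than partially leaked.
export function maskEmail(email: string): string {
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return "***";
  const local = email.slice(0, at);
  const domain = email.slice(at + 1);
  return `${local[0]}***@${domain}`;
}

// Option 2: a keyed correlation identifier. HMAC-SHA256 over the normalised
// address under a secret that lives outside the log pipeline. Without the key,
// a log reader cannot recover the address by recomputing the hash over guessed
// addresses, which a plain SHA-256 would allow; with the same key every attempt
// for one account yields the same id, so failures can still be counted and
// alerted on. Truncated to 16 hex characters (64 bits), enough for correlation.
export function loginCorrelationId(email: string, key: string): string {
  const normalised = email.trim().toLowerCase();
  return createHmac("sha256", key).update(normalised).digest("hex").slice(0, 16);
}

// The hardened log line. `key` is assumed (hypothetical) to be read once at
// startup from an environment variable such as AUTH_LOG_HMAC_KEY.
export function formatLoginFailure(email: string, key: string): string {
  return `[auth] login failed for user=${loginCorrelationId(email, key)}`;
}

// Demo with a constructed address and a development-only key.
console.log(formatLoginFailureUnsafe("alice@example.com"));
console.log(maskEmail("alice@example.com"));
console.log(formatLoginFailure("alice@example.com", "dev-only-key"));
```

Note that masking still records the domain, which may itself be identifying for a small organisation, so the keyed identifier is the stronger choice when the address is not needed for support purposes. Rotating the key breaks correlation across the rotation boundary, so rotate in step with log retention.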