philipptrenz / covidpass.eu

Scan your vaccination, test and recovery certificates in QR code representation and save them to your Apple Wallet

Home Page:https://covidpass.eu


Logging of confidential data in case of an error

timokoenig opened this issue · comments

Even though sending the whole QR code to the server which contains sensitive personal data is not the best idea, you should definitely not log this data on your server.

https://github.com/philipptrenz/covidpass/blob/6dbffaf1b517f22429c5a9952638bd8f7b4714ed/server-middleware/rest.js#L57

https://github.com/philipptrenz/covidpass/blob/6dbffaf1b517f22429c5a9952638bd8f7b4714ed/server-middleware/rest.js#L66

If you log errors, you should exclude everything that is related to the user or considered sensitive data.

Hey @timokoenig thanks for the review, this is much appreciated!

As you already figured out in #23, only the hash values get sent to the server, as stated within the README. Sorry for the confusion about https://github.com/philipptrenz/covidpass/blob/90c90fbf82ef606eb4992a01fcf9180321daafec/plugins/src/pass.js#L41 I'll remove it with the next release.

As the manifestJson only contains SHA-1 hashes of the pass, icons and logos, I would say it is acceptable to log this data for detecting and comprehending potential errors and abuse of the API. Would you agree on this?

I get why you're trying to log those cases, but I would say for best practice you could remove the key/value for pass.json or replace the value with a random string. It's not that easy to get values from SHA-1 hashes, but IMO this application should mitigate as many potential threats as possible.

I will have a look on the weekend if I can find anything else.

Hey there, sorry for the late reply. You're right, SHA-1 collisions are possible, albeit expensive (estimated at about $43,000 USD for 2021; Source).

Nevertheless, the hash value does not carry any helpful information, so removing it is a good idea.