Is there a danger in leaking authenticity_token in logs? To put it differently: should I filter them out from logs?
Where are your logs located?
I do use Heroku and pipe logs to Papertrail (log aggregation service). Also, logs are stored in Amazon S3 for some time.
If these logs get compromised, can these tokens be used again (i.e. are these tokens reusable?)
It varies on each request: https://medium.com/rubyinside/a-deep-dive-into-csrf-protection-in-rails-19fa0a42c0ef
They are only valid for 15 minutes and then they are never going to work again. They don't matter. I suppose if you had enough of them you could brute-force out what the secret key was, but that's a nation-state level of effort. Are your users (or their haters) in that league?
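Added example (not part of this thread and not Rails' own code): a plain-Ruby redaction step for `authenticity_token` values in Rails-style log lines, for the case where you decide to filter them before they are shipped to an aggregator such as Papertrail. The `redact_tokens` / `leaks_token?` helpers and the sample log lines are constructed here for illustration.

```ruby
# Added example: scrub authenticity_token values from Rails-style log text.
# Rails' config.filter_parameters only covers the "Parameters:" line; applying
# a redaction pass to raw log lines also catches query strings and ad-hoc logs.
REDACTED = "[FILTERED]".freeze
SENSITIVE_KEYS = %w[authenticity_token].freeze

# Matches  "authenticity_token"=>"<value>"  (Rails Parameters hash style),
#          authenticity_token: "<value>"     (symbol-key style), and
#          authenticity_token=<value>        (query-string style).
# Groups: 1 = key plus separator, 2 = opening quote (if any), 3 = value, 4 = closing quote.
def redaction_pattern(key)
  /(["']?#{Regexp.escape(key)}["']?\s*(?:=>|=|:)\s*)(["']?)([^"'&\s,}]+)(\2)/
end

# Replaces every sensitive value in +line+ with REDACTED, keeping the key and quoting.
def redact_tokens(line, keys = SENSITIVE_KEYS)
  keys.reduce(line) do |acc, key|
    acc.gsub(redaction_pattern(key)) do
      m = Regexp.last_match
      "#{m[1]}#{m[2]}#{REDACTED}#{m[4]}"
    end
  end
end

# True when a line still carries an unredacted token value (useful as a check
# on the log drain's output, not just on its input).
def leaks_token?(line, keys = SENSITIVE_KEYS)
  keys.any? do |key|
    line.scan(redaction_pattern(key)).any? { |m| m[2] != REDACTED }
  end
end

def redact_all(lines)
  lines.map { |l| redact_tokens(l) }
end

# Constructed sample lines in the shape a Rails app emits (values are made up).
SAMPLE_LINES = [
  'Started POST "/posts" for 203.0.113.5 at 2024-01-01 12:00:00 +0000',
  '  Parameters: {"authenticity_token"=>"AbC123xyz==", "post"=>{"title"=>"hi"}}',
  'Started GET "/search?q=rails&authenticity_token=ZZZ999" for 203.0.113.5',
].freeze

redact_all(SAMPLE_LINES).each { |l| puts l }
```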