Skip to content

fix: mask short API keys#208

Open
ahfoysal wants to merge 1 commit into
404-PF:mainfrom
ahfoysal:fix-mask-short-api-keys
Open

fix: mask short API keys#208
ahfoysal wants to merge 1 commit into
404-PF:mainfrom
ahfoysal:fix-mask-short-api-keys

Conversation

@ahfoysal

@ahfoysal ahfoysal commented Jul 5, 2026

Copy link
Copy Markdown

Closes #203.

Summary

  • prevent short API keys from being fully exposed in config output
  • keep the existing four-character prefix for longer keys
  • update maskApiKey coverage for short key lengths

Verification

  • npm run build
  • node dist/index.js --help
  • node --test tests/config-command.test.mjs
  • git diff --check

Summary by CodeRabbit

  • Bug Fixes
    • Updated API key masking so shorter keys are displayed more consistently and securely.
    • Adjusted the visible portion of masked keys based on key length, changing how 1–4 character keys are shown.
    • Aligned automated checks with the revised masking behavior.

@ahfoysal ahfoysal requested a review from 404-Page-Found as a code owner July 5, 2026 10:05
@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1c0a84c5-7525-4804-a2ee-836d26a0248f

📥 Commits

Reviewing files that changed from the base of the PR and between 28e0049 and c113d75.

📒 Files selected for processing (2)
  • src/commands/config.ts
  • tests/config-command.test.mjs
📜 Recent review details
🧰 Additional context used
📓 Path-based instructions (2)
tests/**/*.mjs

📄 CodeRabbit inference engine (AGENTS.md)

tests/**/*.mjs: Use Node.js built-in node:test for test files in tests/ and tests/e2e/; do not use Jest or Mocha.
Write test assertions with node:assert/strict in test files under tests/ and tests/e2e/.

Files:

  • tests/config-command.test.mjs
src/**/*.ts

📄 CodeRabbit inference engine (AGENTS.md)

The project is ESM-only: use .js extensions in local imports and keep verbatimModuleSyntax-compatible TypeScript imports (for example, import type for type-only imports).

Files:

  • src/commands/config.ts
🔇 Additional comments (4)
src/commands/config.ts (3)

86-91: LGTM!


94-101: LGTM! The floor(length/2) clamp correctly limits the visible prefix for short keys (e.g. 1-char → 0 visible, 4-char → 2 visible) while preserving the 4-character cap for longer keys, matching the updated test expectations.


99-99: 🩺 Stability & Availability

Checked-in dist is rebuilt before publish prepublishOnly runs npm run build, so the package won’t ship the old masking logic from this file.

			> Likely an incorrect or invalid review comment.
tests/config-command.test.mjs (1)

146-158: LGTM! Test expectations correctly reflect the new floor(length/2) clamp.


📝 Walkthrough

Walkthrough

The masking calculation in maskApiKey was changed to reveal fewer leading characters for short API keys, using a half-length clamp instead of a max-2 clamp. Corresponding unit tests were updated. A generic function signature was reformatted without behavior change.

Changes

maskApiKey Security Fix

Layer / File(s) Summary
Visible-prefix calculation and tests
src/commands/config.ts, tests/config-command.test.mjs
maskApiKey now computes visible prefix as min(4, floor(apiKey.length/2)) instead of min(4, max(2, apiKey.length)), reducing exposure for short keys; tests updated for 1–4 character inputs to match new reveal behavior. updateConfigField's generic signature is reformatted to a single line with no behavior change.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related PRs

  • 404-PF/commit-echo#140: Both PRs modify maskApiKey in src/commands/config.ts and update corresponding test expectations.
  • 404-PF/commit-echo#164: Same masking rule validated via updated tests in tests/config-command.test.mjs.

Suggested reviewers: 404-Page-Found

Poem

A key so short, once bared to sight,
Now hides its digits, dots shining bright.
This rabbit hops with a satisfied grin,
Half the length revealed, the rest tucked in.
••••🐇 secure and snug, review's begun!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title concisely describes the main change: masking short API keys in config output.
Linked Issues check ✅ Passed The PR addresses #203 by preventing short keys from being fully exposed and adds short-key masking tests.
Out of Scope Changes check ✅ Passed No clearly unrelated changes are introduced; the formatting tweak and test updates stay within the masking fix.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@its-Sohan its-Sohan left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice fix, the logic is correct and addresses the issue well.

One note: the formatting change to updateConfigField (collapsed to one line) is unrelated to the bug fix — separating formatting from logic keeps PRs cleaner. Minor, not blocking.

The key change (Math.floor(apiKey.length / 2)) is clean and the tests cover all edge cases properly. LGTM.

@404-Page-Found 404-Page-Found left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] config output reveals full short API keys

3 participants