Redact sensitive information (#1681)

Fixes OPS-3082

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Logging now automatically redacts sensitive information (passwords,
auth tokens, etc.) from all log outputs — including nested objects,
stringified JSON, error messages and stack traces — while preserving
existing truncation and numeric rounding behavior. Public APIs and
signatures remain unchanged.

* **Tests**
* Added tests validating redaction across various data formats, nesting
levels, circular structures, and error contexts.

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: bigfluffycookie

packages/server/shared/src/lib/logger/log-cleaner.ts

@@ -4,6 +4,83 @@ import { ApplicationError } from '@openops/shared';
 
 export const maxFieldLength = 2048;
 
+const REDACTED = '[REDACTED]';
+
+const SENSITIVE_PATTERNS = [
+  'password',
+  'token',
+  'secret',
+  'authorization',
+  'apikey',
+  'privatekey',
+  'cookie',
+  'session',
+  'passphrase',
+];
+
+const SENSITIVE_FIELD_PATTERNS = SENSITIVE_PATTERNS.map(
+  (pattern) =>
+    new RegExp(String.raw`"[^"]*${pattern}[^"]*"\s*:\s*"[^"]*"`, 'gi'),
+);
+
+const isSensitiveField = (key: string): boolean => {
+  const lowerKey = key.toLowerCase();
+  return SENSITIVE_PATTERNS.some((pattern) => lowerKey.includes(pattern));
+};
+
+const redactSensitiveFields = (obj: any, visited = new WeakSet()): any => {
+  try {
+    if (obj === null || obj === undefined) {
+      return obj;
+    }
+
+    if (typeof obj !== 'object') {
+      return obj;
+    }
+
+    if (visited.has(obj)) {
+      return '[Circular]';
+    }
+
+    visited.add(obj);
+
+    if (Array.isArray(obj)) {
+      return obj.map((item) => redactSensitiveFields(item, visited));
+    }
+
+    const redacted: any = {};
+    for (const key in obj) {
+      if (isSensitiveField(key)) {
+        redacted[key] = REDACTED;
+      } else if (typeof obj[key] === 'object' && obj[key] !== null) {
+        redacted[key] = redactSensitiveFields(obj[key], visited);
+      } else {
+        redacted[key] = obj[key];
+      }
+    }
+    return redacted;
+  } catch (error) {
+    return `[Error redacting object: ${error}]`;
+  }
+};
+
+const redactSensitiveDataInString = (
+  value: string | undefined,
+): string | undefined => {
+  if (!value) {
+    return value;
+  }
+  let result = value;
+  SENSITIVE_FIELD_PATTERNS.forEach((pattern) => {
+    result = result.replace(pattern, (match) => {
+      const colonIndex = match.indexOf(':');
+      const keyPart = match.substring(0, colonIndex);
+      return `${keyPart}:"${REDACTED}"`;
+    });
+  });
+  return result;
+};
+
 export const truncate = (
   value: string | undefined,
   maxLength: number = maxFieldLength,
@@ -15,7 +92,7 @@ export const truncate = (
 
 export const cleanLogEvent = (logEvent: any) => {
   if (logEvent.message) {
-    logEvent.message = truncate(logEvent.message);
+    logEvent.message = redactSensitiveDataInString(truncate(logEvent.message));
   }
 
   if (!logEvent.event) {
@@ -34,14 +111,18 @@ export const cleanLogEvent = (logEvent: any) => {
       continue;
     }
 
-    if (key === 'res' && value && value.raw) {
+    if (isSensitiveField(key)) {
+      eventData[key] = REDACTED;
+    } else if (key === 'res' && value?.raw) {
       extractRequestFields(value, eventData, logEvent);
     } else if (value instanceof Error) {
       extractErrorFields(key, value, eventData, logEvent);
     } else if (typeof value === 'number') {
       eventData[key] = Math.round(value * 100) / 100;
     } else if (typeof value === 'object') {
-      eventData[key] = stringify(value);
+      eventData[key] = stringify(redactSensitiveFields(value));
+    } else if (typeof value === 'string') {
+      eventData[key] = redactSensitiveDataInString(truncate(value));
     } else {
       eventData[key] = truncate(value);
     }
@@ -76,19 +157,23 @@ function extractErrorFields(
 ) {
   const errorKey = key === 'err' ? 'error' : key;
   const { stack, message, name, ...context } = value;
-  eventData[errorKey + 'Stack'] = truncate(stack);
+  eventData[errorKey + 'Stack'] = redactSensitiveDataInString(truncate(stack));
   if (message) {
-    eventData[errorKey + 'Message'] = truncate(message);
+    eventData[errorKey + 'Message'] = redactSensitiveDataInString(
+      truncate(message),
+    );
     if (!logEvent.message) {
-      logEvent.message = truncate(message);
+      logEvent.message = redactSensitiveDataInString(truncate(message));
     }
   }
   eventData[errorKey + 'Name'] = truncate(name);
   if (value instanceof ApplicationError) {
     eventData[errorKey + 'Code'] = truncate(value.error.code);
-    eventData[errorKey + 'Params'] = stringify(value.error.params);
+    eventData[errorKey + 'Params'] = stringify(
+      redactSensitiveFields(value.error.params),
+    );
   } else if (context && Object.keys(context).length) {
-    eventData[errorKey + 'Context'] = stringify(context);
+    eventData[errorKey + 'Context'] = stringify(redactSensitiveFields(context));
   }
 }
 

packages/server/shared/test/log-cleaner.test.ts

@@ -129,14 +129,72 @@ describe('log-cleaner', () => {
 
     expect(result).toEqual({
       event: {
-        circularObject:
-          'Logger error - could not stringify object. TypeError: Converting circular structure to JSON\n' +
-          "    --> starting at object with constructor 'Object'\n" +
-          "    --- property 'circular' closes the circle",
+        circularObject: '{"key":"value","circular":"[Circular]"}',
       },
     });
   });
 
+  describe('sensitive data redaction', () => {
+    it('should redact password field', () => {
+      const logEvent = {
+        event: {
+          email: 'user@example.com',
+          password: 'secret',
+        },
+      };
+
+      const result = cleanLogEvent(logEvent);
+
+      expect(result.event.password).toBe('[REDACTED]');
+      expect(result.event.email).toBe('user@example.com');
+    });
+
+    it('should redact authorization field in objects', () => {
+      const logEvent = {
+        event: {
+          request: {
+            method: 'POST',
+            authorization: 'Bearer token',
+          },
+        },
+      };
+
+      const result = cleanLogEvent(logEvent);
+
+      expect(result.event.request).toContain('[REDACTED]');
+      expect(result.event.request).not.toContain('Bearer token');
+    });
+
+    it('should redact password in stringified JSON', () => {
+      const logEvent = {
+        event: {
+          body: '{"email":"user@example.com","password":"secret"}',
+        },
+      };
+
+      const result = cleanLogEvent(logEvent);
+
+      expect(result.event.body).toContain('[REDACTED]');
+      expect(result.event.body).not.toContain('secret');
+    });
+
+    it('should redact password in nested objects', () => {
+      const logEvent = {
+        event: {
+          request: {
+            email: 'user@example.com',
+            password: 'secret',
+          },
+        },
+      };
+
+      const result = cleanLogEvent(logEvent);
+
+      expect(result.event.request).toContain('[REDACTED]');
+      expect(result.event.request).not.toContain('secret');
+    });
+  });
+
   describe('error objects', () => {
     it('should map error object', () => {
       const error = new Error('test error');
@@ -276,8 +334,8 @@ describe('log-cleaner', () => {
 
       const result = cleanLogEvent(logEvent);
 
-      expect(result.event.errorContext).toMatch(
-        /^Logger error - could not stringify object\./,
+      expect(result.event.errorContext).toBe(
+        '{"key":"value","circular":{"key":"value","circular":"[Circular]"}}',
       );
     });
 
@@ -300,8 +358,8 @@ describe('log-cleaner', () => {
 
       const result = cleanLogEvent(logEvent);
 
-      expect(result.event.errorParams).toMatch(
-        /^Logger error - could not stringify object\./,
+      expect(result.event.errorParams).toBe(
+        '{"message":"test","data":{"circular":"[Circular]"}}',
       );
     });