fix(web-api): redact response body in debug logs#2652
Conversation
Apply redact() to API response bodies before debug logging, consistent with how request bodies and headers are already handled. This prevents tokens returned in API responses (e.g., oauth.v2.access, openid.connect.token) from being written to logs in plaintext when debug logging is enabled. Fixes #2651
🦋 Changeset detectedLatest commit: 4fc31ac The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #2652 +/- ##
==========================================
- Coverage 89.06% 89.04% -0.02%
==========================================
Files 65 65
Lines 10436 10436
Branches 471 468 -3
==========================================
- Hits 9295 9293 -2
Misses 1120 1120
- Partials 21 23 +2
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
WilliamBergamin
left a comment
There was a problem hiding this comment.
This is a solid change 💯
I think we might want to gate the redaction logic behind a try catch so that it does not raise an error if it fails and rather logs the problem 🤔 let me know what you think of this
If we could add some tests for this it would be nice
There was a problem hiding this comment.
thank you for reviewing @WilliamBergamin! i agree with these changes except that the existing debug lines on 702 and 721 don't include these guards. should we add them there too to stay consistent?
|
Ohh actually by bad, the object we pass to What do you think about just adding a unit test to make sure the redaction works 🙏 |
Adds a unit test verifying that tokens in API response bodies are redacted before being written to debug logs. Fixes #2651
|
added unit test and left redact changes as is! can i get a quick approve @WilliamBergamin? |
WilliamBergamin
left a comment
There was a problem hiding this comment.
Looking good 💯 left one suggestion for the test 🙏
Co-authored-by: William Bergamin <wbergamin@salesforce.com>
Co-authored-by: William Bergamin <wbergamin@salesforce.com>
The redact() function previously only operated on top-level keys, meaning nested tokens (e.g., authed_user.access_token in oauth.v2.access responses) would still appear in debug logs. Now recurses into nested objects to redact token keys at any depth.
Summary
redact()to API response bodies before debug logging, consistent with how request bodies and headers are already handledredact()parameter type fromRecord<string, unknown>toobjectso it acceptsWebAPICallResultwithout castingoauth.v2.access,openid.connect.token,tooling.tokens.rotate) from being written to logs in plaintext when debug logging is enabledTest plan
npm run build --workspace=packages/web-apipassesnpm test --workspace=packages/web-api— all 155 tests passLogLevel.DEBUG, calloauth.v2.access, confirmaccess_tokenshows as[[REDACTED]]in outputFixes #2651