feat: redact x-addon-sso header and response from /sso endpoints from debug logs (#68)

* feat: redact x-addon-sso header

* feat: redact response from endpoints ending in /sso from debug logs

* fix: fix tests and add chalk dependency

* test: test fix

Author: k80bowman

.DS_Store

@@ -5,10 +5,12 @@
   "author": "Heroku",
   "bugs": "https://github.com/heroku/http-call/issues",
   "dependencies": {
+    "chalk": "^4.1.2",
     "content-type": "^1.0.5",
     "debug": "^4.4.0",
     "is-retry-allowed": "^2.2.0",
     "is-stream": "^2.0.0",
+    "sinon": "^20.0.0",
     "tunnel-agent": "^0.6.0"
   },
   "devDependencies": {
@@ -17,11 +19,13 @@
     "@types/jest": "^29.5.14",
     "@types/nock": "^10.0.3",
     "@types/node": "20.14.8",
+    "@types/sinon": "^17.0.4",
     "eslint": "^7.32.0",
     "eslint-config-oclif": "^4.0.0",
     "eslint-config-oclif-typescript": "^1.0.2",
     "jest": "^29.7.0",
     "nock": "^11.9.1",
+    "strip-ansi": "6.0.1",
     "ts-jest": "^29.2.5",
     "typescript": "4.8.4"
   },

package.json

@@ -1,5 +1,8 @@
 import * as nock from 'nock'
 import * as querystring from 'node:querystring'
+import * as sinon from 'sinon'
+const stripAnsi = require('strip-ansi')
+const debug = require('debug')
 
 // eslint-disable-next-line node/no-missing-import
 import {Global} from './global'
@@ -335,6 +338,36 @@ describe('HTTP.parseBody()', () => {
   })
 })
 
+describe('debug logs', () => {
+  let debugSpy: sinon.SinonSpy
+  beforeEach(() => {
+    debugSpy = sinon.spy(debug, 'log')
+    debug.enable('*')
+  })
+  afterEach(() => {
+    debug.disable('*')
+    debugSpy.restore()
+  })
+
+  it('redacts authorization header from debug logs', async () => {
+    api.get('/').reply(200, {message: 'ok'}, {authorization: '1234567890'})
+    await HTTP.get('https://api.jdxcode.com')
+    expect(stripAnsi(debugSpy.secondCall.firstArg)).toContain('authorization: \'[REDACTED]\'')
+  })
+
+  it('redacts x-addon-sso header from debug logs', async () => {
+    api.get('/').reply(200, {message: 'ok'}, {'x-addon-sso': '1234567890'})
+    await HTTP.get('https://api.jdxcode.com')
+    expect(stripAnsi(debugSpy.secondCall.firstArg)).toContain('x-addon-sso: \'[REDACTED]\'')
+  })
+
+  it('redacts the response from endpoints ending in /sso from debug logs', async () => {
+    api.get('/sso').reply(200, {message: 'ok'})
+    await HTTP.get('https://api.jdxcode.com/sso')
+    expect(stripAnsi(debugSpy.secondCall.firstArg)).toContain('[REDACTED]')
+  })
+})
+
 describe('HTTP.put()', () => {
   test('makes a PUT request', async () => {
     api.put('/', {foo: 'bar'}).reply(200, {message: 'ok'})

src/http.test.ts

@@ -8,6 +8,7 @@ import {Global} from './global'
 const pjson = require('../package.json')
 const debug = require('debug')('http')
 const debugHeaders = require('debug')('http:headers')
+const chalk = require('chalk')
 
 interface IErrorWithCode extends Error {
   code?: string
@@ -332,24 +333,18 @@ export class HTTP<T> {
     throw err
   }
 
-  private get _chalk(): any {
-    try {
-      return require('chalk')
-    } catch {}
-  }
-
   private _renderStatus(code: number) {
     if (code < 200) return code
-    if (code < 300) return this._chalk.green(code)
-    if (code < 400) return this._chalk.bold.cyan(code)
-    if (code < 500) return this._chalk.bgYellow(code)
-    if (code < 600) return this._chalk.bgRed(code)
+    if (code < 300) return chalk.green(code)
+    if (code < 400) return chalk.bold.cyan(code)
+    if (code < 500) return chalk.bgYellow(code)
+    if (code < 600) return chalk.bgRed(code)
     return code
   }
 
   private _debugRequest() {
     if (!debug.enabled) return
-    const output = [`${this._chalk.bold('→')} ${this._chalk.blue.bold(this.options.method)} ${this._chalk.bold(this.url)}`]
+    const output = [`${chalk.bold('→')} ${chalk.blue.bold(this.options.method)} ${chalk.bold(this.url)}`]
     if (this.options.agent) output.push(`  proxy: ${inspect(this.options.agent)}`)
     if (debugHeaders.enabled) output.push(this._renderHeaders(this.options.headers))
     if (this.options.body) output.push(this.options.body)
@@ -358,23 +353,28 @@ export class HTTP<T> {
 
   private _debugResponse() {
     if (!debug.enabled) return
-    const chalk = require('chalk')
-    const output = [`${this._chalk.white.bold('←')} ${this._chalk.blue.bold(this.method)} ${this._chalk.bold(this.url)} ${this._renderStatus(this.statusCode)}`]
+    const output = [`${chalk.white.bold('←')} ${chalk.blue.bold(this.method)} ${chalk.bold(this.url)} ${this._renderStatus(this.statusCode)}`]
     if (debugHeaders.enabled) output.push(this._renderHeaders(this.headers))
-    if (this.body) output.push(inspect(this.body))
+    if (this.body) {
+      if (this.options.path?.endsWith('/sso')) {
+        output.push('[REDACTED]')
+      } else output.push(inspect(this.body))
+    }
+
     debug(output.join('\n'))
   }
 
   private _renderHeaders(headers: http.IncomingHttpHeaders | http.OutgoingHttpHeaders): string {
     headers = {...headers}
     if (process.env.HTTP_CALL_REDACT !== '0' && headers.authorization) headers.authorization = '[REDACTED]'
+    if (process.env.HTTP_CALL_REDACT !== '0' && headers['x-addon-sso']) headers['x-addon-sso'] = '[REDACTED]'
     return Object.entries(headers)
       .sort(([a], [b]) => {
         if (a < b) return -1
         if (a > b) return 1
         return 0
       })
-      .map(([k, v]) => `  ${this._chalk.dim(k + ':')} ${this._chalk.cyan(inspect(v))}`)
+      .map(([k, v]) => `  ${chalk.dim(k + ':')} ${chalk.cyan(inspect(v))}`)
       .join('\n')
   }
 

src/http.ts

@@ -636,7 +636,7 @@
   resolved "https://registry.yarnpkg.com/@sinclair/typebox/-/typebox-0.27.8.tgz#6667fac16c436b5434a387a34dedb013198f6e6e"
   integrity sha512-+Fj43pSMwJs4KRrH/938Uf+uAELIgVBmQzg/q1YG10djyfA3TnrU8N8XzqCh/okZdszqBQTZf96idMfE5lnwTA==
 
-"@sinonjs/commons@^3.0.0":
+"@sinonjs/commons@^3.0.0", "@sinonjs/commons@^3.0.1":
   version "3.0.1"
   resolved "https://registry.yarnpkg.com/@sinonjs/commons/-/commons-3.0.1.tgz#1029357e44ca901a615585f6d27738dbc89084cd"
   integrity sha512-K3mCHKQ9sVh8o1C9cxkwxaOmXoAMlDxC1mYyHrjqOWEcBjYr76t96zL2zlj5dUGZ3HSw240X1qgH3Mjf1yJWpQ==
@@ -650,6 +650,22 @@
   dependencies:
     "@sinonjs/commons" "^3.0.0"
 
+"@sinonjs/fake-timers@^13.0.5":
+  version "13.0.5"
+  resolved "https://registry.yarnpkg.com/@sinonjs/fake-timers/-/fake-timers-13.0.5.tgz#36b9dbc21ad5546486ea9173d6bea063eb1717d5"
+  integrity sha512-36/hTbH2uaWuGVERyC6da9YwGWnzUZXuPro/F2LfsdOsLnCojz/iSH8MxUt/FD2S5XBSVPhmArFUXcpCQ2Hkiw==
+  dependencies:
+    "@sinonjs/commons" "^3.0.1"
+
+"@sinonjs/samsam@^8.0.1":
+  version "8.0.2"
+  resolved "https://registry.yarnpkg.com/@sinonjs/samsam/-/samsam-8.0.2.tgz#e4386bf668ff36c95949e55a38dc5f5892fc2689"
+  integrity sha512-v46t/fwnhejRSFTGqbpn9u+LQ9xJDse10gNnPgAcxgdoCDMXj/G2asWAC/8Qs+BAZDicX+MNZouXT1A7c83kVw==
+  dependencies:
+    "@sinonjs/commons" "^3.0.1"
+    lodash.get "^4.4.2"
+    type-detect "^4.1.0"
+
 "@types/babel__core@^7.1.14":
   version "7.20.5"
   resolved "https://registry.yarnpkg.com/@types/babel__core/-/babel__core-7.20.5.tgz#3df15f27ba85319caa07ba08d0721889bb39c017"
@@ -756,6 +772,18 @@
   resolved "https://registry.yarnpkg.com/@types/normalize-package-data/-/normalize-package-data-2.4.4.tgz#56e2cc26c397c038fab0e3a917a12d5c5909e901"
   integrity sha512-37i+OaWTh9qeK4LSHPsyRC7NahnGotNuZvjLSgcPzblpHB3rrCJxAOgI5gCdKm7coonsaX1Of0ILiTcnZjbfxA==
 
+"@types/sinon@^17.0.4":
+  version "17.0.4"
+  resolved "https://registry.yarnpkg.com/@types/sinon/-/sinon-17.0.4.tgz#fd9a3e8e07eea1a3f4a6f82a972c899e5778f369"
+  integrity sha512-RHnIrhfPO3+tJT0s7cFaXGZvsL4bbR3/k7z3P312qMS4JaS2Tk+KiwiLx1S0rQ56ERj00u1/BtdyVd0FY+Pdew==
+  dependencies:
+    "@types/sinonjs__fake-timers" "*"
+
+"@types/sinonjs__fake-timers@*":
+  version "8.1.5"
+  resolved "https://registry.yarnpkg.com/@types/sinonjs__fake-timers/-/sinonjs__fake-timers-8.1.5.tgz#5fd3592ff10c1e9695d377020c033116cc2889f2"
+  integrity sha512-mQkU2jY8jJEF7YHjHvsQO8+3ughTL1mcnn96igfhONmR+fUPSKIkefQYpSe8bsly2Ep7oQbn/6VG5/9/0qcArQ==
+
 "@types/stack-utils@^2.0.0":
   version "2.0.3"
   resolved "https://registry.yarnpkg.com/@types/stack-utils/-/stack-utils-2.0.3.tgz#6209321eb2c1712a7e7466422b8cb1fc0d9dd5d8"
@@ -1092,7 +1120,7 @@ chalk@^2.0.0, chalk@^2.4.2:
     escape-string-regexp "^1.0.5"
     supports-color "^5.3.0"
 
-chalk@^4.0.0, chalk@^4.0.2:
+chalk@^4.0.0, chalk@^4.0.2, chalk@^4.1.2:
   version "4.1.2"
   resolved "https://registry.yarnpkg.com/chalk/-/chalk-4.1.2.tgz#aac4e2b7734a740867aeb16bf02aad556a1e7a01"
   integrity sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==
@@ -1246,6 +1274,11 @@ diff-sequences@^29.6.3:
   resolved "https://registry.yarnpkg.com/diff-sequences/-/diff-sequences-29.6.3.tgz#4deaf894d11407c51efc8418012f9e70b84ea921"
   integrity sha512-EjePK1srD3P08o2j4f0ExnylqRs5B9tJjcp9t1krH2qRi8CCdsYfwe9JgSLurFBWwq4uOlipzfk5fHNvwFKr8Q==
 
+diff@^7.0.0:
+  version "7.0.0"
+  resolved "https://registry.yarnpkg.com/diff/-/diff-7.0.0.tgz#3fb34d387cd76d803f6eebea67b921dab0182a9a"
+  integrity sha512-PJWHUb1RFevKCwaFA9RlG5tCd+FO5iRh9A8HEtkmBH2Li03iJriB6m6JIN4rGz3K3JLawI7/veA1xzRKP6ISBw==
+
 dir-glob@^3.0.1:
   version "3.0.1"
   resolved "https://registry.yarnpkg.com/dir-glob/-/dir-glob-3.0.1.tgz#56dbf73d992a4a93ba1584f4534063fd2e41717f"
@@ -2416,6 +2449,11 @@ locate-path@^5.0.0:
   dependencies:
     p-locate "^4.1.0"
 
+lodash.get@^4.4.2:
+  version "4.4.2"
+  resolved "https://registry.yarnpkg.com/lodash.get/-/lodash.get-4.4.2.tgz#2d177f652fa31e939b4438d5341499dfa3825e99"
+  integrity sha512-z+Uw/vLuy6gQe8cfaFWD7p0wVv8fJl3mbzXh33RS+0oW2wvUqiRXiQ69gLWSLpgB5/6sU+r6BlQR0MBILadqTQ==
+
 lodash.memoize@^4.1.2:
   version "4.1.2"
   resolved "https://registry.yarnpkg.com/lodash.memoize/-/lodash.memoize-4.1.2.tgz#bcc6c49a42a2840ed997f323eada5ecd182e0bfe"
@@ -2904,6 +2942,17 @@ signal-exit@^3.0.3, signal-exit@^3.0.7:
   resolved "https://registry.yarnpkg.com/signal-exit/-/signal-exit-3.0.7.tgz#a9a1767f8af84155114eaabd73f99273c8f59ad9"
   integrity sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==
 
+sinon@^20.0.0:
+  version "20.0.0"
+  resolved "https://registry.yarnpkg.com/sinon/-/sinon-20.0.0.tgz#4b653468735f7152ba694d05498c2b5d024ab006"
+  integrity sha512-+FXOAbdnj94AQIxH0w1v8gzNxkawVvNqE3jUzRLptR71Oykeu2RrQXXl/VQjKay+Qnh73fDt/oDfMo6xMeDQbQ==
+  dependencies:
+    "@sinonjs/commons" "^3.0.1"
+    "@sinonjs/fake-timers" "^13.0.5"
+    "@sinonjs/samsam" "^8.0.1"
+    diff "^7.0.0"
+    supports-color "^7.2.0"
+
 sisteransi@^1.0.0:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/sisteransi/-/sisteransi-1.0.2.tgz#ec57d64b6f25c4f26c0e2c7dd23f2d7f12f7e418"
@@ -2991,7 +3040,7 @@ string-width@^4.1.0, string-width@^4.2.0, string-width@^4.2.3:
     is-fullwidth-code-point "^3.0.0"
     strip-ansi "^6.0.1"
 
-strip-ansi@^6.0.0, strip-ansi@^6.0.1:
+strip-ansi@6.0.1, strip-ansi@^6.0.0, strip-ansi@^6.0.1:
   version "6.0.1"
   resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
   integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
@@ -3020,7 +3069,7 @@ supports-color@^5.3.0:
   dependencies:
     has-flag "^3.0.0"
 
-supports-color@^7.1.0:
+supports-color@^7.1.0, supports-color@^7.2.0:
   version "7.2.0"
   resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-7.2.0.tgz#1b7dcdcb32b8138801b3e478ba6a51caa89648da"
   integrity sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==
@@ -3127,6 +3176,11 @@ [email protected]:
   resolved "https://registry.yarnpkg.com/type-detect/-/type-detect-4.0.8.tgz#7646fb5f18871cfbb7749e69bd39a6388eb7450c"
   integrity sha512-0fr/mIH1dlO+x7TlcMy+bIDqKPsw/70tVyeHW787goQjhmqaZe10uwLujubK9q9Lg6Fiho1KUKDYz0Z7k7g5/g==
 
+type-detect@^4.1.0:
+  version "4.1.0"
+  resolved "https://registry.yarnpkg.com/type-detect/-/type-detect-4.1.0.tgz#deb2453e8f08dcae7ae98c626b13dddb0155906c"
+  integrity sha512-Acylog8/luQ8L7il+geoSxhEkazvkslg7PSNKOX59mbB9cOveP5aq9h74Y7YU8yDpJwetzQQrfIwtf4Wp4LKcw==
+
 type-fest@^0.20.2:
   version "0.20.2"
   resolved "https://registry.yarnpkg.com/type-fest/-/type-fest-0.20.2.tgz#1bf207f4b28f91583666cb5fbd327887301cd5f4"