fix(appdata): Redact sensitive values in AppData logs and add redaction tests

2025-08-16 13:15:32 +00:00
parent 2cc0da4462
commit e3a76ca577
5 changed files with 160 additions and 21 deletions
--- a/test/test.redaction.ts
+++ b/test/test.redaction.ts
@@ -0,0 +1,85 @@
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as npmextra from '../ts/index.js';
+
+// Test that sensitive values are properly redacted in logs
+tap.test('should redact sensitive values in console output', async () => {
+  // Capture console.log output
+  const originalLog = console.log;
+  const logOutput: string[] = [];
+  console.log = (...args: any[]) => {
+    logOutput.push(args.join(' '));
+  };
+
+  try {
+    // Set up environment variables with sensitive data
+    process.env['API_KEY'] = 'super-secret-api-key-12345';
+    process.env['DATABASE_PASSWORD'] = 'myP@ssw0rd123';
+    process.env['AUTH_TOKEN'] = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ';
+    process.env['PUBLIC_URL'] = 'https://example.com';
+    process.env['DEBUG_MODE'] = 'true';
+
+    // Create AppData with sensitive environment mappings
+    const appData = await npmextra.AppData.createAndInit({
+      ephemeral: true,
+      envMapping: {
+        apiKey: 'API_KEY',
+        dbPassword: 'DATABASE_PASSWORD',
+        authToken: 'AUTH_TOKEN',
+        publicUrl: 'PUBLIC_URL',
+        debugMode: 'boolean:DEBUG_MODE',
+        nestedConfig: {
+          secretKey: 'API_KEY',
+          nonSecret: 'PUBLIC_URL'
+        }
+      }
+    });
+
+    // Restore console.log
+    console.log = originalLog;
+
+    // Check that sensitive values were redacted in logs
+    const combinedOutput = logOutput.join('\n');
+    
+    // API_KEY should be redacted
+    expect(combinedOutput).toContain('sup...[26 chars]');
+    expect(combinedOutput).not.toContain('super-secret-api-key-12345');
+    
+    // DATABASE_PASSWORD should be redacted
+    expect(combinedOutput).toContain('myP...[13 chars]');
+    expect(combinedOutput).not.toContain('myP@ssw0rd123');
+    
+    // AUTH_TOKEN should be redacted (JWT tokens starting with eyJ)
+    expect(combinedOutput).toContain('eyJ...[');
+    expect(combinedOutput).not.toContain('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9');
+    
+    // PUBLIC_URL should not be redacted (not sensitive)
+    expect(combinedOutput).toContain('https://example.com');
+    
+    // DEBUG_MODE should not be redacted (not sensitive)
+    expect(combinedOutput).toContain('true');
+
+    // Verify data is still stored correctly (not redacted in actual storage)
+    const kvStore = await appData.getKvStore();
+    const apiKey = await kvStore.readKey('apiKey');
+    const dbPassword = await kvStore.readKey('dbPassword');
+    const publicUrl = await kvStore.readKey('publicUrl');
+    
+    // Actual values should be stored correctly
+    expect(apiKey).toEqual('super-secret-api-key-12345');
+    expect(dbPassword).toEqual('myP@ssw0rd123');
+    expect(publicUrl).toEqual('https://example.com');
+    
+  } finally {
+    // Restore console.log in case of test failure
+    console.log = originalLog;
+    
+    // Clean up environment variables
+    delete process.env['API_KEY'];
+    delete process.env['DATABASE_PASSWORD'];
+    delete process.env['AUTH_TOKEN'];
+    delete process.env['PUBLIC_URL'];
+    delete process.env['DEBUG_MODE'];
+  }
+});
+
+export default tap.start();