
Conversation


Copilot AI commented Dec 20, 2025

Auth tokens were exposed in HTTP request/response logs and in error messages from failed HTTP operations (where Go's http library includes the full URL with query parameters).

Changes

  • Added redactAuthToken() utility - Regex-based redaction replacing auth_token values with *** in URLs and form data. Regex patterns compiled once at package init for efficiency.

  • Added redactError() helper - Wraps error objects to redact tokens before display.

  • Updated logging functions - LogRequest() and LogResponse() now redact before writing to log files.

  • Updated error printing - All error output in main.go (22 instances across all commands) now uses redactError() instead of direct %v formatting.

Example

Before:

Error: Get "https://api.beeminder.com/goals.json?auth_token=abc123": connection failed

After:

Error: Get "https://api.beeminder.com/goals.json?auth_token=***": connection failed

Tests added for redaction logic and logging behavior.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • invalid-hostname-that-does-not-exist.example.com
    • Triggering command: /tmp/go-build836282665/b001/exe/test_http_error /tmp/go-build836282665/b001/exe/test_http_error (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

When outputting error messages we need to make sure to redact the user's auth token


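The PR's diff itself is not reproduced on this page, so the following is an added example, not the project's code: one way to build the redaction the description above spells out in Go, with patterns compiled once at package init, a `redactError`-style wrapper that keeps `errors.As` working through `Unwrap`, and a constructed `*url.Error` standing in for the failed request in the "Before" example (note that `url.Error.Error()` embeds the full URL including the query string, and `(*url.URL).Redacted()` only masks userinfo passwords, so the query-parameter token survives Go's own redaction). Function names (`RedactAuthToken`, `RedactError`, `FormatLogRequest`, `RedactKnownSecret`), the `***` placeholder and the sample URL are assumptions; the JSON-body, `Authorization`-header and known-value passes go beyond the URL and form-data cases the PR lists.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

const redacted = "***"

// Patterns compiled once at package init so the logging path does no regexp
// compilation. Group 1 keeps the key; the remainder is the secret to replace.
var (
	// ?auth_token=v / &auth_token=v in URLs and x-www-form-urlencoded bodies.
	tokenParamRe = regexp.MustCompile(`(?i)(\bauth_token=)[^&\s"']*`)
	// "auth_token":"v" in JSON request or response bodies (assumed extra case).
	tokenJSONRe = regexp.MustCompile(`(?i)("auth_token"\s*:\s*")[^"]*`)
	// Authorization: Bearer v / Basic v when headers are logged (assumed extra case).
	authHeaderRe = regexp.MustCompile(`(?i)(\bAuthorization:\s*(?:Bearer|Basic)\s+)\S+`)
)

// RedactAuthToken masks token values wherever one of the patterns matches.
// It is safe on arbitrary text, including Go's url.Error messages.
func RedactAuthToken(s string) string {
	s = tokenParamRe.ReplaceAllString(s, "${1}"+redacted)
	s = tokenJSONRe.ReplaceAllString(s, "${1}"+redacted)
	s = authHeaderRe.ReplaceAllString(s, "${1}"+redacted)
	return s
}

// RedactKnownSecret is the belt-and-braces step: when the caller holds the
// real token, scrub the literal value too, so a token reaching an error
// through a path the regexes do not anticipate is still masked. Very short
// values are skipped to avoid mangling unrelated text (threshold assumed).
func RedactKnownSecret(s, secret string) string {
	if len(secret) < 8 {
		return s
	}
	return strings.ReplaceAll(s, secret, redacted)
}

// redactedError wraps an error so Error() is redacted while errors.Is and
// errors.As still reach the original through Unwrap.
type redactedError struct{ err error }

func (e *redactedError) Error() string { return RedactAuthToken(e.err.Error()) }
func (e *redactedError) Unwrap() error { return e.err }

// RedactError returns err with its message redacted; nil stays nil.
// Print it with %v or %s: %#v would dump the wrapped struct, token included.
func RedactError(err error) error {
	if err == nil {
		return nil
	}
	return &redactedError{err: err}
}

// AsURLError demonstrates that the wrapper is transparent to errors.As.
func AsURLError(err error) (*url.Error, bool) {
	var ue *url.Error
	ok := errors.As(err, &ue)
	return ue, ok
}

// FormatLogRequest renders one request log line with URL and body redacted
// before anything is written to the log file.
func FormatLogRequest(method, rawURL, body string) string {
	return fmt.Sprintf("%s %s body=%q", method, RedactAuthToken(rawURL), RedactAuthToken(body))
}

// simulatedHTTPError builds the same *url.Error net/http returns for a failed
// request (constructed sample, no network access).
func simulatedHTTPError() error {
	return &url.Error{
		Op:  "Get",
		URL: "https://api.beeminder.com/api/v1/users/me/goals.json?auth_token=abc123",
		Err: errors.New("dial tcp: connection refused"),
	}
}

func main() {
	err := simulatedHTTPError()
	fmt.Println("raw:     ", err)
	fmt.Println("redacted:", RedactError(err))
	fmt.Println(FormatLogRequest("POST",
		"https://api.beeminder.com/api/v1/users/me/goals/bike/datapoints.json",
		"auth_token=abc123&value=5&comment=hello"))
	fmt.Println(RedactAuthToken(`{"auth_token":"abc123","value":5}`))
}
```

Two practitioner checks worth keeping in mind with this shape of fix: the regexes only catch the token next to a recognisable key, so scrubbing the known literal value as well covers panics and third-party error strings, and every `%v` call site must actually receive the wrapped error, since one missed `fmt.Printf("%v", err)` on the raw `*url.Error` reintroduces the leak.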


coderabbitai bot commented Dec 20, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI changed the title [WIP] Add user auth token redaction in error messages feat: redact auth tokens in logs and error messages Dec 20, 2025
Copilot AI requested a review from narthur December 20, 2025 13:21
@narthur narthur marked this pull request as ready for review December 20, 2025 16:32
Copilot AI review requested due to automatic review settings December 20, 2025 16:32

github-actions bot commented Dec 20, 2025

🚀 Pre-release Build Ready

Test builds are ready! Install directly using the bin command:

# Install the pre-release
bin install https://github.com/PinePeakDigital/buzz/releases/tag/pr-199-latest buzz-pr-199
# Run the pre-release
buzz-pr-199
# Uninstall the pre-release
bin remove buzz-pr-199

Direct Download Links

Or download binaries directly from the pre-release page:

💡 No GitHub login required for downloads!

🗑️ This pre-release will be automatically deleted when the PR is closed.


Copilot AI left a comment


Pull request overview

This PR implements comprehensive redaction of authentication tokens from logs and error messages to prevent accidental credential exposure. The implementation uses efficient pre-compiled regex patterns and has been thoroughly tested.

Key Changes

  • Added regex-based redactAuthToken() utility function to replace auth_token values with *** in URLs and form data
  • Updated all 22 error message outputs across commands to use redactError() wrapper
  • Modified HTTP logging functions to redact tokens before writing to log files

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Summary per file:

  • utils.go: Added redactAuthToken() and redactError() functions with pre-compiled regex patterns for efficient token redaction
  • utils_test.go: Added comprehensive test coverage for redaction logic including edge cases like multiple occurrences, special characters, and error messages
  • config.go: Updated LogRequest() and LogResponse() to redact auth tokens from URLs before logging
  • config_test.go: Added integration tests verifying that auth tokens are properly redacted in log files
  • main.go: Updated all error output statements (22 instances) to use redactError() instead of direct error formatting

@narthur narthur merged commit e60bdc0 into main Dec 20, 2025
2 checks passed
@narthur narthur deleted the copilot/redact-auth-token-in-error-messages branch December 20, 2025 16:37