From 71d55a53b35128aeb6391afadac7e5bd30cbb4fa Mon Sep 17 00:00:00 2001
From: "Aaron K. Clark"
Date: Tue, 19 May 2026 10:24:57 -0500
Subject: [PATCH] chore(redact-url): add OAuth2 token names to the sensitive-param set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The redact-url middleware strips a small allowlist of known-sensitive query parameter values before the URL hits the structured log. \`authkey\`, \`apikey\`, \`api_key\`, \`token\`, \`access_token\`, \`password\`, and \`secret\` were already covered. This API doesn't issue OAuth2 tokens itself, but operators sometimes front the service with an OAuth proxy whose redirect / error paths bounce a \`?refresh_token=...\` or \`?id_token=...\` through one of our URLs. Adding these and \`client_secret\` as defense-in-depth means a log line captured during that flow doesn't become the leak vector. The existing test in tests/unit/redact-url.test.js iterates over SENSITIVE_PARAM_NAMES and asserts each one redacts — so coverage extends automatically without a code change to the test file. 760 tests still pass.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 app/middleware/redact-url.js | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/app/middleware/redact-url.js b/app/middleware/redact-url.js
index 8555216..b03b51d 100644
--- a/app/middleware/redact-url.js
+++ b/app/middleware/redact-url.js
@@ -23,6 +23,15 @@ const SENSITIVE_PARAM_NAMES = new Set([
 'api_key',
 'token',
 'access_token',
+ // OAuth2 token-exchange flow puts these on the query string in
+ // some misuses; defense-in-depth for operators fronting this
+ // API with an OAuth proxy whose redirect / error paths might
+ // bounce through a /v1/* URL. We don't issue OAuth tokens
+ // ourselves, but if a leaked log line contains one we shouldn't
+ // be the source.
+ 'refresh_token',
+ 'id_token',
+ 'client_secret',
 'password',
 'secret',
 ]);
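Review bot: The new OAuth entries leave out `code`, the authorization-code parameter that a standard redirect normally carries on the query string, so the proxy-bounce case described in the added comment could still write a redeemable credential to the log. Consider adding `'code',` next to `'refresh_token',` (and possibly `'code_verifier'` and `'client_assertion'`), after checking that no /v1/* endpoint uses `code` as an ordinary parameter whose value is needed in logs. The Set literal opens above the hunk and the lookup code is not visible here, so it cannot be confirmed whether parameter names are compared case-insensitively. If they are not, a variant such as `Refresh_Token` would pass through unredacted, and lower-casing the name before the membership check would be a worthwhile follow-up.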