ensure headers are redacted when inspecting http requests & responses (…

…#3826) Co-authored-by: Tim <hello@timsmart.co>
Effect-TS · Oct 23, 2024 · 42cd72a · 42cd72a
1 parent c5d537f
commit 42cd72a
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 23 deletions.
diff --git a/.changeset/old-spies-knock.md b/.changeset/old-spies-knock.md
@@ -0,0 +1,5 @@
+---
+"@effect/platform": patch
+---
+
+ensure requests & responses have headers redacted when inspecting
diff --git a/packages/platform-browser/src/internal/httpClient.ts b/packages/platform-browser/src/internal/httpClient.ts
@@ -314,25 +314,11 @@ class ClientResponseImpl extends IncomingMessageImpl<Error.ResponseError> implem
   }
 
   toJSON(): unknown {
-    let body: unknown
-    try {
-      body = Effect.runSync(this.json)
-    } catch (_) {
-      //
-    }
-    try {
-      body = body ?? Effect.runSync(this.text)
-    } catch (_) {
-      //
-    }
-    return {
+    return IncomingMessage.inspect(this, {
       _id: "@effect/platform/HttpClientResponse",
       request: this.request.toJSON(),
-      status: this.status,
-      headers: this.headers,
-      remoteAddress: this.remoteAddress.toJSON(),
-      body
-    }
+      status: this.status
+    })
   }
 }
 

diff --git a/packages/platform/src/HttpIncomingMessage.ts b/packages/platform/src/HttpIncomingMessage.ts
@@ -5,7 +5,7 @@ import * as Effect from "effect/Effect"
 import * as FiberRef from "effect/FiberRef"
 import { dual } from "effect/Function"
 import * as Global from "effect/GlobalValue"
-import type { Inspectable } from "effect/Inspectable"
+import * as Inspectable from "effect/Inspectable"
 import * as Option from "effect/Option"
 import type * as ParseResult from "effect/ParseResult"
 import * as Schema from "effect/Schema"
@@ -31,7 +31,7 @@ export type TypeId = typeof TypeId
  * @since 1.0.0
  * @category models
  */
-export interface HttpIncomingMessage<E> extends Inspectable {
+export interface HttpIncomingMessage<E> extends Inspectable.Inspectable {
   readonly [TypeId]: TypeId
   readonly headers: Headers.Headers
   readonly remoteAddress: Option.Option<string>
@@ -116,7 +116,7 @@ export const inspect = <E>(self: HttpIncomingMessage<E>, that: object): object =
   }
   const obj: any = {
     ...that,
-    headers: self.headers,
+    headers: Inspectable.redact(self.headers),
     remoteAddress: self.remoteAddress.toJSON()
   }
   if (body !== undefined) {

diff --git a/packages/platform/src/internal/httpClientRequest.ts b/packages/platform/src/internal/httpClientRequest.ts
@@ -29,7 +29,7 @@ const Proto = {
       url: this.url,
       urlParams: this.urlParams,
       hash: this.hash,
-      headers: this.headers,
+      headers: Inspectable.redact(this.headers),
       body: this.body.toJSON()
     }
   },

diff --git a/packages/platform/src/internal/httpServerResponse.ts b/packages/platform/src/internal/httpServerResponse.ts
@@ -75,7 +75,7 @@ class ServerResponseImpl extends Effectable.StructuralClass<ServerResponse.HttpS
       _id: "@effect/platform/HttpServerResponse",
       status: this.status,
       statusText: this.statusText,
-      headers: this.headers,
+      headers: Inspectable.redact(this.headers),
       cookies: this.cookies.toJSON(),
       body: this.body.toJSON()
     }

diff --git a/packages/platform/test/HttpClient.test.ts b/packages/platform/test/HttpClient.test.ts
@@ -1,13 +1,14 @@
 import {
   Cookies,
   FetchHttpClient,
+  Headers,
   HttpClient,
   HttpClientRequest,
   HttpClientResponse,
   UrlParams
 } from "@effect/platform"
 import { assert, describe, expect, it } from "@effect/vitest"
-import { Either, Ref, Struct } from "effect"
+import { Either, FiberId, FiberRefs, Inspectable, Ref, Struct } from "effect"
 import * as Context from "effect/Context"
 import * as Effect from "effect/Effect"
 import * as Layer from "effect/Layer"
@@ -191,4 +192,33 @@ describe("HttpClient", () => {
       )
       assert.deepStrictEqual(response, { id: 1, userId: 1, title: "delectus aut autem", completed: false })
     }).pipe(Effect.provide(JsonPlaceholderLive)))
+
+  it("ClientRequest redacts headers", () => {
+    const request = HttpClientRequest.get(new URL("https://example.com")).pipe(
+      HttpClientRequest.setHeaders({
+        "authorization": "foobar"
+      })
+    )
+
+    const fiberRefs = FiberRefs.unsafeMake(
+      new Map([
+        [
+          Headers.currentRedactedNames,
+          [[FiberId.none, ["Authorization"]] as const]
+        ] as const
+      ])
+    )
+    const r = Inspectable.withRedactableContext(fiberRefs, () => Inspectable.toStringUnknown(request))
+    const redacted = JSON.parse(r)
+
+    assert.deepStrictEqual(redacted, {
+      _id: "@effect/platform/HttpClientRequest",
+      method: "GET",
+      url: "https://example.com/",
+      urlParams: [],
+      hash: { _id: "Option", _tag: "None" },
+      headers: { authorization: "<redacted>" },
+      body: { _id: "@effect/platform/HttpBody", _tag: "Empty" }
+    })
+  })
 })