From f764c3b6285e1d59862a92c7ea2b47b6555e77b1 Mon Sep 17 00:00:00 2001
From: Gregor <gregor@martynus.net>
Date: Thu, 16 May 2019 14:04:49 -0700
Subject: [PATCH] fix: redact `?access_token=...` in `url` if present

---
 src/index.ts | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/index.ts b/src/index.ts
index e66d870..a60c15a 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -70,12 +70,13 @@ export class RequestError extends Error {
       });
     }
 
-    // client_id & client_secret can be passed as URL query parameters to increase rate limit
-    // see https://developer.github.com/v3/#increasing-the-unauthenticated-rate-limit-for-oauth-applications
-    requestCopy.url = requestCopy.url.replace(
-      /\bclient_secret=\w+/g,
-      "client_secret=[REDACTED]"
-    );
+    requestCopy.url = requestCopy.url
+      // client_id & client_secret can be passed as URL query parameters to increase rate limit
+      // see https://developer.github.com/v3/#increasing-the-unauthenticated-rate-limit-for-oauth-applications
+      .replace(/\bclient_secret=\w+/g, "client_secret=[REDACTED]")
+      // OAuth tokens can be passed as URL query parameters, although it is not recommended
+      // see https://developer.github.com/v3/#oauth2-token-sent-in-a-header
+      .replace(/\baccess_token=\w+/g, "access_token=[REDACTED]");
 
     this.request = requestCopy;
   }