feat: obfuscate refresh_token parameter in oauth request by default (#…
maksymgendin authored Dec 9, 2024
1 parent bba2898 commit 4ef191e
Showing 3 changed files with 16 additions and 12 deletions.
16 changes: 8 additions & 8 deletions README.md
Expand Up @@ -302,14 +302,14 @@ e.g. *password*.

Logbook supports different types of filters:

| Type | Operates on | Applies to | Default |
|------------------|--------------------------------|------------|-----------------------------------------------------------------------------------|
| `QueryFilter` | Query string | request | `access_token` |
| `PathFilter` | Path | request | n/a |
| `HeaderFilter` | Header (single key-value pair) | both | `Authorization` |
| `BodyFilter` | Content-Type and body | both | json: `access_token` and `refresh_token`<br> form: `client_secret` and `password` |
| `RequestFilter` | `HttpRequest` | request | Replace binary, multipart and stream bodies. |
| `ResponseFilter` | `HttpResponse` | response | Replace binary, multipart and stream bodies. |
| Type | Operates on | Applies to | Default |
|------------------|--------------------------------|------------|----------------------------------------------------------------------------------------------------|
| `QueryFilter` | Query string | request | `access_token` |
| `PathFilter` | Path | request | n/a |
| `HeaderFilter` | Header (single key-value pair) | both | `Authorization` |
| `BodyFilter` | Content-Type and body | both | json: `access_token` and `refresh_token`<br> form: `client_secret`, `password` and `refresh_token` |
| `RequestFilter` | `HttpRequest` | request | Replace binary, multipart and stream bodies. |
| `ResponseFilter` | `HttpResponse` | response | Replace binary, multipart and stream bodies. |

`QueryFilter`, `PathFilter`, `HeaderFilter` and `BodyFilter` are relatively high-level and should cover all needs in ~90% of all
cases. For more complicated setups one should fallback to the low-level variants, i.e. `RequestFilter` and `ResponseFilter`
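Review bot: the updated `BodyFilter` row now lists `refresh_token` for form bodies, but the `QueryFilter` default in the same table still covers only `access_token`, so a refresh token passed as a query parameter rather than in the form body would still reach the log unmasked; if that asymmetry is intentional, a short sentence below the table saying the form default targets the token-endpoint request body would stop readers from assuming the query string is covered as well.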
Expand Up @@ -33,6 +33,7 @@ public static BodyFilter oauthRequest() {
final Set<String> properties = new HashSet<>();
properties.add("client_secret");
properties.add("password");
properties.add("refresh_token");
return replaceFormUrlEncodedProperty(properties, "XXX");
}

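Review bot: adding `refresh_token` to the default `oauthRequest()` set silently changes the log output of every existing deployment that relies on the default filter, so it deserves a changelog or release-note entry alongside the README table edit; while touching this method, the mutable `HashSet` returned into `replaceFormUrlEncodedProperty(properties, "XXX")` could be made unmodifiable (e.g. wrapped with `Collections.unmodifiableSet`) so the default property list cannot be altered after construction.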
@@ -1,6 +1,8 @@
package org.zalando.logbook.core;

import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;
import org.zalando.logbook.BodyFilter;

import static java.util.Collections.singleton;
Expand All @@ -12,13 +14,14 @@

final class BodyFiltersTest {

@Test
void filtersClientSecretByOauthRequestFilterByDefault() {
@ParameterizedTest
@ValueSource(strings = {"client_secret", "password", "refresh_token"})
void filtersParameterByOauthRequestFilterByDefault(String parameterName) {
final BodyFilter unit = defaultValue();

final String actual = unit.filter("application/x-www-form-urlencoded", "client_secret=secret");
final String actual = unit.filter("application/x-www-form-urlencoded", parameterName + "=secret");

assertThat(actual).isEqualTo("client_secret=XXX");
assertThat(actual).isEqualTo(parameterName + "=XXX");
}

@Test
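Review bot: the parameterized test only exercises a body consisting of a single `name=secret` pair, so it does not show that replacement is keyed on the parameter name rather than its value; a refresh grant's form body is `grant_type=refresh_token&refresh_token=<token>`, and a case like that (expecting `grant_type=refresh_token&refresh_token=XXX`) would also confirm that the filtered names coexist correctly in one body and that unrelated parameters pass through untouched.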

0 comments on commit 4ef191e