Merge pull request #3558 from Shopify/sanitize-api-key

Sanitize "api_key" from verbose log

packages/cli-kit/src/public/node/monorail.test.ts

@@ -40,4 +40,12 @@ describe('monorail', () => {
       headers: expectedHeaders,
     })
   })
+
+  test('sanitizes the api_key from the debug log', async () => {
+    const outputMock = mockAndCaptureOutput()
+    const res = await publishMonorailEvent('fake_schema/0.0', {api_key: 'some-api-key'}, {baz: 'abc'})
+    expect(res.type).toEqual('ok')
+    expect(outputMock.debug()).toContain('"api_key": "****"')
+    expect(outputMock.debug()).not.toContain('some-api-key')
+  })
 })

packages/cli-kit/src/public/node/monorail.ts

@@ -198,7 +198,7 @@ export async function publishMonorailEvent<TSchemaId extends keyof Schemas, TPay
     const response = await fetch(url, {method: 'POST', body, headers})
 
     if (response.status === 200) {
-      outputDebug(outputContent`Analytics event sent: ${outputToken.json(payload)}`)
+      outputDebug(outputContent`Analytics event sent: ${outputToken.json(sanitizePayload(payload))}`)
       return {type: 'ok'}
     } else {
       outputDebug(`Failed to report usage analytics: ${response.statusText}`)
@@ -215,6 +215,21 @@ export async function publishMonorailEvent<TSchemaId extends keyof Schemas, TPay
   }
 }
 
+/**
+ * Sanitizies the api_key from the payload and returns a new hash.
+ *
+ * @param payload - The public and sensitive data.
+ * @returns A copy of the payload with the api_key sanitized.
+ */
+function sanitizePayload<T extends object>(payload: T): T {
+  const result = {...payload}
+  if ('api_key' in result) {
+    result.api_key = '****'
+  }
+
+  return result
+}
+
 const buildHeaders = (currentTime: number) => {
   return {
     'Content-Type': 'application/json; charset=utf-8',