From c3200bd283b1bbd601629b04b8d9d9baebab0577 Mon Sep 17 00:00:00 2001
From: Theodore Tan <theodore.tan@shopify.com>
Date: Wed, 13 Mar 2024 09:36:24 -0400
Subject: [PATCH 1/3] Sanitize api key from verbose log

---
 .../cli-kit/src/public/node/monorail.test.ts    |  7 +++++++
 packages/cli-kit/src/public/node/monorail.ts    | 17 ++++++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/packages/cli-kit/src/public/node/monorail.test.ts b/packages/cli-kit/src/public/node/monorail.test.ts
index 39f246933e..f608b05ab0 100644
--- a/packages/cli-kit/src/public/node/monorail.test.ts
+++ b/packages/cli-kit/src/public/node/monorail.test.ts
@@ -40,4 +40,11 @@ describe('monorail', () => {
       headers: expectedHeaders,
     })
   })
+
+  test('sanitizes the api_key from the debug log', async () => {
+    const outputMock = mockAndCaptureOutput()
+    const res = await publishMonorailEvent('fake_schema/0.0', {api_key: 'some-api-key'}, {baz: 'abc'})
+    expect(res.type).toEqual('ok')
+    expect(outputMock.debug()).toContain('"api_key": "****"')
+  })
 })
diff --git a/packages/cli-kit/src/public/node/monorail.ts b/packages/cli-kit/src/public/node/monorail.ts
index f0bc3fc3bb..2d097d9917 100644
--- a/packages/cli-kit/src/public/node/monorail.ts
+++ b/packages/cli-kit/src/public/node/monorail.ts
@@ -198,7 +198,7 @@ export async function publishMonorailEvent<TSchemaId extends keyof Schemas, TPay
     const response = await fetch(url, {method: 'POST', body, headers})
 
     if (response.status === 200) {
-      outputDebug(outputContent`Analytics event sent: ${outputToken.json(payload)}`)
+      outputDebug(outputContent`Analytics event sent: ${outputToken.json(sanitizePayload(payload))}`)
       return {type: 'ok'}
     } else {
       outputDebug(`Failed to report usage analytics: ${response.statusText}`)
@@ -215,6 +215,21 @@ export async function publishMonorailEvent<TSchemaId extends keyof Schemas, TPay
   }
 }
 
+/**
+ * Sanitizies the api_key from the payload.
+ *
+ * @param payload - The public and sensitive data.
+ * @returns The payload with the api_key sanitized.
+ */
+function sanitizePayload<T extends object>(payload: T): T {
+  const result = {...payload}
+  if ('api_key' in result) {
+    result.api_key = '****'
+  }
+
+  return result
+}
+
 const buildHeaders = (currentTime: number) => {
   return {
     'Content-Type': 'application/json; charset=utf-8',

From fd7f92a718a2fd4f880bffaed9b13d21a9357483 Mon Sep 17 00:00:00 2001
From: Theodore Tan <theodore.tan@shopify.com>
Date: Thu, 28 Mar 2024 17:06:00 -0400
Subject: [PATCH 2/3] Modify payload directly and add additional test

---
 packages/cli-kit/src/public/node/monorail.test.ts | 1 +
 packages/cli-kit/src/public/node/monorail.ts      | 7 +++----
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/packages/cli-kit/src/public/node/monorail.test.ts b/packages/cli-kit/src/public/node/monorail.test.ts
index f608b05ab0..fcb8e5751a 100644
--- a/packages/cli-kit/src/public/node/monorail.test.ts
+++ b/packages/cli-kit/src/public/node/monorail.test.ts
@@ -46,5 +46,6 @@ describe('monorail', () => {
     const res = await publishMonorailEvent('fake_schema/0.0', {api_key: 'some-api-key'}, {baz: 'abc'})
     expect(res.type).toEqual('ok')
     expect(outputMock.debug()).toContain('"api_key": "****"')
+    expect(outputMock.debug()).not.toContain('some-api-key')
   })
 })
diff --git a/packages/cli-kit/src/public/node/monorail.ts b/packages/cli-kit/src/public/node/monorail.ts
index 2d097d9917..e05ef6960e 100644
--- a/packages/cli-kit/src/public/node/monorail.ts
+++ b/packages/cli-kit/src/public/node/monorail.ts
@@ -222,12 +222,11 @@ export async function publishMonorailEvent<TSchemaId extends keyof Schemas, TPay
  * @returns The payload with the api_key sanitized.
  */
 function sanitizePayload<T extends object>(payload: T): T {
-  const result = {...payload}
-  if ('api_key' in result) {
-    result.api_key = '****'
+  if ('api_key' in payload) {
+    payload.api_key = '****'
   }
 
-  return result
+  return payload
 }
 
 const buildHeaders = (currentTime: number) => {

From dfa068f33934d7b8051b75f4d24dff574b13080c Mon Sep 17 00:00:00 2001
From: Theodore Tan <theodore.tan@shopify.com>
Date: Thu, 4 Apr 2024 12:21:40 -0400
Subject: [PATCH 3/3] Dont modify the original payload

---
 packages/cli-kit/src/public/node/monorail.ts | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/packages/cli-kit/src/public/node/monorail.ts b/packages/cli-kit/src/public/node/monorail.ts
index e05ef6960e..27b41c2c57 100644
--- a/packages/cli-kit/src/public/node/monorail.ts
+++ b/packages/cli-kit/src/public/node/monorail.ts
@@ -216,17 +216,18 @@ export async function publishMonorailEvent<TSchemaId extends keyof Schemas, TPay
 }
 
 /**
- * Sanitizies the api_key from the payload.
+ * Sanitizies the api_key from the payload and returns a new hash.
  *
  * @param payload - The public and sensitive data.
- * @returns The payload with the api_key sanitized.
+ * @returns A copy of the payload with the api_key sanitized.
  */
 function sanitizePayload<T extends object>(payload: T): T {
-  if ('api_key' in payload) {
-    payload.api_key = '****'
+  const result = {...payload}
+  if ('api_key' in result) {
+    result.api_key = '****'
   }
 
-  return payload
+  return result
 }
 
 const buildHeaders = (currentTime: number) => {