feat: add headers redacter (#18)

src/lib/base-config.ts

@@ -2,4 +2,7 @@ import {AppConfig} from '../types';
 
 export const NODEKIT_BASE_CONFIG: AppConfig = {
     nkDefaultSensitiveKeys: ['authorization', 'cookie', 'set-cookie', 'password'],
+    nkDefaultSensitiveHeaders: ['authorization', 'cookie', 'set-cookie', 'password'],
+    nkDefaultHeadersWithSensitiveUrls: ['referer'],
+    nkDefaultSensitiveQueryParams: [],
 };

src/lib/utils/redact-sensitive-headers.ts

@@ -0,0 +1,31 @@
+import {IncomingHttpHeaders} from 'http';
+import {Dict} from '../../types';
+import {prepareSensitiveKeysRedacter} from './redact-sensitive-keys';
+
+export type SensitiveHeadersRedacter = (inputHeaders: Dict | IncomingHttpHeaders) => Dict;
+
+export default function prepareSensitiveHeadersRedacter(
+    sensitiveHeaders: Array<string> = [],
+    headersWithSensitiveUrls: Array<string> = [],
+    redactSensitiveQueryParams: (input: string) => string = (input) => input,
+    isDevMode = false,
+) {
+    const redactSensitiveHeaders: SensitiveHeadersRedacter = (inputHeaders) => {
+        if (isDevMode) {
+            return inputHeaders;
+        }
+
+        const redactSensitiveKeys = prepareSensitiveKeysRedacter(sensitiveHeaders);
+
+        const result = redactSensitiveKeys(inputHeaders);
+
+        Object.keys(result).forEach((headerName) => {
+            if (headersWithSensitiveUrls.includes(headerName.toLowerCase())) {
+                result[headerName] = redactSensitiveQueryParams(result[headerName] as string);
+            }
+        });
+
+        return result;
+    };
+    return redactSensitiveHeaders;
+}

src/lib/utils/redact-sensitive-query-params.ts

@@ -0,0 +1,47 @@
+import {URL} from 'url';
+import {Dict} from '../../types';
+import {prepareSensitiveKeysRedacter} from './redact-sensitive-keys';
+
+export type SensitiveQueryParamsRedacter = (input?: string) => string;
+
+export default function prepareSensitiveQueryParamsRedacter(
+    sensitiveQueryParams: Array<string> = [],
+    isDevMode = false,
+) {
+    const redactSensitiveQueryParams: SensitiveQueryParamsRedacter = (input = ''): string => {
+        if (isDevMode || !input) {
+            return input;
+        }
+
+        if (sensitiveQueryParams.length === 0) {
+            return input;
+        }
+
+        const defaultBase = 'http://127.0.0.1';
+        const parsedUrl = new URL(input, defaultBase);
+
+        const matchedSensitiveQueryParams = sensitiveQueryParams.reduce<Dict>((acc, key) => {
+            if (parsedUrl.searchParams.has(key)) {
+                acc[key] = parsedUrl.searchParams.get(key);
+            }
+            return acc;
+        }, {});
+
+        if (Object.keys(matchedSensitiveQueryParams).length === 0) {
+            return input;
+        }
+
+        const redactSensitiveKeys = prepareSensitiveKeysRedacter(sensitiveQueryParams);
+        const redactedSensitiveQueryParams = redactSensitiveKeys(matchedSensitiveQueryParams);
+
+        Object.keys(redactedSensitiveQueryParams).forEach((key) => {
+            parsedUrl.searchParams.set(key, redactedSensitiveQueryParams[key] as string);
+        });
+
+        const resultUrl = parsedUrl.toString();
+
+        return resultUrl.startsWith(defaultBase) ? resultUrl.replace(defaultBase, '') : resultUrl;
+    };
+
+    return redactSensitiveQueryParams;
+}

src/nodekit.ts

@@ -13,6 +13,12 @@ import {
 } from './lib/utils/redact-sensitive-keys';
 import {prepareClickhouseClient} from './lib/telemetry/clickhouse';
 import {DynamicConfigSetup, DynamicConfigPoller} from './lib/dynamic-config-poller';
+import prepareSensitiveHeadersRedacter, {
+    SensitiveHeadersRedacter,
+} from './lib/utils/redact-sensitive-headers';
+import prepareSensitiveQueryParamsRedacter, {
+    SensitiveQueryParamsRedacter,
+} from './lib/utils/redact-sensitive-query-params';
 
 interface InitOptions {
     disableDotEnv?: boolean;
@@ -26,6 +32,8 @@ export class NodeKit {
 
     utils: {
         redactSensitiveKeys: SensitiveKeysRedacter;
+        redactSensitiveQueryParams: SensitiveQueryParamsRedacter;
+        redactSensitiveHeaders: SensitiveHeadersRedacter;
         isTrueEnvValue: (arg: string) => boolean;
     };
 
@@ -60,10 +68,28 @@ export class NodeKit {
             devMode: appDevMode,
         });
 
+        const redactSensitiveQueryParams = prepareSensitiveQueryParamsRedacter(
+            this.config.nkDefaultSensitiveQueryParams?.concat(
+                this.config.appSensitiveQueryParams || [],
+            ),
+            appDevMode,
+        );
+
+        const redactSensitiveHeaders = prepareSensitiveHeadersRedacter(
+            this.config.nkDefaultSensitiveHeaders?.concat(this.config.appSensitiveHeaders || []),
+            this.config.nkDefaultHeadersWithSensitiveUrls?.concat(
+                this.config.appHeadersWithSensitiveUrls || [],
+            ),
+            redactSensitiveQueryParams,
+            appDevMode,
+        );
+
         this.utils = {
             redactSensitiveKeys: prepareSensitiveKeysRedacter(
                 this.config.nkDefaultSensitiveKeys?.concat(this.config.appSensitiveKeys || []),
             ),
+            redactSensitiveHeaders,
+            redactSensitiveQueryParams,
             isTrueEnvValue,
         };
 

src/types.ts

@@ -8,7 +8,13 @@ export interface AppConfig {
     appDevMode?: boolean;
 
     nkDefaultSensitiveKeys?: string[];
+    nkDefaultSensitiveHeaders?: string[];
+    nkDefaultHeadersWithSensitiveUrls?: string[];
+    nkDefaultSensitiveQueryParams?: string[];
     appSensitiveKeys?: string[];
+    appSensitiveHeaders?: string[];
+    appHeadersWithSensitiveUrls?: string[];
+    appSensitiveQueryParams?: string[];
 
     appTracingEnabled?: boolean;
     appTracingServiceName?: string;