From b28e5628f5964e2ecc04cc1df8a54948567a4b48 Mon Sep 17 00:00:00 2001
From: Daniel Bankhead <dan@danielbankhead.com>
Date: Thu, 10 Aug 2023 20:56:33 -0700
Subject: [PATCH] feat: Prevent Auth Logging by Default (#565)

* chore: formatting + add type to `timeout`

* feat: Add Error Redactor option

* chore: fix error double-cast

* fix: if real `GaxiosError` the `name` wouldn't be `AbortError`

* style: lint

* refactor: specify redactable properties

* chore: redact `token` in params

* refactor: return redacted objects and use

* test: add tests for `errorRedactor`
---
 README.md          |  18 +++++-
 src/common.ts      | 146 ++++++++++++++++++++++++++++++++++++++++++---
 src/gaxios.ts      |  20 +++++--
 src/retry.ts       |   2 +-
 test/test.getch.ts | 113 +++++++++++++++++++++++++++++++++++
 5 files changed, 282 insertions(+), 17 deletions(-)

diff --git a/README.md b/README.md
index b06ecd6d..2b9b0c59 100644
--- a/README.md
+++ b/README.md
@@ -7,6 +7,7 @@
 > An HTTP request client that provides an `axios` like interface over top of `node-fetch`.
 
 ## Install
+
 ```sh
 $ npm install gaxios
 ```
@@ -16,12 +17,13 @@ $ npm install gaxios
 ```js
 const {request} = require('gaxios');
 const res = await request({
-  url: 'https://www.googleapis.com/discovery/v1/apis/'
+  url: 'https://www.googleapis.com/discovery/v1/apis/',
 });
 ```
 
 ## Setting Defaults
-Gaxios supports setting default properties both on the default instance, and on additional instances. This is often useful when making many requests to the same domain with the same base settings.  For example:
+
+Gaxios supports setting default properties both on the default instance, and on additional instances. This is often useful when making many requests to the same domain with the same base settings. For example:
 
 ```js
 const gaxios = require('gaxios');
@@ -86,7 +88,7 @@ over other authentication methods, i.e., application default credentials.
     return qs.stringify(params);
   },
 
-  // The timeout for the HTTP request. Defaults to 0.
+  // The timeout for the HTTP request in milliseconds. Defaults to 0.
   timeout: 1000,
 
   // Optional method to override making the actual HTTP request. Useful
@@ -152,8 +154,18 @@ over other authentication methods, i.e., application default credentials.
   // Cancelling a request requires the `abort-controller` library.
   // See https://github.com/bitinn/node-fetch#request-cancellation-with-abortsignal
   signal?: AbortSignal
+
+  /**
+   * An experimental, customizable error redactor.
+   *
+   * Set `false` to disable.
+   *
+   * @experimental
+   */
+  errorRedactor?: typeof defaultErrorRedactor | false;
 }
 ```
 
 ## License
+
 [Apache-2.0](https://github.com/googleapis/gaxios/blob/master/LICENSE)
diff --git a/src/common.ts b/src/common.ts
index 5807df38..2dbc7e2d 100644
--- a/src/common.ts
+++ b/src/common.ts
@@ -25,8 +25,6 @@ export class GaxiosError<T = any> extends Error {
    * 'ECONNRESET'
    */
   code?: string;
-  response?: GaxiosResponse<T>;
-  config: GaxiosOptions;
   /**
    * An HTTP Status code.
    * See {@link https://developer.mozilla.org/en-US/docs/Web/API/Response/status Response: status property}
@@ -34,21 +32,43 @@ export class GaxiosError<T = any> extends Error {
    * @example
    * 500
    */
-  status: number;
+  status?: number;
+
   constructor(
     message: string,
-    options: GaxiosOptions,
-    response: GaxiosResponse<T>,
+    public config: GaxiosOptions,
+    public response?: GaxiosResponse<T>,
     public error?: Error | NodeJS.ErrnoException
   ) {
     super(message);
-    this.response = response;
-    this.config = options;
-    this.response.data = translateData(options.responseType, response.data);
+
+    if (this.response) {
+      this.response.data = translateData(config.responseType, response?.data);
+      this.status = this.response.status;
+    }
+
     if (error && 'code' in error && error.code) {
       this.code = error.code;
     }
-    this.status = response.status;
+
+    if (config.errorRedactor) {
+      const errorRedactor = config.errorRedactor<T>;
+
+      // shallow-copy config for redaction as we do not want
+      // future requests to have redacted information
+      this.config = {...config};
+      if (this.response) {
+        // copy response's config, as it may be recursively redacted
+        this.response = {...this.response, config: {...this.response.config}};
+      }
+
+      const results = errorRedactor({config, response});
+      this.config = {...config, ...results.config};
+
+      if (this.response) {
+        this.response = {...this.response, ...results.response, config};
+      }
+    }
   }
 }
 
@@ -138,7 +158,31 @@ export interface GaxiosOptions {
   // Configure client to use mTLS:
   cert?: string;
   key?: string;
+  /**
+   * An experimental error redactor.
+   *
+   * @experimental
+   */
+  errorRedactor?: typeof defaultErrorRedactor | false;
 }
+/**
+ * A partial object of `GaxiosResponse` with only redactable keys
+ *
+ * @experimental
+ */
+export type RedactableGaxiosOptions = Pick<
+  GaxiosOptions,
+  'body' | 'data' | 'headers' | 'url'
+>;
+/**
+ * A partial object of `GaxiosResponse` with only redactable keys
+ *
+ * @experimental
+ */
+export type RedactableGaxiosResponse<T = any> = Pick<
+  GaxiosResponse<T>,
+  'config' | 'data' | 'headers'
+>;
 
 /**
  * Configuration for the Gaxios `request` method.
@@ -243,3 +287,87 @@ function translateData(responseType: string | undefined, data: any) {
       return data;
   }
 }
+
+/**
+ * An experimental error redactor.
+ *
+ * @param config Config to potentially redact properties of
+ * @param response Config to potentially redact properties of
+ *
+ * @experimental
+ */
+export function defaultErrorRedactor<T = any>(data: {
+  config?: RedactableGaxiosOptions;
+  response?: RedactableGaxiosResponse<T>;
+}) {
+  const REDACT =
+    '<<REDACTED> - See `errorRedactor` option in `gaxios` for configuration>.';
+
+  function redactHeaders(headers?: Headers) {
+    if (!headers) return;
+
+    for (const key of Object.keys(headers)) {
+      // any casing of `Authentication`
+      if (/^authentication$/.test(key)) {
+        headers[key] = REDACT;
+      }
+    }
+  }
+
+  function redactString(obj: GaxiosOptions, key: keyof GaxiosOptions) {
+    if (
+      typeof obj === 'object' &&
+      obj !== null &&
+      typeof obj[key] === 'string'
+    ) {
+      const text = obj[key];
+
+      if (/grant_type=/.test(text) || /assertion=/.test(text)) {
+        obj[key] = REDACT;
+      }
+    }
+  }
+
+  function redactObject<T extends GaxiosOptions['data']>(obj: T) {
+    if (typeof obj === 'object' && obj !== null) {
+      if ('grant_type' in obj) {
+        obj['grant_type'] = REDACT;
+      }
+
+      if ('assertion' in obj) {
+        obj['assertion'] = REDACT;
+      }
+    }
+  }
+
+  if (data.config) {
+    redactHeaders(data.config.headers);
+
+    redactString(data.config, 'data');
+    redactObject(data.config.data);
+
+    redactString(data.config, 'body');
+    redactObject(data.config.body);
+
+    try {
+      const url = new URL(data.config.url || '');
+      if (url.searchParams.has('token')) {
+        url.searchParams.set('token', REDACT);
+      }
+
+      data.config.url = url.toString();
+    } catch {
+      // ignore error
+    }
+  }
+
+  if (data.response) {
+    defaultErrorRedactor({config: data.response.config});
+    redactHeaders(data.response.headers);
+
+    redactString(data.response, 'data');
+    redactObject(data.response.data);
+  }
+
+  return data;
+}
diff --git a/src/gaxios.ts b/src/gaxios.ts
index 907b2366..a0eba80b 100644
--- a/src/gaxios.ts
+++ b/src/gaxios.ts
@@ -26,6 +26,7 @@ import {
   GaxiosPromise,
   GaxiosResponse,
   Headers,
+  defaultErrorRedactor,
 } from './common';
 import {getRetryConfig} from './retry';
 import {Stream} from 'stream';
@@ -156,14 +157,15 @@ export class Gaxios {
       } else {
         translatedResponse = await this._defaultAdapter(opts);
       }
+
       if (!opts.validateStatus!(translatedResponse.status)) {
         if (opts.responseType === 'stream') {
           let response = '';
           await new Promise(resolve => {
-            (translatedResponse.data as Stream).on('data', chunk => {
+            (translatedResponse?.data as Stream).on('data', chunk => {
               response += chunk;
             });
-            (translatedResponse.data as Stream).on('end', resolve);
+            (translatedResponse?.data as Stream).on('end', resolve);
           });
           translatedResponse.data = response as T;
         }
@@ -175,8 +177,11 @@ export class Gaxios {
       }
       return translatedResponse;
     } catch (e) {
-      const err = e as GaxiosError;
-      err.config = opts;
+      const err =
+        e instanceof GaxiosError
+          ? e
+          : new GaxiosError((e as Error).message, opts, undefined, e as Error);
+
       const {shouldRetry, config} = await getRetryConfig(err);
       if (shouldRetry && config) {
         err.config.retryConfig!.currentRetryAttempt =
@@ -324,6 +329,13 @@ export class Gaxios {
       }
     }
 
+    if (
+      typeof opts.errorRedactor !== 'function' &&
+      opts.errorRedactor !== false
+    ) {
+      opts.errorRedactor = defaultErrorRedactor;
+    }
+
     return opts;
   }
 
diff --git a/src/retry.ts b/src/retry.ts
index 540298e8..7e7b3d61 100644
--- a/src/retry.ts
+++ b/src/retry.ts
@@ -95,7 +95,7 @@ function shouldRetryRequest(err: GaxiosError) {
 
   // node-fetch raises an AbortError if signaled:
   // https://github.com/bitinn/node-fetch#request-cancellation-with-abortsignal
-  if (err.name === 'AbortError') {
+  if (err.name === 'AbortError' || err.error?.name === 'AbortError') {
     return false;
   }
 
diff --git a/test/test.getch.ts b/test/test.getch.ts
index e877628c..15d2ba48 100644
--- a/test/test.getch.ts
+++ b/test/test.getch.ts
@@ -446,6 +446,32 @@ describe('🥁 configuration options', () => {
     scope.done();
     assert.deepStrictEqual(res.status, 200);
   });
+
+  it('should be able to disable the `errorRedactor`', async () => {
+    const scope = nock(url).get('/').reply(200);
+    const instance = new Gaxios({url, errorRedactor: false});
+
+    assert.equal(instance.defaults.errorRedactor, false);
+
+    await instance.request({url});
+    scope.done();
+
+    assert.equal(instance.defaults.errorRedactor, false);
+  });
+
+  it('should be able to set a custom `errorRedactor`', async () => {
+    const scope = nock(url).get('/').reply(200);
+    const errorRedactor = (t: {}) => t;
+
+    const instance = new Gaxios({url, errorRedactor});
+
+    assert.equal(instance.defaults.errorRedactor, errorRedactor);
+
+    await instance.request({url});
+    scope.done();
+
+    assert.equal(instance.defaults.errorRedactor, errorRedactor);
+  });
 });
 
 describe('🎏 data handling', () => {
@@ -618,6 +644,93 @@ describe('🎏 data handling', () => {
     assert.ok(res.data);
     assert.notEqual(res.data, body);
   });
+
+  it('should redact sensitive props via the `errorRedactor` by default', async () => {
+    const REDACT =
+      '<<REDACTED> - See `errorRedactor` option in `gaxios` for configuration>.';
+
+    const customURL = new URL(url);
+    customURL.searchParams.append('token', 'sensitive');
+    customURL.searchParams.append('random', 'non-sensitive');
+
+    const config: GaxiosOptions = {
+      headers: {
+        authentication: 'My Auth',
+        'content-type': 'application/x-www-form-urlencoded',
+        random: 'data',
+      },
+      data: {
+        grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+        assertion: 'somesensitivedata',
+        unrelated: 'data',
+      },
+      body: 'grant_type=somesensitivedata&assertion=somesensitivedata',
+    };
+
+    const responseHeaders = {
+      ...config.headers,
+      'content-type': 'application/json',
+    };
+    const response = {...config.data};
+
+    const scope = nock(url)
+      .post('/')
+      .query(() => true)
+      .reply(404, response, responseHeaders);
+
+    const instance = new Gaxios(JSON.parse(JSON.stringify(config)));
+
+    try {
+      await instance.request({url: customURL.toString(), method: 'POST'});
+
+      throw new Error('Expected a GaxiosError');
+    } catch (e) {
+      assert(e instanceof GaxiosError);
+
+      // config should not be mutated
+      assert.deepStrictEqual(instance.defaults, config);
+      assert.notStrictEqual(e.config, config);
+
+      // config redactions - headers
+      assert(e.config.headers);
+      assert.deepStrictEqual(e.config.headers, {
+        ...config.headers, // non-redactables should be present
+        authentication: REDACT,
+      });
+
+      // config redactions - data
+      assert.deepStrictEqual(e.config.data, {
+        ...config.data, // non-redactables should be present
+        grant_type: REDACT,
+        assertion: REDACT,
+      });
+
+      // config redactions - body
+      assert.deepStrictEqual(e.config.body, REDACT);
+
+      // config redactions - url
+      assert(e.config.url);
+      const resultURL = new URL(e.config.url);
+      assert.notDeepStrictEqual(resultURL.toString(), customURL.toString());
+      customURL.searchParams.set('token', REDACT);
+      assert.deepStrictEqual(resultURL.toString(), customURL.toString());
+
+      // response redactions
+      assert(e.response);
+      assert.deepStrictEqual(e.response.config, e.config);
+      assert.deepStrictEqual(e.response.headers, {
+        ...responseHeaders, // non-redactables should be present
+        authentication: REDACT,
+      });
+      assert.deepStrictEqual(e.response.data, {
+        ...response, // non-redactables should be present
+        grant_type: REDACT,
+        assertion: REDACT,
+      });
+    } finally {
+      scope.done();
+    }
+  });
 });
 
 describe('🍂 defaults & instances', () => {