masked headers

dankinsoid · dankinsoid · commit 4ec4c6c642aa · 2025-07-24T14:24:57.000+03:00
diff --git a/Sources/SwiftAPIClient/APIClientCaller.swift b/Sources/SwiftAPIClient/APIClientCaller.swift
@@ -270,6 +270,7 @@ public extension APIClient {
 					let message = configs._errorLoggingComponents.errorMessage(
 						uuid: uuid,
 						error: error,
+						maskedHeaders: configs.logMaskedHeaders,
 						fileIDLine: fileIDLine
 					)
 					configs.logger.log(level: configs._errorLogLevel, "\(message)")
diff --git a/Sources/SwiftAPIClient/Clients/HTTPClient.swift b/Sources/SwiftAPIClient/Clients/HTTPClient.swift
@@ -137,6 +137,7 @@ extension APIClientCaller where Result == AsyncThrowingValue<(Value, HTTPRespons
 							error: error,
 							request: request,
 							duration: duration,
+							maskedHeaders: configs.logMaskedHeaders,
 							fileIDLine: configs.fileIDLine
 						)
 						configs.logger.log(level: configs._errorLogLevel, "\(message)")
@@ -174,6 +175,7 @@ extension APIClientCaller where Result == AsyncThrowingValue<(Value, HTTPRespons
 							request: request,
 							data: data,
 							duration: duration,
+							maskedHeaders: configs.logMaskedHeaders,
 							fileIDLine: configs.fileIDLine
 						)
 						configs.logger.log(
@@ -196,6 +198,7 @@ extension APIClientCaller where Result == AsyncThrowingValue<(Value, HTTPRespons
 							data: data,
 							duration: duration,
 							error: error,
+							maskedHeaders: configs.logMaskedHeaders,
 							fileIDLine: configs.fileIDLine
 						)
 						configs.logger.log(level: configs._errorLogLevel, "\(message)")
diff --git a/Sources/SwiftAPIClient/Modifiers/LoggingModifier.swift b/Sources/SwiftAPIClient/Modifiers/LoggingModifier.swift
@@ -1,5 +1,6 @@
 import Foundation
 import Logging
+import HTTPTypesFoundation
 
 public extension APIClient {
 
@@ -35,6 +36,14 @@ public extension APIClient {
 	func errorLoggingComponents(_ components: LoggingComponents?) -> APIClient {
 		configs(\.errorLogginComponents, components)
 	}
+
+	/// Sets the headers that should be masked in logs.
+	/// - Parameter headers: A `Set<HTTPField.Name>` containing the names of headers to be masked.
+	func logMaskedHeaders(_ headers: Set<HTTPField.Name>) -> APIClient {
+		configs { configs in
+			configs.logMaskedHeaders.formUnion(headers)
+		}
+	}
 }
 
 public extension APIClient.Configs {
@@ -73,6 +82,13 @@ public extension APIClient.Configs {
 		get { self[\.errorLogginComponents] ?? nil }
 		set { self[\.errorLogginComponents] = newValue }
 	}
+
+	/// The headers that should be masked in logs.
+	/// - Returns: A `Set<HTTPField.Name>` containing the names of headers to be masked.
+	var logMaskedHeaders: Set<HTTPField.Name> {
+		get { self[\.logMaskedHeaders] ?? [.authorization] }
+		set { self[\.logMaskedHeaders] = newValue }
+	}
 }
 
 extension APIClient.Configs {
@@ -87,7 +103,7 @@ extension APIClient.Configs {
 
 	func logRequest(_ request: HTTPRequestComponents, uuid: UUID) {
 		if loggingComponents.contains(.onRequest), loggingComponents != .onRequest {
-			let message = loggingComponents.requestMessage(for: request, uuid: uuid, fileIDLine: fileIDLine)
+			let message = loggingComponents.requestMessage(for: request, uuid: uuid, maskedHeaders: logMaskedHeaders, fileIDLine: fileIDLine)
 			logger.log(level: logLevel, "\(message)")
 		}
 		#if canImport(Metrics)
diff --git a/Sources/SwiftAPIClient/Types/HTTPRequestComponents.swift b/Sources/SwiftAPIClient/Types/HTTPRequestComponents.swift
@@ -346,8 +346,13 @@ public extension HTTPRequestComponents {
 
 public extension HTTPRequestComponents {
 
+		/// Returns a cURL command string representation of the request
+		var cURL: String {
+			cURL(maskedHeaders: [])
+		}
+
     /// Returns a cURL command string representation of the request
-    var cURL: String {
+		func cURL(maskedHeaders: Set<HTTPField.Name>) -> String {
         var components: [String] = []
 
         // Add URL
@@ -364,7 +369,7 @@ public extension HTTPRequestComponents {
         // Add headers
         for field in headers {
             let headerValue = field.value.replacingOccurrences(of: "\"", with: "\\\"") // Escape double quotes
-            components.append("-H \"\(field.name.rawName): \(headerValue)\"")
+						components.append("-H \"\(field.name.rawName): \(maskedHeaders.contains(field.name) ? "***" : headerValue)\"")
         }
 
         // Add body if present (support multiple -d flags)
@@ -436,4 +441,4 @@ private let urlPattern = #"(?:\s+|^)['\"]?(https?://[^\s'\"\\]+)['\"]?"#
 private let headerPattern = #"(?:-H\s+|--header\s+)(?:'([^']+:\s*[^']*)'|"([^"]+:\s*[^"]*)"|([^\s'"]+:\s*[^\s'"]+))"#
 
 /// Regular expression pattern to match data in cURL command (support multiple `-d`)
-private let dataPattern = #"(?:-d\s+|--data(?:-ascii|-binary|-raw|-urlencode)?\s?)(?:'([^']*)'|"([^"]*)"|([^\s'"]+))"#
+private let dataPattern = #"(?:-d\s+|--data(?:-ascii|-binary|-raw|-urlencode)?\s?)(?:'([^']*)'|"([^"]*)"|([^\s'"]+))"#
diff --git a/Sources/SwiftAPIClient/Types/LoggingComponent.swift b/Sources/SwiftAPIClient/Types/LoggingComponent.swift
@@ -2,6 +2,7 @@ import Foundation
 #if canImport(FoundationNetworking)
 import FoundationNetworking
 #endif
+import HTTPTypes
 
 /// The components to be logged.
 public struct LoggingComponents: OptionSet {
@@ -17,8 +18,8 @@ public struct LoggingComponents: OptionSet {
 	public static let query = LoggingComponents(rawValue: 1 << 8)
 	public static let uuid = LoggingComponents(rawValue: 1 << 9)
 	public static let location = LoggingComponents(rawValue: 1 << 10)
-  public static let onRequest = LoggingComponents(rawValue: 1 << 11)
-  public static let cURL = LoggingComponents(rawValue: 1 << 12)
+	public static let onRequest = LoggingComponents(rawValue: 1 << 11)
+	public static let cURL = LoggingComponents(rawValue: 1 << 12)
 
 	public static var url: LoggingComponents { [.path, .baseURL, .query] }
 
@@ -71,6 +72,7 @@ public extension LoggingComponents {
 	func requestMessage(
 		for request: HTTPRequestComponents,
 		uuid: UUID,
+		maskedHeaders: Set<HTTPField.Name>,
 		fileIDLine: FileIDLine?
 	) -> String {
 		guard !isEmpty else { return "" }
@@ -92,7 +94,7 @@ public extension LoggingComponents {
 			message += " (\(body.count)-byte body)"
 		}
 		if contains(.headers), !request.headers.isEmpty {
-			message += "\n\(request.headers.multilineDescription)"
+			message += "\n\(request.headers.multilineDescription(masked: maskedHeaders))"
 			isMultiline = true
 		}
 		if contains(.body), let body = request.body?.data, let bodyString = String(data: body, encoding: .utf8) {
@@ -104,7 +106,7 @@ public extension LoggingComponents {
 			isMultiline = true
 		}
 		if contains(.cURL) {
-			message += "\n\(request.cURL)"
+			message += "\n\(request.cURL(maskedHeaders: maskedHeaders))"
 			isMultiline = true
 		}
 		if isMultiline {
@@ -123,7 +125,8 @@ public extension LoggingComponents {
 		data: Data?,
 		duration: TimeInterval,
 		error: Error? = nil,
-        fileIDLine: FileIDLine?
+		maskedHeaders: Set<HTTPField.Name>,
+				fileIDLine: FileIDLine?
 	) -> String {
 		responseMessage(
 			uuid: uuid,
@@ -133,7 +136,8 @@ public extension LoggingComponents {
 			headers: response.headerFields,
 			duration: duration,
 			error: error,
-            fileIDLine: fileIDLine
+			maskedHeaders: maskedHeaders,
+						fileIDLine: fileIDLine
 		)
 	}
 
@@ -145,17 +149,18 @@ public extension LoggingComponents {
 		headers: HTTPFields = [:],
 		duration: TimeInterval? = nil,
 		error: Error? = nil,
-        fileIDLine: FileIDLine?
+		maskedHeaders: Set<HTTPField.Name>,
+		fileIDLine: FileIDLine?
 	) -> String {
 		guard !isEmpty else { return "" }
-        var message = "<-- "
-        if let request {
-            message = requestMessage(for: request, uuid: uuid, fileIDLine: fileIDLine) + "\n" + message
-        } else {
-            if contains(.uuid) {
-                message = "[\(uuid.uuidString)]\n" + message
-            }
-        }
+		var message = "<-- "
+		if let request {
+				message = requestMessage(for: request, uuid: uuid, maskedHeaders: maskedHeaders, fileIDLine: fileIDLine) + "\n" + message
+		} else {
+			if contains(.uuid) {
+				message = "[\(uuid.uuidString)]\n" + message
+			}
+		}
 		switch (statusCode?.kind, error) {
 		case (_, .some), (.serverError, _), (.clientError, _), (.invalid, _):
 			message.append("🛑")
@@ -187,7 +192,7 @@ public extension LoggingComponents {
 		}
 
 		if contains(.headers), !headers.isEmpty {
-			message += "\n\(headers.multilineDescription)"
+			message += "\n\(headers.multilineDescription(masked: maskedHeaders))"
 			isMultiline = true
 		}
 		if contains(.body), let body = data, let bodyString = String(data: body, encoding: .utf8) {
@@ -207,6 +212,7 @@ public extension LoggingComponents {
 		error: Error,
 		request: HTTPRequestComponents? = nil,
 		duration: TimeInterval? = nil,
+		maskedHeaders: Set<HTTPField.Name>,
 		fileIDLine: FileIDLine? = nil
 	) -> String {
 		var message = contains(.uuid) && request == nil ? "[\(uuid.uuidString)] " : ""
@@ -215,8 +221,8 @@ public extension LoggingComponents {
 		}
 
 		if let request {
-            message = requestMessage(for: request, uuid: uuid, fileIDLine: fileIDLine) + "\n" + message
-        } else if let fileIDLine, contains(.location) {
+			message = requestMessage(for: request, uuid: uuid, maskedHeaders: maskedHeaders, fileIDLine: fileIDLine) + "\n" + message
+				} else if let fileIDLine, contains(.location) {
 			message = "\(fileIDLine.fileID)/\(fileIDLine.line)\n" + message
 		}
 		message += "❗️\(error.humanReadable)❗️"
@@ -248,7 +254,10 @@ public extension LoggingComponents {
 
 private extension HTTPFields {
 
-	var multilineDescription: String {
-		map { "\($0.name): \($0.value)" }.joined(separator: "\n")
+	func multilineDescription(masked: Set<HTTPField.Name>) -> String {
+		map {
+			"\($0.name): \(masked.contains($0.name) ? "***" : $0.value)"
+		}
+		.joined(separator: "\n")
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -270,6 +270,7 @@ public extension APIClient {`
`270`	`270`	`let message = configs._errorLoggingComponents.errorMessage(`
`271`	`271`	`uuid: uuid,`
`272`	`272`	`error: error,`
	`273`	`+ maskedHeaders: configs.logMaskedHeaders,`
`273`	`274`	`fileIDLine: fileIDLine`
`274`	`275`	`)`
`275`	`276`	`configs.logger.log(level: configs._errorLogLevel, "\(message)")`