Merge branch '425-mask-platform-access-token' into 'master'

fix(engine): mask Platform Access Token in UI logs (#425)

Closes #425

See merge request postgres-ai/database-lab!593

Author: agneum

engine/internal/platform/platform.go

@@ -112,3 +112,8 @@ func (s *Service) OriginURL() string {
 
 	return platformURL.String()
 }
+
+// AccessToken returns Platform AccessToken.
+func (s *Service) AccessToken() string {
+	return s.cfg.AccessToken
+}

engine/internal/srv/server.go

@@ -276,6 +276,10 @@ func (s *Server) initLogRegExp() {
 		secretPatterns = append(secretPatterns, s.Config.VerificationToken)
 	}
 
+	if accessToken := s.Platform.AccessToken(); len(accessToken) >= minTokenLength && !containsSpace(accessToken) {
+		secretPatterns = append(secretPatterns, accessToken)
+	}
+
 	s.re = regexp.MustCompile("(?i)" + strings.Join(secretPatterns, "|"))
 }
 

engine/internal/srv/ws_test.go

@@ -1,15 +1,21 @@
 package srv
 
 import (
+	"context"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
+	"gitlab.com/postgres-ai/database-lab/v3/internal/platform"
 	"gitlab.com/postgres-ai/database-lab/v3/internal/srv/config"
 )
 
 func TestLogLineFiltering(t *testing.T) {
-	s := Server{Config: &config.Config{VerificationToken: "secretToken"}}
+	pl, err := platform.New(context.Background(), platform.Config{AccessToken: "platformAccessToken"})
+	require.NoError(t, err)
+
+	s := Server{Config: &config.Config{VerificationToken: "secretToken"}, Platform: pl}
 	s.initLogRegExp()
 
 	testCases := []struct {
@@ -56,6 +62,10 @@ func TestLogLineFiltering(t *testing.T) {
 			input:  []byte(`AWS_ACCESS_KEY_ID:password`),
 			output: []byte(`AWS_********`),
 		},
+		{
+			input:  []byte(`platform: "platformAccessToken"`),
+			output: []byte(`platform: "********"`),
+		},
 	}
 
 	for _, tc := range testCases {