fix(security): redact sensitive query params in request logs

[seapagan]

Summary

• Redact sensitive query params in request logging with a centralized key list (SENSITIVE_QUERY_KEYS in app/middleware/logging_middleware.py)
• Add unit coverage for redaction helper and middleware logging
• Document request log redaction and mark the security review item complete

Testing

• poe test

Summary by CodeRabbit

• New Features

  • Request logs now redact sensitive query parameters (tokens, API keys, etc.) before being recorded; the list of sensitive keys is configurable.

• Documentation

  • Updated security/config docs to note request-log redaction and improved formatting and summary counts in the security review notes.

• Tests

  • Added unit tests verifying redaction behavior while preserving non-sensitive query data and response handling.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds query-parameter redaction to request logging via LoggingMiddleware (new class attributes and helper methods). Updates docs and SECURITY-REVIEW.md to describe and record the change. Adds unit tests covering redaction behavior and edge-case query inputs.

Changes

Cohort / File(s)	Summary
Middleware — redaction logic app/middleware/logging_middleware.py	Adds REDACTED_VALUE and SENSITIVE_QUERY_KEYS; imports parse_qsl and urlencode; introduces @classmethod _should_redact() and @classmethod _redact_query(); dispatch now uses a redacted query string when building the logged request path.
Tests — validation tests/unit/test_logging.py	Adds tests asserting sensitive keys (e.g., code, token, API_KEY) are redacted in logs, non-sensitive parts remain, and edge cases (empty query, no-params, mixed queries) are covered. Adjusts an existing test to set mock_request.url.query = ''.
Documentation & Security notes docs/usage/configuration/environment.md, SECURITY-REVIEW.md	Documents request-log redaction and that SENSITIVE_QUERY_KEYS is customizable; updates SECURITY-REVIEW.md summary/table formatting and issue counts. No runtime behavior changes outside logging output.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Client
    participant LoggingMiddleware as Middleware
    participant AppHandler as Handler
    participant Logger

    Client->>Middleware: HTTP request (method, path, query)
    alt query present
        Middleware->>Middleware: parse_qsl(query) / _redact_query()
        Note right of Middleware `#EFEFEF`: Sensitive params replaced\nwith "REDACTED"
    end
    Middleware->>Handler: forward request (unchanged)
    Handler-->>Middleware: response
    Middleware->>Logger: log method and path (uses redacted query if applied)
    Logger-->>Middleware: write log
    Middleware-->>Client: return response

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hop through queries, soft and fleet,

Snipping secrets where they meet.
Tokens tucked and keys all masked,
Logs stay clear — no secrets asked.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely describes the main security improvement: redacting sensitive query parameters in request logs.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f9d9be8 and cac1c76.

📒 Files selected for processing (1)

• app/middleware/logging_middleware.py

🚧 Files skipped from review as they are similar to previous changes (1)

• app/middleware/logging_middleware.py

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Codacy Static Code Analysis
• GitHub Check: test (3.11)
• GitHub Check: test (3.13)
• GitHub Check: test (3.10)
• GitHub Check: test (3.12)
• GitHub Check: test (3.14)

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ +0.00% (target: -1.00%)	✅ 100.00%

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (24eac05)	2217	2217	100.00%
Head commit (cac1c76)	2246 (+29)	2246 (+29)	100.00% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#805)	30	30	100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

app/middleware/logging_middleware.py (1)

46-67: Solid redaction logic with good edge case handling.

The implementation correctly handles:

• Empty queries (Line 48-49)
• Unparseable queries (Lines 52-53)
• Mixed sensitive/non-sensitive parameters
• Performance optimization by only rebuilding when needed (Lines 64-65)

Minor nitpick: Line 67 uses doseq=True, which is designed for dict values that are sequences (e.g., {'key': ['v1', 'v2']}). Since we're passing a list of tuples, this parameter has no effect—repeated keys are already handled correctly. It's harmless but unnecessary.

Optional: Remove unnecessary parameter

-        return urlencode(redacted_params, doseq=True)
+        return urlencode(redacted_params)

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 24eac05 and 0d773c0.

📒 Files selected for processing (4)

• SECURITY-REVIEW.md
• app/middleware/logging_middleware.py
• docs/usage/configuration/environment.md
• tests/unit/test_logging.py

🧰 Additional context used

🧬 Code graph analysis (1)

tests/unit/test_logging.py (1)

app/middleware/logging_middleware.py (3)

• LoggingMiddleware (21-99)
• dispatch (69-99)
• _redact_query (47-67)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Codacy Static Code Analysis
• GitHub Check: test (3.14)
• GitHub Check: test (3.10)
• GitHub Check: test (3.12)
• GitHub Check: test (3.11)
• GitHub Check: test (3.13)

🔇 Additional comments (5)

app/middleware/logging_middleware.py (3)

24-36: LGTM! Well-designed redaction configuration.

The class attributes provide a clean, centralized way to define sensitive keys. The comment on Line 25 about key ordering for performance shows good awareness. The tuple contains appropriate sensitive parameter names commonly used in authentication flows.

---

38-44: LGTM! Case-insensitive matching is appropriate.

The case-insensitive comparison (Line 40) correctly handles variations like code, Code, and CODE, which is the right security posture since attackers might try case variations.

---

90-92: LGTM! Clean integration of redaction into request logging.

The redaction is applied at the right layer—after request processing but before logging—ensuring the application can still access sensitive parameters while keeping them out of logs.

tests/unit/test_logging.py (2)

517-552: Excellent integration test coverage!

This test thoroughly validates the redaction behavior:

• ✅ Sensitive parameters redacted (code, token, API_KEY)
• ✅ Non-sensitive parameters preserved (page=2)
• ✅ Case-insensitive matching verified (Line 535: API_KEY uppercase)
• ✅ Original sensitive values confirmed absent from logs (Lines 549-551)
• ✅ Response unchanged (Line 552)

---

554-560: Good edge case coverage for the helper method.

These unit tests cover important edge cases:

• Empty query string handling
• Unparseable query strings (e.g., lone &)