feat: redact Authorization header when using debug option

stainless-app[bot] · stainless-app[bot] · commit 557a499e428c · 2025-12-15T19:39:35.000Z
diff --git a/internal/debugmiddleware/debug_middleware.go b/internal/debugmiddleware/debug_middleware.go
@@ -0,0 +1,60 @@
+package debugmiddleware
+
+import (
+	"net/http"
+	"net/http/httputil"
+	"strings"
+)
+
+// For the time being these type definitions are duplicated here so that we can
+// test this file in a non-generated context.
+type (
+	Middleware     = func(*http.Request, MiddlewareNext) (*http.Response, error)
+	MiddlewareNext = func(*http.Request) (*http.Response, error)
+)
+
+const redactedPlaceholder = "<REDACTED>"
+
+// DebugMiddleware returns a middleware that logs HTTP requests and responses.
+//
+// logWriter is log.Default() under most circumstances, but made low level so we
+// can more easily inject a buffer to check in tests.
+func DebugMiddleware(logger interface{ Printf(string, ...any) }) Middleware {
+	return func(req *http.Request, mn MiddlewareNext) (*http.Response, error) {
+		if reqBytes, err := httputil.DumpRequest(redactRequest(req), true); err == nil {
+			logger.Printf("Request Content:\n%s\n", reqBytes)
+		}
+
+		resp, err := mn(req)
+		if err != nil {
+			return resp, err
+		}
+
+		if respBytes, err := httputil.DumpResponse(resp, true); err == nil {
+			logger.Printf("Response Content:\n%s\n", respBytes)
+		}
+
+		return resp, err
+	}
+}
+
+// redactRequest redacts sensitive information from the request for logging
+// purposes. If redaction is necessary, the request is cloned before mutating
+// the original and that clone is returned. As a small optimization, the
+// original is request is returned unchanged if no redaction is necessary.
+func redactRequest(req *http.Request) *http.Request {
+	if auth := req.Header.Get("Authorization"); auth != "" {
+		req = req.Clone(req.Context())
+
+		// In case we're using something like a bearer token (e.g. `Bearer
+		// <my_token>`), keep the `Bearer` part for more debugging
+		// information.
+		if authKind, _, ok := strings.Cut(auth, " "); ok {
+			req.Header.Set("Authorization", authKind+" "+redactedPlaceholder)
+		} else {
+			req.Header.Set("Authorization", redactedPlaceholder)
+		}
+	}
+
+	return req
+}
diff --git a/internal/debugmiddleware/debug_middleware_test.go b/internal/debugmiddleware/debug_middleware_test.go
@@ -0,0 +1,105 @@
+package debugmiddleware
+
+import (
+	"bytes"
+	"log"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func TestDebugMiddleware(t *testing.T) {
+	t.Parallel()
+
+	setup := func() (Middleware, *bytes.Buffer) {
+		var logBuf bytes.Buffer
+		return DebugMiddleware(log.New(&logBuf, "", 0)), &logBuf
+	}
+
+	t.Run("DoesNotRedactMostHeaders", func(t *testing.T) {
+		t.Parallel()
+
+		middleware, logBuf := setup()
+
+		const stainlessUserAgent = "Stainless"
+
+		req := httptest.NewRequest("GET", "https://example.com", nil)
+		req.Header.Set("User-Agent", stainlessUserAgent)
+
+		var nextMiddlewareRan bool
+		middleware(req, func(req *http.Request) (*http.Response, error) {
+			nextMiddlewareRan = true
+
+			// The request sent down through middleware shouldn't be mutated.
+			if req.Header.Get("User-Agent") != stainlessUserAgent {
+				t.Error("expected original request to be unmodified")
+			}
+
+			return &http.Response{}, nil
+		})
+
+		if !nextMiddlewareRan {
+			t.Error("expected next middleware to have been run")
+		}
+
+		if !strings.Contains(logBuf.String(), "User-Agent: "+stainlessUserAgent) {
+			t.Error("expected logged request headers to include `User-Agent: Stainless`")
+		}
+	})
+
+	const secretToken = "secret-token"
+
+	t.Run("RedactsAuthorizationHeader", func(t *testing.T) {
+		t.Parallel()
+
+		middleware, logBuf := setup()
+
+		req := httptest.NewRequest("GET", "https://example.com", nil)
+		req.Header.Set("Authorization", secretToken)
+
+		var nextMiddlewareRan bool
+		middleware(req, func(req *http.Request) (*http.Response, error) {
+			nextMiddlewareRan = true
+
+			// The request sent down through middleware shouldn't be mutated.
+			if req.Header.Get("Authorization") != secretToken {
+				t.Error("expected original request to be unmodified")
+			}
+
+			return &http.Response{}, nil
+		})
+
+		if !nextMiddlewareRan {
+			t.Error("expected next middleware to have been run")
+		}
+
+		if !strings.Contains(logBuf.String(), "Authorization: "+redactedPlaceholder) {
+			t.Error("expected authorization header to be redacted")
+		}
+	})
+
+	t.Run("RedactsOnlySecretInAuthorizationHeader", func(t *testing.T) {
+		t.Parallel()
+
+		middleware, logBuf := setup()
+
+		req := httptest.NewRequest("GET", "https://example.com", nil)
+		req.Header.Set("Authorization", "Bearer "+secretToken)
+
+		var nextMiddlewareRan bool
+		middleware(req, func(req *http.Request) (*http.Response, error) {
+			nextMiddlewareRan = true
+
+			return &http.Response{}, nil
+		})
+
+		if !nextMiddlewareRan {
+			t.Error("expected next middleware to have been run")
+		}
+
+		if !strings.Contains(logBuf.String(), "Authorization: Bearer "+redactedPlaceholder) {
+			t.Error("expected authorization header to be redacted")
+		}
+	})
+}
diff --git a/pkg/cmd/flagoptions.go b/pkg/cmd/flagoptions.go
@@ -4,11 +4,13 @@ import (
 	"bytes"
 	"encoding/json"
 	"io"
+	"log"
 	"mime/multipart"
 	"os"
 
 	"github.com/stainless-api/stainless-api-cli/internal/apiform"
 	"github.com/stainless-api/stainless-api-cli/internal/apiquery"
+	"github.com/stainless-api/stainless-api-cli/internal/debugmiddleware"
 	"github.com/stainless-api/stainless-api-cli/internal/requestflag"
 	"github.com/stainless-api/stainless-api-go/option"
 
@@ -30,7 +32,7 @@ func flagOptions(
 ) ([]option.RequestOption, error) {
 	var options []option.RequestOption
 	if cmd.Bool("debug") {
-		options = append(options, debugMiddlewareOption)
+		options = append(options, option.WithMiddleware(debugmiddleware.DebugMiddleware(log.Default())))
 	}
 
 	queries := make(map[string]any)
