Merge pull request #54 from waldronlab/issue/46-api-key-masking

Implement API key masking in logs and error messages

Author: RonaldRonnie

app/api/app.py

@@ -110,16 +110,22 @@ async def validation_exception_handler(request: Request, exc: RequestValidationE
 @app.exception_handler(Exception)
 async def global_exception_handler(request: Request, exc: Exception):
     """Handle unexpected exceptions."""
+    from app.utils.credential_masking import mask_exception_message, mask_string
+    
+    # Mask any credentials in exception message and traceback
+    safe_exc_msg = mask_exception_message(exc)
+    safe_traceback = mask_string(traceback.format_exc())
+    
     logger.error(
-        f"Unhandled exception: {str(exc)}\n"
-        f"Traceback: {traceback.format_exc()}\n"
+        f"Unhandled exception: {safe_exc_msg}\n"
+        f"Traceback: {safe_traceback}\n"
         f"Request ID: {getattr(request.state, 'request_id', None)}"
     )
 
     if ENVIRONMENT == "production":
         detail = "An internal error occurred. Please try again later."
     else:
-        detail = str(exc)
+        detail = safe_exc_msg
 
     return JSONResponse(
         status_code=500,

app/api/routers/bugsigdb_analysis.py

@@ -1,6 +1,7 @@
 """API router for BugSigDB field analysis."""
 from fastapi import APIRouter, HTTPException
 import logging
+from app.utils.credential_masking import mask_exception_message
 
 from app.services.bugsigdb_analyzer import analyze_paper_simple
 
@@ -92,7 +93,8 @@ async def analyze_paper(pmid: str):
     except HTTPException:
         raise
     except Exception as e:
-        logger.error(f"Error in analysis for PMID {pmid}: {e}")
+        safe_error = mask_exception_message(e)
+        logger.error(f"Error in analysis for PMID {pmid}: {safe_error}")
         raise HTTPException(status_code=500, detail=f"Analysis error: {str(e)}")
 
 
@@ -104,7 +106,8 @@ async def analyze_paper_post(pmid: str):
     except HTTPException:
         raise
     except Exception as e:
-        logger.error(f"Error in analysis for PMID {pmid}: {e}")
+        safe_error = mask_exception_message(e)
+        logger.error(f"Error in analysis for PMID {pmid}: {safe_error}")
         raise HTTPException(status_code=500, detail=f"Analysis error: {str(e)}")
 
 

app/api/routers/bugsigdb_analysis_v2.py

@@ -3,6 +3,7 @@
 from typing import Optional, List
 import logging
 from datetime import datetime
+from app.utils.credential_masking import mask_exception_message
 
 from app.services.bugsigdb_analyzer import analyze_paper_simple, analyze_paper_with_rag
 from app.api.models.api_models import (
@@ -140,7 +141,8 @@ async def analyze_paper(
     except HTTPException:
         raise
     except Exception as e:
-        logger.error(f"Error in v2 analysis for PMID {pmid}: {e}")
+        safe_error = mask_exception_message(e)
+        logger.error(f"Error in v2 analysis for PMID {pmid}: {safe_error}")
         raise HTTPException(status_code=500, detail=f"Analysis error: {str(e)}")
 
 
@@ -183,7 +185,8 @@ async def analyze_paper_post(request: AnalysisRequestV2) -> PaperAnalysisResultV
     except HTTPException:
         raise
     except Exception as e:
-        logger.error(f"Error in v2 POST analysis for PMID {request.pmid}: {e}")
+        safe_error = mask_exception_message(e)
+        logger.error(f"Error in v2 POST analysis for PMID {request.pmid}: {safe_error}")
         raise HTTPException(status_code=500, detail=f"Analysis error: {str(e)}")
 
 
@@ -222,7 +225,8 @@ async def analyze_with_semaphore(pmid: str):
                         use_rag=request.use_rag
                     )
                 except Exception as e:
-                    logger.error(f"Error analyzing PMID {pmid} in batch: {e}")
+                    safe_error = mask_exception_message(e)
+                    logger.error(f"Error analyzing PMID {pmid} in batch: {safe_error}")
                     return None
 
         tasks = [analyze_with_semaphore(pmid) for pmid in request.pmids]
@@ -237,7 +241,8 @@ async def analyze_with_semaphore(pmid: str):
         return valid_results
 
     except Exception as e:
-        logger.error(f"Error in batch analysis: {e}")
+        safe_error = mask_exception_message(e)
+        logger.error(f"Error in batch analysis: {safe_error}")
         raise HTTPException(status_code=500, detail=f"Batch analysis error: {str(e)}")
 
 
@@ -262,7 +267,8 @@ async def get_rag_config() -> RAGConfigResponse:
             available_providers=available_providers or ["gemini", "openai", "anthropic"]
         )
     except Exception as e:
-        logger.error(f"Error getting RAG config: {e}")
+        safe_error = mask_exception_message(e)
+        logger.error(f"Error getting RAG config: {safe_error}")
         raise HTTPException(status_code=500, detail=f"Error getting RAG config: {str(e)}")
 
 

app/api/routers/study_analysis.py

@@ -5,6 +5,7 @@
 from typing import Optional
 from fastapi import APIRouter, HTTPException, BackgroundTasks
 from pydantic import BaseModel, HttpUrl
+from app.utils.credential_masking import mask_exception_message
 
 from app.services.web_scraper import WebScraperService
 from app.services.image_processor import ImageProcessorService
@@ -142,7 +143,8 @@ async def process_url_analysis(
                     gemini_api_key=GEMINI_API_KEY
                 )
             except Exception as e:
-                logger.warning(f"Job {job_id}: Unable to initialize visual LLM: {e}")
+                safe_error = mask_exception_message(e)
+                logger.warning(f"Job {job_id}: Unable to initialize visual LLM: {safe_error}")
 
         image_descriptions = []
 
@@ -228,6 +230,7 @@ async def process_url_analysis(
         logger.info(f"Job {job_id}: Completed successfully")
 
     except Exception as e:
-        logger.error(f"Job {job_id}: Failed with error: {e}")
+        safe_error = mask_exception_message(e)
+        logger.error(f"Job {job_id}: Failed with error: {safe_error}")
         job_store[job_id].status = "failed"
         job_store[job_id].error = str(e)

app/api/routers/system.py

@@ -6,6 +6,7 @@
 import asyncio
 from datetime import datetime
 import pytz
+from app.utils.credential_masking import mask_exception_message
 
 from app.utils.config import (
     AVAILABLE_MODELS,
@@ -36,7 +37,8 @@ def get_unified_qa():
         try:
             _unified_qa = UnifiedQA(use_gemini=True, gemini_api_key=GEMINI_API_KEY)
         except Exception as e:
-            logger.warning(f"Failed to initialize UnifiedQA: {e}")
+            safe_error = mask_exception_message(e)
+            logger.warning(f"Failed to initialize UnifiedQA: {safe_error}")
             _unified_qa = None
     return _unified_qa
 
@@ -47,7 +49,8 @@ def get_pubmed_retriever():
         try:
             _pubmed_retriever = PubMedRetriever(api_key=NCBI_API_KEY)
         except Exception as e:
-            logger.warning(f"Failed to initialize PubMedRetriever: {e}")
+            safe_error = mask_exception_message(e)
+            logger.warning(f"Failed to initialize PubMedRetriever: {safe_error}")
             _pubmed_retriever = None
     return _pubmed_retriever
 
@@ -71,7 +74,8 @@ async def health_check():
         )
 
     except Exception as e:
-        logger.error(f"Error in health check: {e}")
+        safe_error = mask_exception_message(e)
+        logger.error(f"Error in health check: {safe_error}")
         return HealthResponse(
             status="unhealthy",
             timestamp=get_current_timestamp(),
@@ -102,7 +106,8 @@ async def get_config():
         )
 
     except Exception as e:
-        logger.error(f"Error getting config: {e}")
+        safe_error = mask_exception_message(e)
+        logger.error(f"Error getting config: {safe_error}")
         raise HTTPException(status_code=500, detail=f"Error getting configuration: {str(e)}")
 
 
@@ -152,7 +157,8 @@ async def gemini_health_check():
             }
 
     except Exception as e:
-        logger.error(f"Error in Gemini health check: {e}")
+        safe_error = mask_exception_message(e)
+        logger.error(f"Error in Gemini health check: {safe_error}")
         return {
             "status": "unhealthy",
             "api_key_configured": bool(GEMINI_API_KEY),
@@ -183,7 +189,8 @@ async def ncbi_health_check(pmid: str = "31452104"):
             "pmid": pmid
         }
     except Exception as e:
-        logger.error(f"NCBI health check error: {e}", exc_info=True)
+        safe_error = mask_exception_message(e)
+        logger.error(f"NCBI health check error: {safe_error}", exc_info=False)  # Don't log full traceback to avoid credential exposure
         return {
             "status": "unhealthy",
             "error": "An internal error occurred. Please try again later.",
@@ -234,7 +241,8 @@ async def get_metrics():
         )
 
     except Exception as e:
-        logger.error(f"Error getting metrics: {e}")
+        safe_error = mask_exception_message(e)
+        logger.error(f"Error getting metrics: {safe_error}")
         raise HTTPException(status_code=500, detail=f"Error getting metrics: {str(e)}")
 
 
@@ -274,7 +282,8 @@ async def get_system_status():
         }
 
     except Exception as e:
-        logger.error(f"Error getting system status: {e}")
+        safe_error = mask_exception_message(e)
+        logger.error(f"Error getting system status: {safe_error}")
         raise HTTPException(status_code=500, detail=f"Error getting system status: {str(e)}")
 
 
@@ -303,7 +312,8 @@ async def get_version():
         }
 
     except Exception as e:
-        logger.error(f"Error getting version: {e}")
+        safe_error = mask_exception_message(e)
+        logger.error(f"Error getting version: {safe_error}")
         raise HTTPException(status_code=500, detail=f"Error getting version: {str(e)}")
 
 
@@ -380,5 +390,6 @@ async def ask_question(request: Dict[str, Any]):
     except HTTPException:
         raise
     except Exception as e:
-        logger.error(f"Error in Q&A endpoint: {e}")
+        safe_error = mask_exception_message(e)
+        logger.error(f"Error in Q&A endpoint: {safe_error}")
         raise HTTPException(status_code=500, detail=f"Error processing question: {str(e)}")

app/api/utils/api_utils.py

@@ -135,7 +135,9 @@ def get_paper_metadata_from_csv(pmid: str, csv_path: str = 'data/full_dump.csv')
                         'publication_date': row.get('publication_date', '')
                     }
     except Exception as e:
-        logger.error(f"Error reading CSV metadata for PMID {pmid}: {e}")
+        from app.utils.credential_masking import mask_exception_message
+        safe_error = mask_exception_message(e)
+        logger.error(f"Error reading CSV metadata for PMID {pmid}: {safe_error}")
 
     return None
 

app/models/gemini_qa.py

@@ -7,6 +7,7 @@
 import os
 import json
 from app.utils.config import GEMINI_TIMEOUT
+from app.utils.credential_masking import mask_string, mask_exception_message
 import asyncio
 import time
 
@@ -592,7 +593,8 @@ async def analyze_paper_enhanced(self, prompt: str) -> Dict[str, Union[str, floa
                 }
             }
         except Exception as e:
-            error_msg = str(e)
+            # Mask any credentials in error message before logging
+            error_msg = mask_string(str(e))
             error_type = type(e).__name__
 
             if "quota" in error_msg.lower() or "quota exceeded" in error_msg.lower():

app/models/llm_provider.py

@@ -3,6 +3,7 @@
 import logging
 from typing import Optional, Dict, List, Any
 from enum import Enum
+from app.utils.credential_masking import mask_exception_message, mask_string
 
 logger = logging.getLogger(__name__)
 
@@ -167,11 +168,13 @@ async def chat(
                 "error": "timeout",
             }
         except Exception as e:
-            logger.error(f"LLM request failed: {e}")
+            # Mask any credentials in error message
+            safe_error = mask_exception_message(e)
+            logger.error(f"LLM request failed: {safe_error}")
             return {
-                "text": f"Error: {str(e)}",
+                "text": f"Error: {safe_error}",
                 "confidence": 0.0,
-                "error": str(e),
+                "error": safe_error,
             }
 
     async def analyze_image(
@@ -229,8 +232,10 @@ async def analyze_image(
             logger.error(f"Image analysis timed out after {timeout}s")
             return "Image analysis timed out."
         except Exception as e:
-            logger.error(f"Image analysis failed: {e}")
-            return f"Error analyzing image: {str(e)}"
+            # Mask any credentials in error message
+            safe_error = mask_exception_message(e)
+            logger.error(f"Image analysis failed: {safe_error}")
+            return f"Error analyzing image: {safe_error}"
 
     @staticmethod
     def get_available_providers() -> List[str]:

app/models/unified_qa.py

@@ -22,6 +22,7 @@
     from .gemini_qa import GeminiQA
 
 from app.utils.config import GEMINI_TIMEOUT, GEMINI_API_KEY, LLM_PROVIDER, LLM_MODEL
+from app.utils.credential_masking import mask_exception_message, mask_string
 
 logger = logging.getLogger(__name__)
 
@@ -113,7 +114,8 @@ async def chat(self, prompt: str) -> dict:
                 )
                 return response
             except Exception as e:
-                logger.error(f"UnifiedQA.chat (LiteLLM) error: {e}")
+                safe_error = mask_exception_message(e)
+                logger.error(f"UnifiedQA.chat (LiteLLM) error: {safe_error}")
 
         if not self.qa_system:
             return {"text": "Model not available. Check API keys or LLM_PROVIDER config.", "confidence": 0.0}
@@ -124,7 +126,8 @@ async def chat(self, prompt: str) -> dict:
                 return await self._fallback_to_gemini(prompt)
             return response
         except Exception as e:
-            logger.error(f"UnifiedQA.chat error: {e}")
+            safe_error = mask_exception_message(e)
+            logger.error(f"UnifiedQA.chat error: {safe_error}")
             logger.info("Attempting fallback to GeminiQA after error")
             return await self._fallback_to_gemini(prompt)
 
@@ -141,8 +144,9 @@ async def _fallback_to_gemini(self, prompt: str) -> dict:
             logger.info("Fallback to GeminiQA successful")
             return response
         except Exception as e:
-            logger.error(f"Fallback to GeminiQA also failed: {e}")
-            return {"text": f"Error: All QA systems failed. Last error: {e}", "confidence": 0.0}
+            safe_error = mask_exception_message(e)
+            logger.error(f"Fallback to GeminiQA also failed: {safe_error}")
+            return {"text": f"Error: All QA systems failed. Last error: {safe_error}", "confidence": 0.0}
 
     async def ask_question(self, question: str, context: Optional[str] = None, pmid: Optional[str] = None) -> Dict:
         """Ask a question with optional context. Returns {'answer': str, 'confidence': float}."""