From 94f8f132ca473a14a76eecadd7b46a521823bc0a Mon Sep 17 00:00:00 2001
From: Beth Skurrie
Date: Wed, 14 Mar 2018 13:52:38 +1100
Subject: [PATCH] feat: redact auth headers from rack env used to report errors

---
 lib/webmachine/convert_request_to_rack_env.rb | 16 +++++--
 .../convert_request_to_rack_env_spec.rb | 47 +++++++++++++------
 2 files changed, 44 insertions(+), 19 deletions(-)

diff --git a/lib/webmachine/convert_request_to_rack_env.rb b/lib/webmachine/convert_request_to_rack_env.rb
index 280dfb903..9f0a548fb 100644
--- a/lib/webmachine/convert_request_to_rack_env.rb
+++ b/lib/webmachine/convert_request_to_rack_env.rb
@@ -11,11 +11,19 @@ def self.call(request)
 'SCRIPT_NAME' => '',
 'rack.url_scheme' => request.uri.scheme,
 'rack.input' => request.body.to_io ? StringIO.new(request.body.to_s) : nil
- }
- http_headers = request.headers.each do | key, value |
- env[convert_http_header_name_to_rack_header_name(key)] = value
+ }.merge(convert_headers(request))
+ end
+
+ def self.convert_headers(request)
+ request.headers.each_with_object({}) do | (key, value), env |
+ v = redact?(key) ? '[Filtered]' : value
+ env[convert_http_header_name_to_rack_header_name(key)] = v
 end
- env
+ end
+
+ def self.redact?(http_header_name)
+ lower = http_header_name.downcase
+ lower == 'authorization' || lower.include?('token')
 end
 
 def self.convert_http_header_name_to_rack_header_name(http_header_name)
diff --git a/spec/lib/webmachine/convert_request_to_rack_env_spec.rb b/spec/lib/webmachine/convert_request_to_rack_env_spec.rb
index b94b989c2..584d39bc0 100644
--- a/spec/lib/webmachine/convert_request_to_rack_env_spec.rb
+++ b/spec/lib/webmachine/convert_request_to_rack_env_spec.rb
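Review bot: `redact?` matches only a header named exactly `authorization` or one whose name contains `token`, so `Proxy-Authorization`, `Cookie` and API-key style headers (`X-Api-Key`) are still copied verbatim into the env that, per the commit title, is handed to error reporting. A frozen list of exact names plus credential-marking substrings keeps the intent readable and easy to extend, and since the name is already lower-cased the list can stay lower-case; over-matching a harmless header such as `Sec-WebSocket-Key` costs nothing in an error report. The `rack.input` context line above still copies `request.body.to_s` unredacted, so presumably form-posted credentials would travel the same route — worth a follow-up if the body is reported as well. Neither `convert_headers` nor `redact?` carries a comment; a line such as `# Values of these headers must never reach the error reporter` above `redact?` records why the list exists. The enclosing module and the opening lines of `call` are outside the hunk.
```ruby
  # Lower-cased header names whose values are never copied into the env.
  REDACTED_HEADERS = %w[authorization proxy-authorization cookie].freeze
  # Substrings that mark a header as carrying a credential; over-matching is harmless here.
  REDACTED_FRAGMENTS = %w[token secret password key].freeze

  def self.redact?(http_header_name)
    lower = http_header_name.downcase
    REDACTED_HEADERS.include?(lower) || REDACTED_FRAGMENTS.any? { |fragment| lower.include?(fragment) }
  end
```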
@@ -6,17 +6,36 @@ module Webmachine
 
 let(:rack_env) do
 {
- "rack.input"=>StringIO.new('foo'),
- "REQUEST_METHOD"=>"POST",
- "SERVER_NAME"=>"example.org",
- "SERVER_PORT"=>"80",
- "QUERY_STRING"=>"",
- "PATH_INFO"=>"/foo",
- "rack.url_scheme"=>"http",
- "SCRIPT_NAME"=>"",
- "CONTENT_LENGTH"=>"0",
- "HTTP_HOST"=>"example.org",
- "CONTENT_TYPE"=>"application/x-www-form-urlencoded",
+ "rack.input" => StringIO.new('foo'),
+ "REQUEST_METHOD" => "POST",
+ "SERVER_NAME" => "example.org",
+ "SERVER_PORT" => "80",
+ "QUERY_STRING" => "",
+ "PATH_INFO" => "/foo",
+ "rack.url_scheme" => "http",
+ "SCRIPT_NAME" => "",
+ "CONTENT_LENGTH" => "0",
+ "HTTP_HOST" => "example.org",
+ "CONTENT_TYPE" => "application/x-www-form-urlencoded",
+ "HTTP_AUTHORIZATION" => "auth",
+ "HTTP_TOKEN" => "foo"
+ }
+ end
+
+ let(:expected_rack_env) do
+ {
+ "REQUEST_METHOD" => "POST",
+ "SERVER_NAME" => "example.org",
+ "SERVER_PORT" => "80",
+ "QUERY_STRING" => "",
+ "PATH_INFO" => "/foo",
+ "rack.url_scheme" => "http",
+ "SCRIPT_NAME" => "",
+ "CONTENT_LENGTH" => "0",
+ "HTTP_HOST" => "example.org",
+ "CONTENT_TYPE" => "application/x-www-form-urlencoded",
+ "HTTP_AUTHORIZATION" => "[Filtered]",
+ "HTTP_TOKEN" => "[Filtered]"
 }
 end
 
@@ -38,12 +57,10 @@ module Webmachine
 subject { ConvertRequestToRackEnv.call(webmachine_request) }
 
 describe ".call" do
- it "" do
- expected_env = rack_env.dup
- expected_env.delete('rack.input')
+ it "returns a rack env hash created from the Webmachine::Request" do
 actual_env = subject
 actual_rack_input = actual_env.delete('rack.input')
- expect(subject).to eq expected_env
+ expect(subject).to eq expected_rack_env
 expect(actual_rack_input.string).to eq 'foo'
 end
 end
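Review bot: `expected_rack_env` pins redaction only for `HTTP_AUTHORIZATION` and `HTTP_TOKEN`, the two shapes `redact?` is built around, so the spec never shows where the filter stops: nothing asserts how a `Proxy-Authorization` header or a mixed-case `X-Auth-Token` is treated, and the pass-through of ordinary headers is only implied by `HTTP_HOST`. One extra pair in `rack_env`, say `"HTTP_PROXY_AUTHORIZATION" => "auth"`, with the value you intend in `expected_rack_env`, would document the boundary and fail loudly if it is not the one implemented. How `webmachine_request` is derived from `rack_env` sits outside this hunk, so whether header names reach `redact?` as sent or already lower-cased cannot be confirmed from here.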
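Review bot: `expect(subject).to eq expected_rack_env` holds only because RSpec memoizes `subject`, so the `delete('rack.input')` performed on `actual_env` two lines earlier has already removed the key from the very hash being compared; a reader has to know that to see why `rack.input` is absent from `expected_rack_env`. Asserting on the local instead, `expect(actual_env).to eq expected_rack_env`, makes that dependency explicit. A comment on the delete line, `# rack.input is a fresh StringIO, so it is compared by content below`, would explain the two-step assertion.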