Skip to content

Commit 517ed57

Browse files
committed
fix: Redact secrets and tokens from #inspect
Override #inspect on Client and Token to replace sensitive values (client_secret, access_token, id_token, refresh_token) with [REDACTED], preventing leaks via logging or error reporting.
1 parent dc30749 commit 517ed57

4 files changed

Lines changed: 79 additions & 0 deletions

File tree

lib/cognito_idp/client.rb

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,14 @@ def initialize(client_id:, domain:, client_secret: nil, adapter: Faraday.default
1515
@stubs = stubs
1616
end
1717

18+
def inspect
19+
"#<#{self.class}:0x#{object_id.to_s(16)} " \
20+
"@adapter=#{adapter.inspect}, " \
21+
"@client_id=#{client_id.inspect}, " \
22+
"@client_secret=#{client_secret.nil? ? "nil" : "[REDACTED]"}, " \
23+
"@domain=#{domain.inspect}>"
24+
end
25+
1826
def authorization_uri(redirect_uri:, **options)
1927
AuthorizationUri.new(
2028
client_id: client_id,

lib/cognito_idp/token.rb

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,5 +14,15 @@ def initialize(token_hash)
1414
end
1515
@expires_at = Time.now + expires_in unless expires_in.nil?
1616
end
17+
18+
def inspect
19+
"#<#{self.class}:0x#{object_id.to_s(16)} " \
20+
"@access_token=#{access_token.nil? ? "nil" : "[REDACTED]"}, " \
21+
"@id_token=#{id_token.nil? ? "nil" : "[REDACTED]"}, " \
22+
"@token_type=#{token_type.inspect}, " \
23+
"@expires_in=#{expires_in.inspect}, " \
24+
"@expires_at=#{expires_at.inspect}, " \
25+
"@refresh_token=#{refresh_token.nil? ? "nil" : "[REDACTED]"}>"
26+
end
1727
end
1828
end

spec/cognito_idp/client_spec.rb

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,25 @@
1515
expect(CognitoIdp::VERSION).not_to be nil
1616
end
1717

18+
describe "#inspect" do
19+
it "redacts client_secret when set" do
20+
client = described_class.new(client_id: "id", client_secret: "super-secret", domain: "auth.example.com")
21+
expect(client.inspect).to include("@client_secret=[REDACTED]")
22+
expect(client.inspect).not_to include("super-secret")
23+
end
24+
25+
it "shows nil when client_secret is not set" do
26+
client = described_class.new(client_id: "id", domain: "auth.example.com")
27+
expect(client.inspect).to include("@client_secret=nil")
28+
end
29+
30+
it "shows non-secret attributes" do
31+
client = described_class.new(client_id: "id", domain: "auth.example.com")
32+
expect(client.inspect).to include('@client_id="id"')
33+
expect(client.inspect).to include('@domain="auth.example.com"')
34+
end
35+
end
36+
1837
describe "#authorization_uri" do
1938
subject(:uri) { client.authorization_uri(redirect_uri: redirect_uri) }
2039

spec/cognito_idp/token_spec.rb

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,48 @@
1616
it { expect(token.expires_at).to be_nil }
1717
it { expect(token.refresh_token).to be_nil }
1818

19+
describe "#inspect" do
20+
context "when token values are set" do
21+
let(:token_hash) do
22+
{
23+
"access_token" => "secret-access",
24+
"id_token" => "secret-id",
25+
"token_type" => "Bearer",
26+
"expires_in" => 3600,
27+
"refresh_token" => "secret-refresh"
28+
}
29+
end
30+
31+
it "redacts access_token" do
32+
expect(token.inspect).to include("@access_token=[REDACTED]")
33+
expect(token.inspect).not_to include("secret-access")
34+
end
35+
36+
it "redacts id_token" do
37+
expect(token.inspect).to include("@id_token=[REDACTED]")
38+
expect(token.inspect).not_to include("secret-id")
39+
end
40+
41+
it "redacts refresh_token" do
42+
expect(token.inspect).to include("@refresh_token=[REDACTED]")
43+
expect(token.inspect).not_to include("secret-refresh")
44+
end
45+
46+
it "shows non-secret attributes" do
47+
expect(token.inspect).to include('@token_type="Bearer"')
48+
expect(token.inspect).to include("@expires_in=3600")
49+
end
50+
end
51+
52+
context "when token values are nil" do
53+
it "shows nil for absent tokens" do
54+
expect(token.inspect).to include("@access_token=nil")
55+
expect(token.inspect).to include("@id_token=nil")
56+
expect(token.inspect).to include("@refresh_token=nil")
57+
end
58+
end
59+
end
60+
1961
context "when token is initialized with values" do
2062
let(:token_hash) do
2163
{

0 commit comments

Comments
 (0)