fix: address code review feedback - enhance header security and add tests

phernandez · claude · phernandez · commit b6f2823183a5 · 2025-09-27T21:46:16.000-05:00
- Expand sensitive header filtering to include cookie, x-api-key, x-auth-token, api-key - Add comprehensive test coverage for 30-second timeout configuration - Ensure all sensitive authentication headers are excluded from debug logs Addresses review comments from github-actions bot on PR #317 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: phernandez <paul@basicmachines.co>
diff --git a/src/basic_memory/mcp/tools/headers.py b/src/basic_memory/mcp/tools/headers.py
@@ -29,7 +29,8 @@ def inject_auth_header(headers: HeaderTypes | None = None) -> HeaderTypes:
 
     # Log only non-sensitive header keys for debugging
     if logger.opt(lazy=True).debug:
-        safe_headers = {k for k in http_headers.keys() if k.lower() != "authorization"}
+        sensitive_headers = {"authorization", "cookie", "x-api-key", "x-auth-token", "api-key"}
+        safe_headers = {k for k in http_headers.keys() if k.lower() not in sensitive_headers}
         logger.debug(f"HTTP headers present: {list(safe_headers)}")
 
     authorization = http_headers.get("Authorization") or http_headers.get("authorization")
diff --git a/tests/api/test_async_client.py b/tests/api/test_async_client.py
@@ -1,7 +1,7 @@
 """Tests for async_client configuration."""
 
 from unittest.mock import patch
-from httpx import AsyncClient, ASGITransport
+from httpx import AsyncClient, ASGITransport, Timeout
 
 from basic_memory.mcp.async_client import create_client
 
@@ -25,3 +25,25 @@ def test_create_client_uses_http_when_proxy_env_set():
         assert not isinstance(client._transport, ASGITransport)
         # When using remote API, no base_url is set (dynamic from headers)
         assert str(client.base_url) == "http://localhost:8000"
+
+
+def test_create_client_configures_extended_timeouts():
+    """Test that create_client configures 30-second timeouts for long operations."""
+    with patch.dict("os.environ", {}, clear=True):
+        client = create_client()
+
+        # Verify timeout configuration
+        assert isinstance(client.timeout, Timeout)
+        assert client.timeout.connect == 10.0  # 10 seconds for connection
+        assert client.timeout.read == 30.0     # 30 seconds for reading
+        assert client.timeout.write == 30.0    # 30 seconds for writing
+        assert client.timeout.pool == 30.0     # 30 seconds for pool
+
+    # Also test with proxy URL
+    with patch.dict("os.environ", {"BASIC_MEMORY_PROXY_URL": "http://localhost:8000"}):
+        client = create_client()
+
+        # Same timeout configuration should apply
+        assert isinstance(client.timeout, Timeout)
+        assert client.timeout.read == 30.0
+        assert client.timeout.write == 30.0
