fix: harden Redis cache config and env test isolation (#541)

Author: Justxd22

src/cache/client.ts

@@ -4,6 +4,23 @@ import { createLogger } from '../factories/logger-factory'
 
 const logger = createLogger('cache-client')
 
+const redactRedisUrlCredentials = (url: string): string => {
+  try {
+    const parsedUrl = new URL(url)
+
+    if (!parsedUrl.username && !parsedUrl.password) {
+      return url
+    }
+
+    parsedUrl.username = parsedUrl.username ? '***' : ''
+    parsedUrl.password = parsedUrl.password ? '***' : ''
+
+    return parsedUrl.toString()
+  } catch {
+    return url
+  }
+}
+
 export const getCacheConfig = (): RedisClientOptions => {
   if (process.env.REDIS_URI) {
     return {
@@ -20,7 +37,8 @@ export const getCacheConfig = (): RedisClientOptions => {
     const username = process.env.REDIS_USER ?? 'default'
 
     return {
-      url: `redis://${username}:${process.env.REDIS_PASSWORD}@${host}:${port}`,
+      url: `redis://${host}:${port}`,
+      username,
       password: process.env.REDIS_PASSWORD,
     }
   }
@@ -37,7 +55,10 @@ export const getCacheClient = (): CacheClient => {
     const config = getCacheConfig()
     // eslint-disable-next-line @typescript-eslint/no-unused-vars
     const { password: _, ...loggableConfig } = config
-    logger('config: %o', loggableConfig)
+    logger('config: %o', {
+      ...loggableConfig,
+      ...(loggableConfig.url ? { url: redactRedisUrlCredentials(loggableConfig.url) } : {}),
+    })
     instance = createClient(config)
   }
 

test/unit/cache/client.spec.ts

@@ -3,7 +3,7 @@ import { expect } from 'chai'
 import { getCacheConfig } from '../../../src/cache/client'
 
 describe('getCacheConfig', () => {
-  const originalEnv = { ...process.env }
+  const originalEnv = process.env
 
   beforeEach(() => {
     process.env = { ...originalEnv }
@@ -14,7 +14,7 @@ describe('getCacheConfig', () => {
     delete process.env.REDIS_PORT
   })
 
-  after(() => {
+  afterEach(() => {
     process.env = originalEnv
   })
 
@@ -29,7 +29,7 @@ describe('getCacheConfig', () => {
     })
   })
 
-  it('builds authenticated redis url when REDIS_PASSWORD is set', () => {
+  it('builds authenticated redis config when REDIS_PASSWORD is set', () => {
     process.env.REDIS_HOST = 'localhost'
     process.env.REDIS_PORT = '6379'
     process.env.REDIS_USER = 'default'
@@ -38,7 +38,22 @@ describe('getCacheConfig', () => {
     const config = getCacheConfig()
 
     expect(config).to.deep.equal({
-      url: 'redis://default:secret@localhost:6379',
+      url: 'redis://localhost:6379',
+      username: 'default',
+      password: 'secret',
+    })
+  })
+
+  it('defaults REDIS_USER to default when REDIS_PASSWORD is set and REDIS_USER is unset', () => {
+    process.env.REDIS_HOST = 'localhost'
+    process.env.REDIS_PORT = '6379'
+    process.env.REDIS_PASSWORD = 'secret'
+
+    const config = getCacheConfig()
+
+    expect(config).to.deep.equal({
+      url: 'redis://localhost:6379',
+      username: 'default',
       password: 'secret',
     })
   })