From c2a11cb638396efa2ffe8081ead89fa6dd20aeaa Mon Sep 17 00:00:00 2001
From: Rick Winfrey
Date: Tue, 20 May 2025 15:42:32 -0700
Subject: [PATCH 1/4] Add Authorization Bearer token pattern

---
 lib/patterns/default.rb | 5 ++++-
 spec/lib/redacting_logger_spec.rb | 5 +++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/patterns/default.rb b/lib/patterns/default.rb
index f2a3f85..efc90c4 100644
--- a/lib/patterns/default.rb
+++ b/lib/patterns/default.rb
@@ -47,6 +47,9 @@ module Patterns
  # Vault Tokens
  # https://github.com/hashicorp/vault/issues/27151
  /[sbr]\.[a-zA-Z0-9]{24,}/, # <= 1.9.x
- /hv[sbr]\.[a-zA-Z0-9]{24,}/ # >= 1.10
+ /hv[sbr]\.[a-zA-Z0-9]{24,}/, # >= 1.10
+
+ # Authorization bearer tokens
+ /(?i)authorization:\s+bearer\s+[A-Za-z0-9\-_\.=~+\/]+/,
  ].freeze
  end

diff --git a/spec/lib/redacting_logger_spec.rb b/spec/lib/redacting_logger_spec.rb
index 88294bb..8b6dc7b 100644
--- a/spec/lib/redacting_logger_spec.rb
+++ b/spec/lib/redacting_logger_spec.rb
@@ -160,6 +160,11 @@
  case: "redacts a RubyGems token",
  message: "using rubygems token: rubygems_0123456789abcdef0123456789abcdef0123456789abcdef",
  expected_message: "using rubygems token: [REDACTED]"
+ },
+ {
+ case: "redacts authorization bearer token",
+ message: '-H "Authorization: Bearer ab123456789a1abcd1~_.-+456ABCDE=" -H "Content-Type: application/json"',
+ expected_message: '-H "[REDACTED]" -H "Content-Type: application/json"'
  }
  ].each do |test|
  it "redacts #{test[:case]}" do

From a20d6a80fe7c1e31c9105919b0f31c1b9de2d117 Mon Sep 17 00:00:00 2001
From: Rick Winfrey
Date: Tue, 20 May 2025 16:05:44 -0700
Subject: [PATCH 2/4] Link to the Bearer token spec

---
 lib/patterns/default.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/patterns/default.rb b/lib/patterns/default.rb
index efc90c4..c658b45 100644
--- a/lib/patterns/default.rb
+++ b/lib/patterns/default.rb
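Review bot: The new pattern in the default.rb hunk requires at least one whitespace character after the colon (`authorization:\s+bearer`), so a header serialized without that space (`Authorization:Bearer <token>`, which is valid since RFC 7230 only allows optional whitespace between the colon and the field value) would be written to the log unredacted. Relaxing that first quantifier to `\s*` closes the gap; the `\s+` between the scheme and the token can stay, since RFC 6750 requires at least one space there. As a point of style, Ruby would carry the flag on the literal rather than as an inline `(?i)`, and the `\.` escape inside the class is unnecessary (the `\-` must stay or `9-_` becomes a range): `/authorization:\s*bearer\s+[A-Za-z0-9\-_.=~+\/]+/i`. The array this entry belongs to opens outside the hunk, and the same pattern reappears as context in the patch 2/4 hunk.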
@@ -50,6 +50,7 @@ module Patterns
  /hv[sbr]\.[a-zA-Z0-9]{24,}/, # >= 1.10
 
  # Authorization bearer tokens
+ # https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
  /(?i)authorization:\s+bearer\s+[A-Za-z0-9\-_\.=~+\/]+/,
  ].freeze
  end

From 75f477e88d791f54db697497d0751f93c9f90206 Mon Sep 17 00:00:00 2001
From: GrantBirki
Date: Sun, 25 May 2025 21:48:21 -0700
Subject: [PATCH 3/4] add an extra test around the case of the bearing token header (insensitive case)

---
 spec/lib/redacting_logger_spec.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/spec/lib/redacting_logger_spec.rb b/spec/lib/redacting_logger_spec.rb
index 8b6dc7b..095f796 100644
--- a/spec/lib/redacting_logger_spec.rb
+++ b/spec/lib/redacting_logger_spec.rb
@@ -165,6 +165,11 @@
  case: "redacts authorization bearer token",
  message: '-H "Authorization: Bearer ab123456789a1abcd1~_.-+456ABCDE=" -H "Content-Type: application/json"',
  expected_message: '-H "[REDACTED]" -H "Content-Type: application/json"'
+ },
+ {
+ case: "redacts authorization bearer token with case insensitivity",
+ message: '-H "authorizAtion: beaRer ab123456789a1abcd1~_.-+456ABCDE=" -H "Content-Type: application/json"',
+ expected_message: '-H "[REDACTED]" -H "Content-Type: application/json"'
  }
  ].each do |test|
  it "redacts #{test[:case]}" do

From f7042d2d9866af9bad0b85a9b1377b5bfb7b2e29 Mon Sep 17 00:00:00 2001
From: GrantBirki
Date: Sun, 25 May 2025 22:00:09 -0700
Subject: [PATCH 4/4] add more bearer token edge cases

---
 spec/lib/redacting_logger_spec.rb | 35 +++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/spec/lib/redacting_logger_spec.rb b/spec/lib/redacting_logger_spec.rb
index 095f796..1294e5c 100644
--- a/spec/lib/redacting_logger_spec.rb
+++ b/spec/lib/redacting_logger_spec.rb
@@ -170,6 +170,41 @@
  case: "redacts authorization bearer token with case insensitivity",
  message: '-H "authorizAtion: beaRer ab123456789a1abcd1~_.-+456ABCDE=" -H "Content-Type: application/json"',
  expected_message: '-H "[REDACTED]" -H "Content-Type: application/json"'
+ },
+ {
+ case: "redacts authorization bearer token with extra spaces and tabs",
+ message: "authorization: bearer abcd1234",
+ expected_message: "[REDACTED]"
+ },
+ {
+ case: "redacts authorization bearer token with special characters",
+ message: "authorization: bearer aBcD-_=~+/1234",
+ expected_message: "[REDACTED]"
+ },
+ {
+ case: "redacts authorization bearer token at start of string",
+ message: "authorization: bearer tokenatstart",
+ expected_message: "[REDACTED]"
+ },
+ {
+ case: "redacts authorization bearer token at end of string",
+ message: "some text authorization: bearer tokenatend",
+ expected_message: "some text [REDACTED]"
+ },
+ {
+ case: "redacts multiple authorization bearer tokens in one string",
+ message: "authorization: bearer token1 and authorization: bearer token2",
+ expected_message: "[REDACTED] and [REDACTED]"
+ },
+ {
+ case: "redacts authorization bearer token with minimum plausible length",
+ message: "authorization: bearer a",
+ expected_message: "[REDACTED]"
+ },
+ {
+ case: "redacts authorization bearer token with maximum plausible length",
+ message: "authorization: bearer #{'a' * 256}",
+ expected_message: "[REDACTED]"
  }
  ].each do |test|
  it "redacts #{test[:case]}" do
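Review bot: None of the seven new cases covers a header with no whitespace after the colon (`authorization:bearer abcd1234`), which the pattern's `\s+` leaves unredacted, so this matrix cannot reveal that gap in the matcher; adding such a case would document it (and fail until the quantifier is relaxed). The case named "with extra spaces and tabs" shows only single spaces in this rendering; if the source literal is the same, it exercises nothing beyond the plain case, whereas `message: "authorization:\t\tbearer   abcd1234"` would. The "maximum plausible length" case is not a boundary either, since the pattern's `+` is unbounded, so it only confirms that long tokens are still redacted. The array literal these hashes belong to opens outside the hunk.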