Mask API key when a client is displayed as a string

Ron Dahlgren · Ron Dahlgren · commit 74ea4b47f0a1 · 2025-11-17T17:35:35.000-05:00
This commit implements `to_s` and `inspect` to mask everything after the
first four characters of the api key. When using the Ruby SerpAPI client
in pry, for instance, the default `inspect` representation will include
the `api_key` of the `@params` attribute.
diff --git a/lib/serpapi/client.rb b/lib/serpapi/client.rb
@@ -181,6 +181,20 @@ def close
       @socket.close if @socket
     end
 
+    def to_s
+      # If the api_key is set, mask it
+      masked_api_key = if api_key && api_key.length > 4
+                         "#{api_key[0..3]}#{'*' * (api_key.length - 4)}"
+                       else
+                         api_key
+                       end
+      "SerpApi::Client(engine: #{engine}, api_key: #{masked_api_key}, persistent: #{persistent?}, timeout: #{timeout}s)"
+    end
+
+    def inspect
+      to_s
+    end
+
     private
 
     # @param [Hash] params to merge with default parameters provided to the constructor.
diff --git a/spec/serpapi/client/client_spec.rb b/spec/serpapi/client/client_spec.rb
@@ -95,6 +95,25 @@
       raise("wrong exception: #{e}")
     end
   end
+
+  it 'should not expose api_key in to_s and inspect' do
+    str = client.to_s
+    expect(str).to include('SerpApi::Client(engine: google, api_key: ')
+    expect(str).to_not include(ENV['SERPAPI_KEY'])
+
+    inspect_str = client.inspect
+    expect(inspect_str).to include('SerpApi::Client(engine: google, api_key: ')
+    expect(inspect_str).to_not include(ENV['SERPAPI_KEY'])
+  end
+
+  it 'should gracefully handle api_key values shorter than 5 characters' do
+    short_key_client = SerpApi::Client.new(engine: 'google', api_key: 'abcd', timeout: 10)
+    str = short_key_client.to_s
+    expect(str).to include('SerpApi::Client(engine: google, api_key: abcd')
+
+    inspect_str = short_key_client.inspect
+    expect(inspect_str).to include('SerpApi::Client(engine: google, api_key: abcd')
+  end
 end
 
 describe 'SerpApi client with persitency enable' do
@@ -136,4 +155,4 @@
     expect(client.socket).to be_nil
     expect(client.close).to be_nil
   end
-end
+end
