OAuth2::FilteredAttributes => auth-sanitizer gem#714
Codecov Report

✅ All modified and coverable lines are covered by tests.

Coverage diff, main vs. #714:

| | main | #714 | +/- |
|---|---|---|---|
| Coverage | 100.00% | 100.00% | |
| Files | 14 | 14 | |
| Lines | 567 | 552 | -15 |
| Branches | 174 | 169 | -5 |
| Hits | 567 | 552 | -15 |

☔ View full report in Codecov by Sentry.
Coverage Report for CI Build 25942922058

Warning: No base build found for commit.

Coverage: 100.0%

Uncovered changes: no uncovered changes found.
Coverage regressions: requires a base build to compare against.

💛 - Coveralls
Pull request overview
Extracts the previously-internal sensitive-value filtering primitives (OAuth2::ThingFilter, OAuth2::SanitizedLogger, and the implementation of OAuth2::FilteredAttributes) into a new external dependency, auth-sanitizer, so the same filtering can be reused by sibling auth gems. OAuth2::FilteredAttributes is preserved as a permanent alias to Auth::Sanitizer::FilteredAttributes, and Auth::Sanitizer.filtered_label_provider is wired to OAuth2.config[:filtered_label].
Changes:
- Add `auth-sanitizer ~> 0.1` runtime dependency and delete the internal `thing_filter.rb`/`sanitized_logger.rb` implementations, replacing `FilteredAttributes` with a constant alias.
- Update `Client#oauth_debug_logging` and option docs to use `Auth::Sanitizer::SanitizedLogger`, and move/rename the corresponding spec under `spec/auth/sanitizer/`.
- Add narrative docs (README "Request Target Trust Boundaries" + filter notes, THREAT_MODEL §5.7) and a new client spec covering absolute-URL request targets; update CHANGELOG, Gemfile (`nomono` dev wiring), and Gemfile.lock.
Reviewed changes
Copilot reviewed 13 out of 14 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| lib/oauth2.rb | Requires auth/sanitizer, drops internal requires, and wires the global label provider to OAuth2.config[:filtered_label]. |
| lib/oauth2/filtered_attributes.rb | Replaces the module implementation with a permanent constant alias to Auth::Sanitizer::FilteredAttributes. |
| lib/oauth2/thing_filter.rb | Deleted; functionality moved to auth-sanitizer. |
| lib/oauth2/sanitized_logger.rb | Deleted; functionality moved to auth-sanitizer. |
| lib/oauth2/client.rb | Switches debug-log middleware to Auth::Sanitizer::SanitizedLogger with explicit filtered_keys/label; updates YARD reference. |
| oauth2.gemspec | Adds auth-sanitizer ~> 0.1 runtime dependency. |
| Gemfile | Adds an opt-out nomono dev-bundler block for local sibling checkouts. |
| Gemfile.lock | Locks auth-sanitizer 0.1.0 and refreshes transitive versions/checksums. |
| spec/auth/sanitizer/thing_filter_spec.rb | Re-targets specs to Auth::Sanitizer::ThingFilter/FilteredAttributes. |
| spec/oauth2/client_spec.rb | Adds a test covering absolute-URL request targets. |
| README.md | Documents filtered debug keys/label and adds the "Request Target Trust Boundaries" guidance; removes CodeTriage badge. |
| THREAT_MODEL.md | Inserts §5.7 covering request-target trust-boundary expansion and renumbers logging section to §5.8. |
| SECURITY.md | Adds a trailing period to a sentence. |
| CHANGELOG.md | Notes the refactor and removal of internal filter classes. |
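As an added illustration of the primitive the review above describes, not the auth-sanitizer gem's code or API (class names, the default key list and the sample log lines are all assumptions constructed for this example): a value filter keyed on sensitive parameter names, a lambda standing in for the label provider the PR wires to `OAuth2.config[:filtered_label]`, and a `Logger` subclass that redacts before anything is written.

```ruby
require "logger"
require "stringio"

# Added illustration only: NOT the auth-sanitizer gem's code or API. It sketches
# the primitive the PR moves out of oauth2: a value filter keyed on sensitive
# parameter names, a pluggable label (the PR wires the gem's label to
# OAuth2.config[:filtered_label]; a lambda stands in for that here), and a
# Logger subclass that redacts before anything is written.
module SanitizerIllustration
  class ValueFilter
    # Assumed default key list for this example, not the gem's.
    DEFAULT_KEYS = %w[access_token refresh_token client_secret code id_token].freeze

    def initialize(filtered_keys: DEFAULT_KEYS, label_provider: -> { "[FILTERED]" })
      @label_provider = label_provider
      @patterns = filtered_keys.map(&:to_s).flat_map { |k| patterns_for(Regexp.escape(k)) }
      # Bearer tokens carry no key name, so they get a rule of their own.
      @patterns << %r{Bearer\s+(?<value>[A-Za-z0-9\-._~+/]+=*)}
    end

    # Returns a copy of +text+ with every captured value replaced by the label.
    def redact(text)
      @patterns.reduce(text.to_s) do |out, re|
        out.gsub(re) do |match|
          md = Regexp.last_match
          # MatchData offsets are relative to the whole string; slice around the value
          # so the key, quoting and separators survive and only the value changes.
          head = match[0, md.begin(:value) - md.begin(0)]
          tail = match[(md.end(:value) - md.begin(0))..]
          head + @label_provider.call + tail
        end
      end
    end

    private

    # One regex per serialization that commonly reaches an OAuth debug log.
    def patterns_for(key)
      [
        # query strings / form bodies: key=value ("=>" is excluded so the
        # Hash#inspect rule below owns that shape instead of mangling it)
        /(?<![\w-])#{key}=(?!>)(?<value>[^&\s"']*)/,
        # JSON bodies: "key":"value", any whitespace around the colon
        /"#{key}"\s*:\s*"(?<value>[^"]*)"/,
        # Ruby Hash#inspect: :key=>"value" (older Rubies) or key: "value" (3.4+)
        /(?::#{key}\s*=>\s*|(?<![\w:])#{key}:\s+)"(?<value>[^"]*)"/,
      ]
    end
  end

  # Logger subclass that filters the message before the parent writes it.
  class SanitizingLogger < ::Logger
    def initialize(io, filter:)
      super(io)
      @filter = filter
    end

    # Logger#debug("msg") arrives here as add(DEBUG, nil, "msg"), so the
    # message may sit in +progname+ or come from the block; normalise first.
    def add(severity, message = nil, progname = nil, &block)
      if message.nil?
        if block
          message = block.call
        else
          message = progname
          progname = nil
        end
      end
      super(severity, @filter.redact(message), progname)
    end
  end

  # Feeds a few constructed debug lines (not captured from any real provider)
  # through the logger and returns exactly what would have been written.
  def self.demo_output(label: "[FILTERED]")
    io = StringIO.new
    logger = SanitizingLogger.new(io, filter: ValueFilter.new(label_provider: -> { label }))
    logger.formatter = proc { |severity, _time, _progname, msg| "#{severity} #{msg}\n" }
    client = { client_id: "app-1", client_secret: "s3cr3t" }

    logger.debug("POST /oauth/token grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&client_secret=s3cr3t")
    logger.debug('200 {"access_token":"ya29.a0AfH6SMB","token_type":"Bearer","expires_in":3599}')
    logger.debug("Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc")
    logger.debug("client: #{client.inspect}")
    io.string
  end
end

puts SanitizerIllustration.demo_output if $PROGRAM_NAME == __FILE__
```

Two points worth noting about this shape: the label is looked up through the provider on every redaction rather than captured once, so changing the configured label takes effect without rebuilding the logger, and a regex-based filter only catches the serializations it knows about, so it is a last line of defence behind filtering the request and response hashes at the point where they are built.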
OAuth2::FilteredAttributes was extracted from this gem and turned into a standalone package, so it can be shared / reused by other auth-related packages that need the same filtering.
At minimum it will now be used to protect: