Merge pull request #568 from levenleven/redact-token

dblock · web-flow · commit cec95a5399ed · 2025-07-26T07:52:50.000-04:00
Redact Authorization header in response stored in the error
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,7 @@
 ### 2.7.1 (Next)
 
+* [#568](https://github.com/slack-ruby/slack-ruby-client/pull/568): Redact Authorization header in response stored in the error - [@levenleven](https://github.com/levenleven).
+
 * Your contribution here.
 
 ### 2.7.0 (2025/07/20)
diff --git a/lib/slack/web/faraday/response/raise_error.rb b/lib/slack/web/faraday/response/raise_error.rb
@@ -5,7 +5,7 @@ module Faraday
       module Response
         class RaiseError < ::Faraday::Middleware
           def on_complete(env)
-            raise Slack::Web::Api::Errors::TooManyRequestsError, env.response if env.status == 429
+            raise Slack::Web::Api::Errors::TooManyRequestsError, redact_response(env.response) if env.status == 429
 
             return unless env.success?
 
@@ -16,7 +16,25 @@ def on_complete(env)
             error_message = body['error'] || body['errors'].map { |message| message['error'] }.join(',')
             error_class = Slack::Web::Api::Errors::ERROR_CLASSES[error_message]
             error_class ||= Slack::Web::Api::Errors::SlackError
-            raise error_class.new(error_message, env.response)
+            raise error_class.new(error_message, redact_response(env.response))
+          end
+
+          private
+
+          def redact_response(response)
+            return response unless response&.env
+
+            redacted_env = response.env.dup
+
+            # redact Authorization header if it exists
+            if redacted_env[:request_headers]&.key?('Authorization')
+              redacted_env[:request_headers] = redacted_env[:request_headers].dup
+              redacted_env[:request_headers]['Authorization'] = '[REDACTED]'
+            end
+
+            redacted_response = ::Faraday::Response.new(redacted_env)
+            redacted_response.env[:response] = redacted_response
+            redacted_response
           end
         end
       end
diff --git a/spec/slack/web/faraday/response/raise_error_spec.rb b/spec/slack/web/faraday/response/raise_error_spec.rb
@@ -13,13 +13,40 @@
   describe '#on_complete' do
     context 'with status of 429' do
       let(:status) { 429 }
-      let(:response) { OpenStruct.new(headers: { 'retry-after' => 10 }) }
+      let(:env) do
+        env = ::Faraday::Env.from({
+                                    request_headers: {
+                                      'Authorization' => 'Bearer very-secret-token-12345'
+                                    },
+                                    response_headers: {
+                                      'retry-after' => 10
+                                    },
+                                    status: status
+                                  })
+
+        env[:response] = ::Faraday::Response.new(env)
+        env
+      end
 
       it 'raises a TooManyRequestsError' do
         expect { raise_error_obj.on_complete(env) }.to(
           raise_error(Slack::Web::Api::Errors::TooManyRequestsError)
         )
       end
+
+      it 'redacts Authorization token' do
+        error = nil
+        begin
+          raise_error_obj.on_complete(env)
+        rescue Slack::Web::Api::Errors::TooManyRequestsError => e
+          error = e
+        end
+
+        expect(error).not_to be_nil
+        expect(error.response.env[:request_headers]['Authorization']).to eq('[REDACTED]')
+        expect(error.inspect).not_to include('very-secret-token-12345')
+        expect(error.inspect).to include('[REDACTED]')
+      end
     end
 
     context 'with an ok payload in the body' do
@@ -82,5 +109,52 @@
         )
       end
     end
+
+    context 'with SLACK_API_TOKEN in the request headers' do
+      let(:body) do
+        {
+          'ok' => false,
+          'error' => 'test_error'
+        }
+      end
+      let(:env) do
+        env = ::Faraday::Env.from({
+                                    response_body: body,
+                                    request_headers: {
+                                      'Authorization' => 'Bearer very-secret-token-12345',
+                                      'User-Agent' => 'Test Client'
+                                    },
+                                    status: status
+                                  })
+
+        env[:response] = ::Faraday::Response.new(env)
+        env
+      end
+
+      it 'redacts the Authorization header in the raised error' do
+        error = nil
+        begin
+          raise_error_obj.on_complete(env)
+        rescue Slack::Web::Api::Errors::SlackError => e
+          error = e
+        end
+
+        expect(error).not_to be_nil
+        expect(error.response.env[:request_headers]['Authorization']).to eq('[REDACTED]')
+        expect(error.inspect).not_to include('very-secret-token-12345')
+        expect(error.inspect).to include('[REDACTED]')
+      end
+
+      it 'preserves other headers' do
+        error = nil
+        begin
+          raise_error_obj.on_complete(env)
+        rescue Slack::Web::Api::Errors::SlackError => e
+          error = e
+        end
+
+        expect(error.response.env[:request_headers]['User-Agent']).to eq('Test Client')
+      end
+    end
   end
 end
