#16 - Obfuscate Authorization header and suppress logging payloads for AuthToken request and via request.suppressLogging()

Author: rbygrave

client/src/main/java/io/avaje/http/client/DHttpClientContext.java

@@ -13,6 +13,12 @@
 
 class DHttpClientContext implements HttpClientContext {
 
+  /**
+   * HTTP Authorization header.
+   */
+  static final String AUTHORIZATION = "Authorization";
+  private static final String BEARER = "Bearer ";
+
   private final HttpClient httpClient;
   private final String baseUrl;
   private final Duration requestTimeout;
@@ -172,7 +178,7 @@ void afterResponse(DHttpClientRequest request) {
 
   void beforeRequest(DHttpClientRequest request) {
     if (withAuthToken && !request.isSkipAuthToken()) {
-      request.header("Authorization", "Bearer " + authToken());
+      request.header(AUTHORIZATION, BEARER + authToken());
     }
     if (requestIntercept != null) {
       requestIntercept.beforeRequest(request);

client/src/main/java/io/avaje/http/client/DHttpClientRequest.java

@@ -48,6 +48,7 @@ class DHttpClientRequest implements HttpClientRequest, HttpClientResponse {
   private BodyContent encodedResponseBody;
   private boolean loggableResponseBody;
   private boolean skipAuthToken;
+  private boolean suppressLogging;
 
   DHttpClientRequest(DHttpClientContext context, Duration requestTimeout) {
     this.context = context;
@@ -58,6 +59,13 @@ class DHttpClientRequest implements HttpClientRequest, HttpClientResponse {
   @Override
   public HttpClientRequest skipAuthToken() {
     this.skipAuthToken = true;
+    this.suppressLogging = true;
+    return this;
+  }
+
+  @Override
+  public HttpClientRequest suppressLogging() {
+    this.suppressLogging = true;
     return this;
   }
 
@@ -471,6 +479,9 @@ public HttpRequest request() {
 
     @Override
     public String requestBody() {
+      if (suppressLogging) {
+        return "<suppressed request body>";
+      }
       if (encodedRequestBody != null) {
         return new String(encodedRequestBody.content(), StandardCharsets.UTF_8);
       } else if (bodyFormEncoded) {
@@ -485,6 +496,9 @@ public String requestBody() {
 
     @Override
     public String responseBody() {
+      if (suppressLogging) {
+        return "<suppressed response body>";
+      }
       if (encodedResponseBody != null) {
         return new String(encodedResponseBody.content(), StandardCharsets.UTF_8);
       } else if (httpResponse != null && loggableResponseBody) {

client/src/main/java/io/avaje/http/client/HttpClientRequest.java

@@ -34,6 +34,14 @@ public interface HttpClientRequest {
    */
   HttpClientRequest skipAuthToken();
 
+  /**
+   * For this request suppress payload logging.
+   * <p>
+   * The payload contains sensitive content and the request and response content
+   * should be suppressed and not included in request logging.
+   */
+  HttpClientRequest suppressLogging();
+
   /**
    * Set the request timeout to use for this request. When not set the default
    * request timeout will be used.

client/src/main/java/io/avaje/http/client/RequestListener.java

@@ -50,7 +50,6 @@ interface Event {
      * This will return null if the response is not String or byte array
      * encoded string content. For example, when requests use response
      * handlers for InputStream, Path, Stream etc this will return null.
-     * <p>
      */
     String responseBody();
 

client/src/main/java/io/avaje/http/client/RequestLogger.java

@@ -61,8 +61,17 @@ private void headers(StringBuilder sb, String label, HttpHeaders headers) {
     if (!entries.isEmpty()) {
       sb.append(delimiter).append(label);
       for (Map.Entry<String, List<String>> entry : entries) {
-        sb.append(entry.getKey()).append("=").append(entry.getValue()).append(", ");
+        final String key = entry.getKey();
+        if (obfuscate(key)) {
+          sb.append(key).append("=<obfuscated>, ");
+        } else {
+          sb.append(key).append("=").append(entry.getValue()).append(", ");
+        }
       }
     }
   }
+
+  boolean obfuscate(String key) {
+    return DHttpClientContext.AUTHORIZATION.equals(key);
+  }
 }

client/src/test/java/io/avaje/http/client/DHttpClientRequestTest.java

@@ -0,0 +1,35 @@
+package io.avaje.http.client;
+
+import org.junit.jupiter.api.Test;
+
+import java.time.Duration;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+
+class DHttpClientRequestTest {
+
+  @Test
+  void suppressLogging_listenerEvent_expect_suppressedPayloadContent() {
+
+    final DHttpClientRequest request = new DHttpClientRequest(mock(DHttpClientContext.class), Duration.ZERO);
+
+    request.suppressLogging();
+    final RequestListener.Event event = request.listenerEvent();
+
+    assertThat(event.requestBody()).isEqualTo("<suppressed request body>");
+    assertThat(event.responseBody()).isEqualTo("<suppressed response body>");
+  }
+
+  @Test
+  void skipAuthToken_listenerEvent_expect_suppressedPayloadContent() {
+
+    final DHttpClientRequest request = new DHttpClientRequest(mock(DHttpClientContext.class), Duration.ZERO);
+
+    request.skipAuthToken();
+    final RequestListener.Event event = request.listenerEvent();
+
+    assertThat(event.requestBody()).isEqualTo("<suppressed request body>");
+    assertThat(event.responseBody()).isEqualTo("<suppressed response body>");
+  }
+}

client/src/test/java/io/avaje/http/client/RequestLoggerTest.java

@@ -0,0 +1,16 @@
+package io.avaje.http.client;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+class RequestLoggerTest {
+
+  private final RequestLogger requestLogger = new RequestLogger();
+
+  @Test
+  void obfuscate() {
+    assertTrue(requestLogger.obfuscate("Authorization"));
+    assertFalse(requestLogger.obfuscate("Foo"));
+  }
+}