fix: redact the Authorization HTTP header from log (#372)

bednar · web-flow · commit b81b7ec1133d · 2022-07-14T13:41:34.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,7 +10,10 @@
    * Add TruncateTimeColumnFlux [FluxDSL]
    * Add ArrayFromFlux [FluxDSL]
    * Add UnionFlux [FluxDSL]
- 
+
+### Bug Fixes
+1. [#372](https://github.com/influxdata/influxdb-client-java/pull/372): Redact the `Authorization` HTTP header from log
+
 ## 6.3.0 [2022-06-30]
 
 ### Features
diff --git a/client/src/main/java/com/influxdb/client/internal/AbstractInfluxDBClient.java b/client/src/main/java/com/influxdb/client/internal/AbstractInfluxDBClient.java
@@ -89,6 +89,7 @@ public AbstractInfluxDBClient(@Nonnull final InfluxDBClientOptions options,
 
         this.options = options;
         this.loggingInterceptor = new HttpLoggingInterceptor();
+        this.loggingInterceptor.redactHeader("Authorization");
         setLogLevel(loggingInterceptor, options.getLogLevel());
         this.authenticateInterceptor = new AuthenticateInterceptor(options);
         this.gzipInterceptor = new GzipInterceptor();
@@ -103,8 +104,8 @@ public AbstractInfluxDBClient(@Nonnull final InfluxDBClientOptions options,
                 //
                 //.retryOnConnectionFailure(false)
                 .addInterceptor(new UserAgentInterceptor(customClientType))
-                .addInterceptor(this.loggingInterceptor)
                 .addInterceptor(this.authenticateInterceptor)
+                .addInterceptor(this.loggingInterceptor)
                 .addInterceptor(this.gzipInterceptor)
                 .build();
 
diff --git a/client/src/test/java/com/influxdb/client/InfluxDBClientTest.java b/client/src/test/java/com/influxdb/client/InfluxDBClientTest.java
@@ -24,7 +24,11 @@
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.Proxy;
+import java.util.List;
 import java.util.Objects;
+import java.util.logging.Level;
+import java.util.logging.LogRecord;
+import java.util.logging.Logger;
 import javax.annotation.Nonnull;
 
 import com.influxdb.LogLevel;
@@ -440,6 +444,34 @@ public void customClientType() throws InterruptedException {
         }
     }
 
+    @Test
+    public void redactedAuthorizationHeader() {
+
+        mockServer.enqueue(new MockResponse());
+
+        MockLogHandler handler = new MockLogHandler();
+
+        final Logger logger = Logger.getLogger("okhttp3.OkHttpClient");
+        logger.addHandler(handler);
+
+        try (InfluxDBClient client = InfluxDBClientFactory.create(mockServer.url("/").toString(), "my-token".toCharArray())) {
+            client.setLogLevel(LogLevel.HEADERS);
+            client
+                    .getWriteApiBlocking()
+                    .writeRecord("my-bucket", "my-org", WritePrecision.NS, "m2m,tag=a field=1");
+        }
+
+        List<LogRecord> records = handler.getRecords(Level.INFO);
+
+        LogRecord authorizationLog = records
+                .stream()
+                .filter(it -> it.getMessage().startsWith("Authorization: "))
+                .findFirst()
+                .get();
+
+        Assertions.assertThat(authorizationLog.getMessage()).isEqualTo("Authorization: ██");
+    }
+
     private void queryAndTest(final String expected) throws InterruptedException {
         RecordedRequest request = takeRequest();
         Assertions.assertThat(request).isNotNull();
