Sanitize "api_key" from verbose log #3558

Merged
merged 3 commits into from
Apr 4, 2024

theodoretan
Member

WHY are these changes introduced?

Fixes #3518

The api_key is visible in the verbose log on shopify app config link. While this isn't critical as this is on the developer's machine, these logs are required when opening a bug ticket.

WHAT is this pull request doing?

Replaces the api_key with **** for the logs output.

How to test your changes?

Post-release steps

Measuring impact

How do we know this change was effective? Please choose one:

  • n/a - this doesn't need measurement, e.g. a linting rule or a bug-fix
  • Existing analytics will cater for this addition
  • PR includes analytics changes to measure impact

Checklist

  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've considered possible documentation changes
  • I've made sure that any changes to dev or deploy have been reflected in the internal flowchart.
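
An added sketch of masking a payload before it reaches a debug log, as the description above outlines. It is not the Shopify CLI's own `sanitizePayload`, whose body this page does not show. The names `redactForLog` and `SECRET_KEYS`, the list of key names, and the sample event are assumptions. It goes beyond masking one field: the key's value is also scrubbed from other strings in the same payload.

```typescript
// Added illustration; all names here are hypothetical, not the Shopify CLI's code.
type Json = string | number | boolean | null | Json[] | {[key: string]: Json}

const MASK = '****'
// Assumed list of key names whose values must never reach a log.
const SECRET_KEYS = ['api_key', 'api_secret', 'access_token']

function isObject(value: Json): value is {[key: string]: Json} {
  return typeof value === 'object' && value !== null && !Array.isArray(value)
}

function isSecretKey(key: string): boolean {
  return SECRET_KEYS.indexOf(key.toLowerCase()) !== -1
}

// Pass 1: collect every string stored under a secret key name, at any depth.
function collectSecrets(value: Json, found: string[] = []): string[] {
  if (Array.isArray(value)) {
    for (const item of value) collectSecrets(item, found)
  } else if (isObject(value)) {
    for (const key of Object.keys(value)) {
      const child = value[key]
      if (isSecretKey(key) && typeof child === 'string' && child.length > 0) found.push(child)
      else collectSecrets(child, found)
    }
  }
  return found
}

// Pass 2: build a redacted deep copy; the input object is never mutated.
function redactForLog(payload: Json): Json {
  const secrets = collectSecrets(payload)
  // Scrub collected secret values out of other strings too (free-text fields, URLs).
  const scrub = (text: string): string => secrets.reduce((acc, s) => acc.split(s).join(MASK), text)
  const walk = (value: Json, key?: string): Json => {
    if (key !== undefined && isSecretKey(key)) return MASK
    if (typeof value === 'string') return scrub(value)
    if (Array.isArray(value)) return value.map((item) => walk(item))
    if (!isObject(value)) return value
    const copy: {[key: string]: Json} = {}
    for (const k of Object.keys(value)) copy[k] = walk(value[k], k)
    return copy
  }
  return walk(payload)
}

// Constructed sample event; the key value is made up.
const sampleEvent: Json = {payload: {api_key: 'abc123def456', note: 'linked app abc123def456', ok: true}}
console.log(JSON.stringify(redactForLog(sampleEvent)))
```

Because the function returns a copy, the unredacted payload can still be sent in the request body while only the masked copy is logged.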

Contributor

Thanks for your contribution!

Depending on what you are working on, you may want to request a review from a Shopify team:

  • Themes: @shopify/advanced-edits
  • UI extensions: @shopify/ui-extensions-cli
    • Checkout UI extensions: @shopify/checkout-ui-extensions-api-stewardship
  • Hydrogen: @shopify/hydrogen
  • Other: @shopify/cli-foundations

Contributor

github-actions bot commented Mar 13, 2024

Coverage report

| St. | Category | Percentage | Covered / Total |
|---|---|---|---|
| 🟡 | Statements | 72.01% (-0.12% 🔻) | 6751/9375 |
| 🟡 | Branches | 69.23% (+0.06% 🔼) | 3294/4758 |
| 🟡 | Functions | 70.69% (-0.29% 🔻) | 1799/2545 |
| 🟡 | Lines | 73.16% (-0.12% 🔻) | 6366/8701 |

Files with reduced coverage 🔻

| St. | File | Statements | Branches | Functions | Lines |
|---|---|---|---|---|---|
| 🟢 | ... / app.ts | 84.4% (-0.55% 🔻) | 70.69% (-1.44% 🔻) | 86.84% | 86.02% (-0.44% 🔻) |
| 🟢 | ... / loader.ts | 93.13% (+0.14% 🔼) | 86.81% (-0.02% 🔻) | 95.12% (+0.39% 🔼) | 94.1% (+0.35% 🔼) |
| 🟡 | ... / dev.ts | 77.5% (+0.76% 🔼) | 55.56% | 80% (-1.25% 🔻) | 73.53% (+1.31% 🔼) |
| 🟡 | ... / select-app.ts | 60.71% (-7.14% 🔻) | 50% (-16.67% 🔻) | 77.78% (-9.72% 🔻) | 65.22% (-4.35% 🔻) |
| 🟢 | ... / tcp.ts | 92.86% (-7.14% 🔻) | 100% | 75% (-25% 🔻) | 92.31% (-7.69% 🔻) |

Test suite run success

1616 tests passing in 754 suites.

Report generated by 🧪jest coverage report action from dfa068f

@ryancbahan ryancbahan marked this pull request as ready for review March 15, 2024 14:49
Contributor

We detected some changes at either packages/*/src or packages/cli-kit/assets/cli-ruby/** and there are no updates in the .changeset.
If the changes are user-facing, run "pnpm changeset add" to track your changes and include them in the next release CHANGELOG.

@ryancbahan
Contributor

@theodoretan I looked into analytics and it looks like the key is already sanitized to SHOPIFY_API_KEY there, so this should be good.

Contributor

@MitchDickinson MitchDickinson left a comment

LGTM. You might want a 2nd review since I am new and don't know these codebases/systems well. But this seems clear and simple!

@@ -198,7 +198,7 @@ export async function publishMonorailEvent<TSchemaId extends keyof Schemas, TPay
const response = await fetch(url, {method: 'POST', body, headers})

if (response.status === 200) {
outputDebug(outputContent`Analytics event sent: ${outputToken.json(payload)}`)
outputDebug(outputContent`Analytics event sent: ${outputToken.json(sanitizePayload(payload))}`)
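
Review bot: the redaction at the outputDebug call inside `if (response.status === 200)` covers only this success-path log line, and the hunk shows neither the body of sanitizePayload nor a test for it. Please confirm that sanitizePayload returns a redacted copy and does not mutate `payload`, that it masks the key wherever it occurs in the payload and not only under a single top-level field, and that any logging on the non-200 path (not visible in this hunk) goes through the same helper. A unit test asserting that the debug output for a payload containing an api_key no longer includes the raw value would guard against regressions.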
Contributor

is this the only place where we were printing the api_key?

Member Author

Yes I believe it is

Development

Successfully merging this pull request may close these issues.

[Bug]: Verbose log contains api key when running shopify app config link
5 participants