
Mask API tokens in request logs#1

Merged
tayyebi merged 2 commits into main from copilot/mask-api-token-in-logs on Jan 5, 2026

Conversation

Contributor

Copilot AI commented Jan 5, 2026

API tokens were logged in plain text in curl-style request logs, exposing sensitive credentials.

Changes

  • Token masking in src/api/client.rs: Mask tokens before logging while preserving full token for actual HTTP requests
    • Tokens >8 chars: show first 8 characters + ... (e.g., secret_t...)
    • Tokens ≤8 chars: show ****

Example

Before:

Request:
curl -X GET 'https://api.example.com/v1/endpoint' -H 'API-Token: secret_token_12345678'

After:

Request:
curl -X GET 'https://api.example.com/v1/endpoint' -H 'API-Token: secret_t...'

The actual API-Token header sent in HTTP requests remains unchanged.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.example.com

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Problem

The API token is currently being logged in plain text in the Request logs within src/api/client.rs. This poses a security risk as sensitive credentials should never be exposed in logs.

Current Behavior

In src/api/client.rs at lines 45-49, the API token is logged without masking:

if !api_token.is_empty() {
    parts.push(format!("{} {}", 
        Paint::new("-H").fg(yansi::Color::Magenta), 
        Paint::new(format!("'API-Token: {}'", api_token)).fg(yansi::Color::Magenta)
    ));
}

This results in Request logs that expose the full API token value:

Request:
curl -X GET 'https://api.example.com/v1/endpoint' -H 'API-Token: secret_token_12345678'

Expected Behavior

The API token should be masked in the logs to protect sensitive credentials. Only a partial prefix (first 8 characters) or asterisks should be shown.

Expected log output:

Request:
curl -X GET 'https://api.example.com/v1/endpoint' -H 'API-Token: secret_t...'

Solution

Modify the logging logic in src/api/client.rs to mask the API token value before adding it to the log output:

if !api_token.is_empty() {
    let masked_token = if api_token.len() > 8 {
        format!("{}...", &api_token[..8])
    } else {
        "****".to_string()
    };
    parts.push(format!("{} {}", 
        Paint::new("-H").fg(yansi::Color::Magenta), 
        Paint::new(format!("'API-Token: {}'", masked_token)).fg(yansi::Color::Magenta)
    ));
}

This approach:

  • Shows the first 8 characters followed by "..." for tokens longer than 8 characters
  • Shows "****" for tokens 8 characters or shorter
  • Maintains the actual API token for the HTTP request (masking only affects the log output)

Files to Modify

  • src/api/client.rs - Update the API token logging logic in the api_call function

This pull request was created from Copilot chat.



Co-authored-by: tayyebi <14053493+tayyebi@users.noreply.github.com>
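An added example, not code from this PR or the project, that implements the masking rule described above as a stand-alone function and shows that only the log line sees the masked value while the header value sent stays intact; mask_token, log_line and auth_header are hypothetical names, and the token is a constructed sample. It counts characters rather than bytes, so a token containing multi-byte UTF-8 cannot panic the logger the way a byte slice `&api_token[..8]` would:

```rust
// Added example (not the project's code): the masking rule from the PR description,
// implemented on char boundaries, plus the split between what is logged and what is sent.

/// Mask an API token for log output: first 8 characters + "..." when the token is
/// longer than 8 characters, "****" otherwise. Counts chars, not bytes, so the prefix
/// can never be cut inside a multi-byte UTF-8 sequence (which would panic with `&s[..8]`).
pub fn mask_token(token: &str) -> String {
    const VISIBLE: usize = 8;
    if token.chars().count() > VISIBLE {
        let prefix: String = token.chars().take(VISIBLE).collect();
        format!("{}...", prefix)
    } else {
        "****".to_string()
    }
}

/// Build the curl-style request log line. The masked token goes here and nowhere else.
pub fn log_line(method: &str, url: &str, api_token: &str) -> String {
    let mut parts = vec![format!("curl -X {} '{}'", method, url)];
    if !api_token.is_empty() {
        parts.push(format!("-H 'API-Token: {}'", mask_token(api_token)));
    }
    parts.join(" ")
}

/// The header actually attached to the HTTP request: always the full token.
pub fn auth_header(api_token: &str) -> Option<(&'static str, String)> {
    if api_token.is_empty() {
        None
    } else {
        Some(("API-Token", api_token.to_string()))
    }
}

fn main() {
    // Constructed sample token, not a real credential.
    let token = "secret_token_12345678";
    println!("{}", log_line("GET", "https://api.example.com/v1/endpoint", token));
    println!("{:?}", auth_header(token));
}
```

Note that a fixed 8-character prefix reveals most of a 9- or 10-character token; the "****" branch only protects tokens of 8 characters or fewer, so the visible prefix length should be chosen against the shortest token the API actually issues.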
Copilot AI changed the title from "[WIP] Mask API token in request logs for security" to "Mask API tokens in request logs" on Jan 5, 2026
Copilot AI requested a review from tayyebi January 5, 2026 14:51
@tayyebi tayyebi marked this pull request as ready for review January 5, 2026 14:53
@tayyebi tayyebi merged commit b08b7f2 into main Jan 5, 2026
@tayyebi tayyebi deleted the copilot/mask-api-token-in-logs branch January 7, 2026 15:01