Merge branch 'filter-attributes-with-sensitive-information' into 'main'

Do not include sensitive information in the `#inspect`

See merge request oauth-xx/oauth2!641

Author: pboling

lib/oauth2.rb

@@ -10,6 +10,7 @@
 
 # includes gem files
 require 'oauth2/version'
+require 'oauth2/filtered_attributes'
 require 'oauth2/error'
 require 'oauth2/authenticator'
 require 'oauth2/client'

lib/oauth2/access_token.rb

@@ -6,8 +6,11 @@ class AccessToken # rubocop:disable Metrics/ClassLength
     TOKEN_KEYS_SYM = %i[access_token id_token token accessToken idToken].freeze
     TOKEN_KEY_LOOKUP = TOKEN_KEYS_STR + TOKEN_KEYS_SYM
 
+    include FilteredAttributes
+
     attr_reader :client, :token, :expires_in, :expires_at, :expires_latency, :params
     attr_accessor :options, :refresh_token, :response
+    filtered_attributes :token, :refresh_token
 
     class << self
       # Initializes an AccessToken from a Hash

lib/oauth2/authenticator.rb

@@ -4,7 +4,10 @@
 
 module OAuth2
   class Authenticator
+    include FilteredAttributes
+
     attr_reader :mode, :id, :secret
+    filtered_attributes :secret
 
     def initialize(id, secret, mode)
       @id = id

lib/oauth2/client.rb

@@ -16,9 +16,12 @@ module OAuth2
   class Client # rubocop:disable Metrics/ClassLength
     RESERVED_PARAM_KEYS = %w[body headers params parse snaky].freeze
 
+    include FilteredAttributes
+
     attr_reader :id, :secret, :site
     attr_accessor :options
     attr_writer :connection
+    filtered_attributes :secret
 
     # Instantiate a new OAuth 2.0 client using the
     # Client ID and Client Secret registered to your

lib/oauth2/filtered_attributes.rb

@@ -0,0 +1,31 @@
+module OAuth2
+  module FilteredAttributes
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    module ClassMethods
+      def filtered_attributes(*attributes)
+        @filtered_attribute_names = attributes.map(&:to_sym)
+      end
+
+      def filtered_attribute_names
+        @filtered_attribute_names || []
+      end
+    end
+
+    def inspect
+      filtered_attribute_names = self.class.filtered_attribute_names
+      return super if filtered_attribute_names.empty?
+
+      inspected_vars = instance_variables.map do |var|
+        if filtered_attribute_names.any? { |filtered_var| var.to_s.include?(filtered_var.to_s) }
+          "#{var}=[FILTERED]"
+        else
+          "#{var}=#{instance_variable_get(var).inspect}"
+        end
+      end
+      "#<#{self.class}:#{object_id} #{inspected_vars.join(', ')}>"
+    end
+  end
+end

spec/oauth2/access_token_spec.rb

@@ -741,4 +741,16 @@ def self.contains_token?(hash)
       expect(access_token.to_hash).to eq(hash)
     end
   end
+
+  describe '#inspect' do
+    let(:inspect_result) { described_class.new(nil, 'secret-token', { refresh_token: 'secret-refresh-token' }).inspect }
+
+    it 'filters out the @token value' do
+      expect(inspect_result).to include('@token=[FILTERED]')
+    end
+
+    it 'filters out the @refresh_token value' do
+      expect(inspect_result).to include('@refresh_token=[FILTERED]')
+    end
+  end
 end

spec/oauth2/authenticator_spec.rb

@@ -123,4 +123,10 @@
       end
     end
   end
+
+  describe '#inspect' do
+    it 'filters out the @secret value' do
+      expect(subject.inspect).to include('@secret=[FILTERED]')
+    end
+  end
 end

spec/oauth2/client_spec.rb

@@ -967,4 +967,10 @@ def stubbed_client(params = {}, &stubs)
       expect(subject.connection.builder.handlers).to include(Faraday::Request::UrlEncoded)
     end
   end
+
+  describe '#inspect' do
+    it 'filters out the @secret value' do
+      expect(subject.inspect).to include('@secret=[FILTERED]')
+    end
+  end
 end