Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Redact sensitive fields when logging external API requests #3004

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nyomanjyotisa merged 3 commits into from
Jan 21, 2026
Merged

Redact sensitive fields when logging external API requests #3004

nyomanjyotisa merged 3 commits into from
Jan 21, 2026

Conversation

@nyomanjyotisa
Copy link
Member

@nyomanjyotisa nyomanjyotisa commented Jan 21, 2026
edited
Loading

Issue: https://github.com/antiwork/gumroad-private/issues/52
Private repo PR: https://github.com/antiwork/gumroad-private/pull/78

Ref

Description

Problem

Several code paths log external service payloads directly at info level.
These logs may include sensitive credentials such as:

  • PayPal bearer tokens and auth assertions
  • PayPal IPN verification signatures
  • Stripe OAuth tokens and publishable keys

Logging these values in plaintext poses a security risk.

Solution

Introduce a centralized log redaction utility that safely sanitizes sensitive fields before logging

Before/After

Paypal rest API

Before

Making Paypal request:: #<OpenStruct path="/v2/payments/captures/3R951669WT495394B/refund", verb="POST", headers={"Accept" => "application/json", "Accept-Language" => "en_US", "Authorization" => "Bearer A21AAI9v6NTs3Y42Ufo-5Q-cskFZtTLkOodRO1uJQvdaWnsbiCt078vvzYnSy5X1gLFwGZIyhtT6D_EUZyyyp_YjB9CudeK7w", "Content-Type" => "application/json", "PayPal-Partner-Attribution-Id" => "Gumroad_SP_PCPP", "PayPal-Request-Id" => "refund-3R951669WT495394B-2.0-17688981787207448", "Prefer" => "return=representation", "Paypal-Auth-Assertion" => "eyJhbGciOiJub25lIn0=.eyJwYXllcl9pZCI6IjAwMDAwMDAxNCIsImlzcyI6InRlc3QtcGF5cGFsLXBhcnRuZXItY2xpZW50LWlkIn0=."}, body={amount: {currency_code: "USD", value: 0.2e1}}>

After (Authorization and Paypal-Auth-Assertion filtered)

Making Paypal request:: {path: "/v2/payments/captures/3R951669WT495394B/refund", verb: "POST", headers: {"Accept" => "application/json", "Accept-Language" => "en_US", "Authorization" => "[FILTERED]", "Content-Type" => "application/json", "PayPal-Partner-Attribution-Id" => "Gumroad_SP_PCPP", "PayPal-Request-Id" => "refund-3R951669WT495394B-2.0-1768914671032522", "Prefer" => "return=representation", "Paypal-Auth-Assertion" => "[FILTERED]"}, body: {amount: {currency_code: "USD", value: 0.2e1}}}

Paypal payouts

Before

Paypal payouts: received IPN {"txn_type" => "masspay", "payment_gross_1" => "10.00", "payment_date" => "17:19:05 Jun 24, 2015 PDT", "last_name" => "Lavingia", "mc_fee_1" => "0.20", "masspay_txn_id_1" => "8G377690596809442", "receiver_email_1" => "[email protected]", "residence_country" => "US", "verify_sign" => "Ae-XDUZhrxwaCSsmGO9JpO33K7P1AozUnt1w.tzHJKWOWYlez5cVvscv", "payer_status" => "verified", "test_ipn" => "1", "payer_email" => "[email protected]", "first_name" => "Sahil", "payment_fee_1" => "0.20", "payer_id" => "3FBN6YS9YFTV6", "payer_business_name" => "Sahil Lavingia's Test Store", "payment_status" => "Processed", "status_1" => "Completed", "mc_gross_1" => "10.00", "charset" => "windows-1252", "notify_version" => "3.8", "mc_currency_1" => "USD", "unique_id_1" => "38", "ipn_track_id" => "29339dfb40e24"}

After (verify_sign filtered)

Paypal payouts: received IPN {"txn_type":"masspay","payment_gross_1":"10.00","payment_date":"17:19:05 Jun 24, 2015 PDT","last_name":"Lavingia","mc_fee_1":"0.20","masspay_txn_id_1":"8G377690596809442","receiver_email_1":"[email protected]","residence_country":"US","verify_sign":"[FILTERED]","payer_status":"verified","test_ipn":"1","payer_email":"[email protected]","first_name":"Sahil","payment_fee_1":"0.20","payer_id":"3FBN6YS9YFTV6","payer_business_name":"Sahil Lavingia's Test Store","payment_status":"Processed","status_1":"Completed","mc_gross_1":"10.00","charset":"windows-1252","notify_version":"3.8","mc_currency_1":"USD","unique_id_1":"38","ipn_track_id":"29339dfb40e24"}

Stripe Connect

Before

Stripe Connect referer: /settings/payments, parameters: #<OmniAuth::AuthHash credentials=#<OmniAuth::AuthHash token="tok"> extra=#<OmniAuth::AuthHash extra_info=#<OmniAuth::AuthHash country="SG"> raw_info=#<OmniAuth::AuthHash country="SG">> info=#<OmniAuth::AuthHash::InfoHash email="[email protected]" stripe_publishable_key="pk_key"> uid="acct_1SOk0BEsYunTuUHD">

After (token and stripe_publishable_key filtered)

Stripe Connect referer: /settings/payments, parameters: {"uid":"acct_1SOk0BEsYunTuUHD","credentials":{"token":"[FILTERED]"},"info":{"email":"[email protected]","stripe_publishable_key":"[FILTERED]"},"extra":{"extra_info":{"country":"SG"},"raw_info":{"country":"SG"}}}

AI Disclosure

Cursor - Claude Sonnet 4.5 for code generation, self reviewed by me

@nyomanjyotisa nyomanjyotisa merged commit 23daeef into main Jan 21, 2026
72 checks passed
@nyomanjyotisa nyomanjyotisa deleted the log-redactor branch January 21, 2026 04:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nyomanjyotisa