
[CRED-2625] Redact Authorization (Bearer) header in debug logRequest#4168

Draft
luczhou wants to merge 1 commit into master from lucinda.zhou/CRED-2625/redact-authorization-header

Conversation


@luczhou luczhou commented May 15, 2026

Description

isomorphic-fetch.ts's logRequest method (packages/datadog-api-client-common/http/isomorphic-fetch.ts:168-200) masks DD-API-KEY and DD-APPLICATION-KEY values with xs before logging the captured request, but the Authorization header (Bearer tokens — delegated tokens, PATs) falls through and gets logged verbatim. Any caller running with debug = true and access-token auth leaks the bearer to the global logger.

Surfaced cross-language by terraform-provider-datadog#3757, which is the first Terraform code path to use PAT (Bearer) auth via the Go SDK. The same gap exists here in TS.

Tracking ticket: CRED-2625.

Changes

  • packages/datadog-api-client-common/http/isomorphic-fetch.ts: add a third allowlist entry that masks the Authorization header value with xs, matching the existing api/app-key handling shape.
  • tests/api/log-redaction.test.ts: new test logRequest masks Authorization Bearer token — drives logRequest directly with all three credentials set on the request context and asserts none of the original credential values appear in the captured logger.debug output, and that each is replaced by an x-string of the same length.

Cross-language

Related work tracked under CRED-2625:

  • datadog-api-client-go PR #4098 — same fix shape (redact ContextAccessToken in CallAPI debug dump).
  • datadog-api-client-ruby PR (forthcoming) — same fix shape (add Authorization to sanitize_request_header's keys_to_redact).
  • datadog-api-client-java GH issue (forthcoming) — wider gap. Jersey LoggingFeature.PAYLOAD_ANY has no header redaction at all, so api/app keys and bearer leak there.
  • datadog-api-client-python — no equivalent gap (no request-header logging in rest.j2).

Testing

  • yarn jest-test --testPathPattern=log-redaction passes
  • yarn jest-test full suite (run by CI)

🤖 Generated with Claude Code

isomorphic-fetch.ts's logRequest method masks DD-API-KEY and
DD-APPLICATION-KEY values before logging the captured request, but the
Authorization header (Bearer tokens — delegated tokens, PATs) falls
through and gets logged verbatim. Any caller running with debug=true
and access-token auth leaks the bearer to the global logger.

Surfaced cross-language by terraform-provider-datadog#3757, which is
the first Terraform code path to use PAT (Bearer) auth via the Go SDK.
Verified the same gap exists here in TS.

Add a third allowlist entry that masks the Authorization header value
with `x`s, matching the existing api/app key handling. Test exercises
logRequest directly with all three credentials set and asserts none of
the original values appear in the captured log output.

Refs: CRED-2625, terraform-provider-datadog#3757

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
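The redaction described in the PR (mask the DD-API-KEY, DD-APPLICATION-KEY and Authorization header values with an x-string of the same length before the request is handed to the debug logger), written out as a stand-alone example. This is added illustration, not the SDK's own logRequest code; the three header names come from the PR, while the function names, the case-insensitive name comparison and the sample credential values are assumptions made here.

```typescript
// Added example: header redaction for a debug request log, in the shape the PR
// describes (mask DD-API-KEY, DD-APPLICATION-KEY and Authorization values with a
// run of "x" of the same length). Illustrative code, not the SDK's logRequest;
// the header names are from the PR, everything else is assumed.

type HeaderMap = Record<string, string>;

// Headers whose values must never reach the logger. Compared case-insensitively
// (assumption: callers may spell "authorization" in any case).
const SENSITIVE_HEADERS: ReadonlySet<string> = new Set([
  "dd-api-key",
  "dd-application-key",
  "authorization",
]);

// Return a *copy* of the headers with sensitive values masked. The original
// object is left untouched so the real request still carries its credentials.
function redactHeaders(headers: HeaderMap): HeaderMap {
  const redacted: HeaderMap = {};
  for (const [name, value] of Object.entries(headers)) {
    redacted[name] = SENSITIVE_HEADERS.has(name.toLowerCase())
      ? "x".repeat(value.length)
      : value;
  }
  return redacted;
}

// Build the single debug line a logger would receive for a request.
function formatRequestForLog(
  method: string,
  url: string,
  headers: HeaderMap,
  body?: string,
): string {
  const safe = redactHeaders(headers);
  const headerText = Object.entries(safe)
    .map(([name, value]) => `${name}: ${value}`)
    .join("\n");
  const bodyText = body === undefined ? "" : `\n\n${body}`;
  return `${method} ${url}\n${headerText}${bodyText}`;
}

// Mirrors the PR's test assertion: does any original credential value survive
// verbatim in the captured log output?
function leaksAnySecret(logOutput: string, secrets: readonly string[]): boolean {
  return secrets.some((secret) => secret.length > 0 && logOutput.includes(secret));
}

// Constructed sample credentials (not real keys or tokens).
const SAMPLE_API_KEY = "0123456789abcdef0123456789abcdef";
const SAMPLE_APP_KEY = "fedcba9876543210fedcba9876543210fedcba98";
const SAMPLE_BEARER = "Bearer sample-delegated-token-value";

const SAMPLE_HEADERS: HeaderMap = {
  "Content-Type": "application/json",
  "DD-API-KEY": SAMPLE_API_KEY,
  "DD-APPLICATION-KEY": SAMPLE_APP_KEY,
  Authorization: SAMPLE_BEARER,
};

// Stand-alone run: print the redacted line a debug logger would see.
console.log(
  formatRequestForLog("POST", "https://api.example.test/api/v2/logs", SAMPLE_HEADERS, "{}"),
);
```

Two points worth checking in any implementation of this shape: the masking must operate on a copy so the outgoing request is unaffected, and the Authorization value is masked whole (including the `Bearer ` prefix) so that the log line reveals only the length of the credential, matching how the api/app keys are already treated.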
