fix(logs/azure): redact sensitive header when DEBUG is set (#1218)

Author: minhanh-phan

Diff for: src/core.ts

@@ -1148,9 +1148,43 @@ function applyHeadersMut(targetHeaders: Headers, newHeaders: Headers): void {
   }
 }
 
+const SENSITIVE_HEADERS = new Set(['authorization', 'api-key']);
+
 export function debug(action: string, ...args: any[]) {
   if (typeof process !== 'undefined' && process?.env?.['DEBUG'] === 'true') {
-    console.log(`OpenAI:DEBUG:${action}`, ...args);
+    const modifiedArgs = args.map((arg) => {
+      if (!arg) {
+        return arg;
+      }
+
+      // Check for sensitive headers in request body 'headers' object
+      if (arg['headers']) {
+        // clone so we don't mutate
+        const modifiedArg = { ...arg, headers: { ...arg['headers'] } };
+
+        for (const header in arg['headers']) {
+          if (SENSITIVE_HEADERS.has(header.toLowerCase())) {
+            modifiedArg['headers'][header] = 'REDACTED';
+          }
+        }
+
+        return modifiedArg;
+      }
+
+      let modifiedArg = null;
+
+      // Check for sensitive headers in headers object
+      for (const header in arg) {
+        if (SENSITIVE_HEADERS.has(header.toLowerCase())) {
+          // avoid making a copy until we need to
+          modifiedArg ??= { ...arg };
+          modifiedArg[header] = 'REDACTED';
+        }
+      }
+
+      return modifiedArg ?? arg;
+    });
+    console.log(`OpenAI:DEBUG:${action}`, ...modifiedArgs);
   }
 }
 

Diff for: tests/index.test.ts

@@ -2,7 +2,7 @@
 
 import OpenAI from 'openai';
 import { APIUserAbortError } from 'openai';
-import { Headers } from 'openai/core';
+import { debug, Headers } from 'openai/core';
 import defaultFetch, { Response, type RequestInit, type RequestInfo } from 'node-fetch';
 
 describe('instantiate client', () => {
@@ -424,3 +424,95 @@ describe('retries', () => {
     expect(count).toEqual(3);
   });
 });
+
+describe('debug()', () => {
+  const env = process.env;
+  const spy = jest.spyOn(console, 'log');
+
+  beforeEach(() => {
+    jest.resetModules();
+    process.env = { ...env };
+    process.env['DEBUG'] = 'true';
+  });
+
+  afterEach(() => {
+    process.env = env;
+  });
+
+  test('body request object with Authorization header', function () {
+    // Test request body includes headers object with Authorization
+    const headersTest = {
+      headers: {
+        Authorization: 'fakeAuthorization',
+      },
+    };
+    debug('request', headersTest);
+    expect(spy).toHaveBeenCalledWith('OpenAI:DEBUG:request', {
+      headers: {
+        Authorization: 'REDACTED',
+      },
+    });
+  });
+
+  test('body request object with api-key header', function () {
+    // Test request body includes headers object with api-ley
+    const apiKeyTest = {
+      headers: {
+        'api-key': 'fakeKey',
+      },
+    };
+    debug('request', apiKeyTest);
+    expect(spy).toHaveBeenCalledWith('OpenAI:DEBUG:request', {
+      headers: {
+        'api-key': 'REDACTED',
+      },
+    });
+  });
+
+  test('header object with Authorization header', function () {
+    // Test headers object with authorization header
+    const authorizationTest = {
+      authorization: 'fakeValue',
+    };
+    debug('request', authorizationTest);
+    expect(spy).toHaveBeenCalledWith('OpenAI:DEBUG:request', {
+      authorization: 'REDACTED',
+    });
+  });
+
+  test('input args are not mutated', function () {
+    const authorizationTest = {
+      authorization: 'fakeValue',
+    };
+    const client = new OpenAI({
+      baseURL: 'http://localhost:5000/',
+      defaultHeaders: authorizationTest,
+      apiKey: 'api-key',
+    });
+
+    const { req } = client.buildRequest({ path: '/foo', method: 'post' });
+    debug('request', authorizationTest);
+    expect((req.headers as Headers)['authorization']).toEqual('fakeValue');
+    expect(spy).toHaveBeenCalledWith('OpenAI:DEBUG:request', {
+      authorization: 'REDACTED',
+    });
+  });
+
+  test('input headers are not mutated', function () {
+    const authorizationTest = {
+      authorization: 'fakeValue',
+    };
+    const client = new OpenAI({
+      baseURL: 'http://localhost:5000/',
+      defaultHeaders: authorizationTest,
+      apiKey: 'api-key',
+    });
+
+    const { req } = client.buildRequest({ path: '/foo', method: 'post' });
+    debug('request', { headers: req.headers });
+    expect((req.headers as Headers)['authorization']).toEqual('fakeValue');
+    expect(spy).toHaveBeenCalledWith('OpenAI:DEBUG:request', {
+      authorization: 'REDACTED',
+    });
+  });
+});