fix: hide new include-ims-annotation secrets (#83)

moritzraho · web-flow · commit 2330f0e0ed63 · 2026-02-23T20:53:11.000+01:00
* fix: hide new include-ims-annotation secrets

* fix review comments

* add a test
diff --git a/lib/common-templates/utils.js b/lib/common-templates/utils.js
@@ -24,12 +24,24 @@ governing permissions and limitations under the License.
  *
  */
 function stringParameters (params) {
-  // hide authorization token without overriding params
-  let headers = params.__ow_headers || {}
-  if (headers.authorization) {
-    headers = { ...headers, authorization: '<hidden>' }
+  // shallow copy to not override first level references
+  const paramsShallowCopy = { ...params }
+  // hide credentials from the include-ims-credentials annotation without
+  // overriding fields in __ims_oauth_s2s
+  if (params.__ims_oauth_s2s?.client_secret) {
+    paramsShallowCopy.__ims_oauth_s2s = {
+      ...params.__ims_oauth_s2s,
+      client_secret: '<hidden>'
+    }
+  }
+  // hide authorization token without overriding fields in __ow_headers
+  if (params.__ow_headers?.authorization) {
+    paramsShallowCopy.__ow_headers = {
+      ...params.__ow_headers,
+      authorization: '<hidden>'
+    }
   }
-  return JSON.stringify({ ...params, __ow_headers: headers })
+  return JSON.stringify(paramsShallowCopy)
 }
 
 /**
diff --git a/lib/common-templates/utils.test.js b/lib/common-templates/utils.test.js
@@ -55,10 +55,25 @@ describe('stringParameters', () => {
   })
   test('with auth header', () => {
     const params = {
-      a: 1, b: 2, __ow_headers: { 'x-api-key': 'fake-api-key', authorization: 'secret' }
+      a: 1, b: 2, __ow_headers: { 'x-api-key': 'fake-api-key', authorization: 'thesecret' }
     }
     expect(utils.stringParameters(params)).toEqual(expect.stringContaining('"authorization":"<hidden>"'))
-    expect(utils.stringParameters(params)).not.toEqual(expect.stringContaining('secret'))
+    expect(utils.stringParameters(params)).not.toEqual(expect.stringContaining('thesecret'))
+  })
+  test('with ims credentials', () => {
+    const params = {
+      a: 1, b: 2, __ims_oauth_s2s: { client_id: 'fake-client-id', client_secret: 'thesecret', org_id: 'fake@AdobeOrg' }
+    }
+    expect(utils.stringParameters(params)).toEqual(expect.stringContaining('"client_secret":"<hidden>"'))
+    expect(utils.stringParameters(params)).not.toEqual(expect.stringContaining('thesecret'))
+  })
+  test('with ims credentials and authorization header', () => {
+    const params = {
+      a: 1, b: 2, __ims_oauth_s2s: { client_id: 'fake-client-id', client_secret: 'thesecret', org_id: 'fake@AdobeOrg' }, __ow_headers: { authorization: 'thesecret' }
+    }
+    expect(utils.stringParameters(params)).toEqual(expect.stringContaining('"client_secret":"<hidden>"'))
+    expect(utils.stringParameters(params)).toEqual(expect.stringContaining('"authorization":"<hidden>"'))
+    expect(utils.stringParameters(params)).not.toEqual(expect.stringContaining('thesecret'))
   })
 })
 
