feat: obscure cross-space headers from response errors (#532)

scuilla · web-flow · commit c00beb9c1a14 · 2025-03-10T10:54:34.000-06:00
diff --git a/src/error-handler.ts b/src/error-handler.ts
@@ -1,6 +1,19 @@
 import isPlainObject from 'lodash/isPlainObject.js'
 import type { ContentfulErrorData } from './types.js'
 
+function obscureHeaders(config: any) {
+  // Management, Delivery and Preview API tokens
+  if (config?.headers?.['Authorization']) {
+    const token = `...${config.headers['Authorization'].toString().substr(-5)}`
+    config.headers['Authorization'] = `Bearer ${token}`
+  }
+  // Encoded Delivery or Preview token map for Cross-Space References
+  if (config?.headers?.['X-Contentful-Resource-Resolution']) {
+    const token = `...${config.headers['X-Contentful-Resource-Resolution'].toString().substr(-5)}`
+    config.headers['X-Contentful-Resource-Resolution'] = token
+  }
+}
+
 /**
  * Handles errors received from the server. Parses the error into a more useful
  * format, places it in an exception and throws it.
@@ -13,11 +26,7 @@ export default function errorHandler(errorResponse: any): never {
   const { config, response } = errorResponse
   let errorName
 
-  // Obscure the Management token
-  if (config && config.headers && config.headers['Authorization']) {
-    const token = `...${config.headers['Authorization'].toString().substr(-5)}`
-    config.headers['Authorization'] = `Bearer ${token}`
-  }
+  obscureHeaders(config)
 
   if (!isPlainObject(response) || !isPlainObject(config)) {
     throw errorResponse
diff --git a/test/unit/error-handler-test.spec.ts b/test/unit/error-handler-test.spec.ts
@@ -104,4 +104,40 @@ describe('A errorHandler', () => {
       expect(err.config.headers.Authorization).toBe('Bearer ...token')
     }
   })
+
+  it('Obscures encoded cross-space reference tokens in any error message', async () => {
+    const responseError: any = cloneDeep(errorMock)
+    responseError.config.headers = {
+      'X-Contentful-Resource-Resolution': 'secret-token',
+    }
+
+    try {
+      errorHandler(responseError)
+    } catch (err: any) {
+      const parsedMessage = JSON.parse(err.message)
+      expect(parsedMessage.request.headers['X-Contentful-Resource-Resolution']).toBe('...token')
+    }
+
+    const requestError: any = {
+      config: {
+        url: 'requesturl',
+        headers: {},
+      },
+      data: {},
+      request: {
+        status: 404,
+        statusText: 'Not Found',
+      },
+    }
+
+    requestError.config.headers = {
+      'X-Contentful-Resource-Resolution': 'secret-token',
+    }
+
+    try {
+      errorHandler(requestError)
+    } catch (err: any) {
+      expect(err.config.headers['X-Contentful-Resource-Resolution']).toBe('...token')
+    }
+  })
 })
