/**
 * redact-error.ts — Internal credential-scrubbing helper.
 *
 * The `postgres` npm package can embed the full DSN (including the password)
 * in connection-failure error messages. This module provides a single helper
 * that strips the user:password portion from any such message before it is
 * re-thrown, logged, or surfaced in a structured health report.
 *
 * This file is intentionally NOT re-exported from the package index — it is
 * an internal utility for use within packages/storage/src only.
 */
/**
 * Redacts credentials from error messages that may include connection URLs.
 * The `postgres` npm package can embed the full DSN in connection-failure
 * messages, and ioredis can embed `redis://` / `rediss://` URLs similarly.
 * This helper strips the user:password portion before display.
 *
 * Handles `postgres://`, `postgresql://`, `redis://`, and `rediss://`
 * schemes (case-insensitive). Everything between `://` and `@` (the userinfo
 * component) is replaced with `***` so that the host, port, and database name
 * remain visible for diagnostics while the secret is never written to logs or
 * CI output.
 *
 * @example
 * redactErrMsg('connect ECONNREFUSED postgres://admin:s3cr3t@db:5432/mosaic')
 * // → 'connect ECONNREFUSED postgres://***@db:5432/mosaic'
 *
 * redactErrMsg('connect ECONNREFUSED redis://user:pass@cache:6379')
 * // → 'connect ECONNREFUSED redis://***@cache:6379'
 */
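// Matches a postgres/postgresql/redis/rediss URL from its scheme through the
// LAST `@` of the whitespace-delimited token it appears in. Stopping at the
// first `@` would leave the tail of a password that contains an unencoded `@`
// (e.g. `user:p@ss@host`) in the output. Matching greedily fails closed: when a
// later `@` appears in the same token (say, in a query string) the host is
// hidden too, which costs diagnostics but never exposes the secret.
// Only the URL userinfo form is covered; a password passed as a query
// parameter or in a key/value DSN is not touched by this pattern.
const CREDENTIAL_URL_RE = /(postgres(?:ql)?|rediss?):\/\/\S*@/gi;

/**
 * Replaces the userinfo of every postgres/redis connection URL found in an
 * error message with `***`, so the message can be logged or re-thrown without
 * carrying the password.
 *
 * @param msg - Error text that may embed one or more connection URLs.
 * @returns The text with each matched `scheme://…@` prefix rewritten to
 *   `scheme://***@`, the scheme lower-cased. Text without a matching URL is
 *   returned unchanged.
 */
export function redactErrMsg(msg: string): string {
  return msg.replace(
    CREDENTIAL_URL_RE,
    // Only the captured scheme is re-emitted; the matched userinfo is dropped.
    (_match: string, scheme: string) => `${scheme.toLowerCase()}://***@`,
  );
}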