From c4753c6bba88ecc7984789172047b51cd9f22c11 Mon Sep 17 00:00:00 2001
From: rayhan1967
Date: Sun, 22 Feb 2026 00:07:40 +0700
Subject: [PATCH] fix: redact sensitive info in logs and fix strict type violations
---
 src/bin.ts | 7 +++++--
 src/commands/install.ts | 12 ++++++------
 src/utils/clack-utils.ts | 15 +++++++++++++--
 3 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/src/bin.ts b/src/bin.ts
index 07f5543..259a141 100644
--- a/src/bin.ts
+++ b/src/bin.ts
@@ -16,6 +16,8 @@ import { hideBin } from 'yargs/helpers';
 import chalk from 'chalk';
 import { ensureAuthenticated } from './lib/ensure-auth.js';
 import { checkForUpdates } from './lib/version-check.js';
+import type { ArgumentsCamelCase } from 'yargs';
+import type { InstallArgs } from './commands/install.js';
 const NODE_VERSION_RANGE = getConfig().nodeVersion;
@@ -274,7 +276,8 @@ yargs(hideBin(process.argv))
 },
 )
 .command('list', 'List configured environments', {}, async (argv) => {
- await applyInsecureStorage((argv as any).insecureStorage);
+ const typedArgv = argv as { insecureStorage?: boolean };
+ await applyInsecureStorage(typedArgv.insecureStorage);
 const { runEnvList } = await import('./commands/env.js');
 await runEnvList();
 })
@@ -502,7 +505,7 @@ yargs(hideBin(process.argv))
 await ensureAuthenticated();
 const { handleInstall } = await import('./commands/install.js');
- await handleInstall({ dashboard: false } as any);
+ await handleInstall({ dashboard: false } as ArgumentsCamelCase);
 process.exit(0);
 },
 )
diff --git a/src/commands/install.ts b/src/commands/install.ts
index fef469c..808ec81 100644
--- a/src/commands/install.ts
+++ b/src/commands/install.ts
@@ -5,7 +5,7 @@ import clack from '../utils/clack.js';
 import chalk from 'chalk';
 import type { ArgumentsCamelCase } from 'yargs';
-interface InstallArgs {
+export interface InstallArgs {
 debug?: boolean;
 local?: boolean;
 ci?: boolean;
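Review bot: In src/bin.ts, the `list` handler (hunk at -274) still reads the flag passed to `applyInsecureStorage` through an unchecked assertion, so `argv as { insecureStorage?: boolean }` gives no more runtime guarantee than the `as any` it replaces. Narrowing the value removes the cast: `const insecureStorage = typeof argv.insecureStorage === 'boolean' ? argv.insecureStorage : undefined;` followed by `await applyInsecureStorage(insecureStorage);`. The hunk at -502 has the same pattern: `{ dashboard: false } as ArgumentsCamelCase` asserts an object literal that carries none of the fields yargs puts on parsed arguments, so a declared constant or a `handleInstall` parameter typed as the plain options interface would let the compiler check it. Where the flag is declared and how `applyInsecureStorage` treats `undefined` are outside these hunks, so confirm that case before changing the call.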
@@ -49,16 +49,16 @@ export async function handleInstall(argv: ArgumentsCamelCase): Prom
 clack.intro(chalk.inverse('WorkOS AuthKit Installer'));
 clack.log.error(
 'This installer requires an interactive terminal (TTY) to run.\n' +
- 'It appears you are running in a non-interactive environment.\n' +
- 'Please run the installer in an interactive terminal.\n\n' +
- 'For CI/CD environments, use --ci mode:\n' +
- ' workos install --ci --api-key sk_xxx --client-id client_xxx',
+ 'It appears you are running in a non-interactive environment.\n' +
+ 'Please run the installer in an interactive terminal.\n\n' +
+ 'For CI/CD environments, use --ci mode:\n' +
+ ' workos install --ci --api-key sk_xxx --client-id client_xxx',
 );
 process.exit(1);
 }
 try {
- await runInstaller(options as unknown as InstallerOptions);
+ await runInstaller(options);
 process.exit(0);
 } catch (err) {
 const { getLogFilePath } = await import('../utils/debug.js');
diff --git a/src/utils/clack-utils.ts b/src/utils/clack-utils.ts
index 527dcc2..8a67060 100644
--- a/src/utils/clack-utils.ts
+++ b/src/utils/clack-utils.ts
@@ -17,6 +17,17 @@ import { analytics } from './analytics.js';
 import clack from './clack.js';
 import { INTEGRATION_CONFIG } from '../lib/config.js';
+/**
+ * Redact sensitive info (API keys, client secrets) from a string.
+ */
+export function redactSensitiveInfo(str: string): string {
+ if (!str) return str;
+ // Redact WorkOS API keys (sk_...), client secrets, etc.
+ return str
+ .replace(/sk_[a-zA-Z0-9]+/g, 'sk_***')
+ .replace(/client_[a-zA-Z0-9]+/g, 'client_***');
+}
+
 interface ProjectData {
 projectApiKey: string;
 accessToken: string;
@@ -329,8 +340,8 @@ export async function installPackage({
 fs.writeFileSync(
 join(process.cwd(), `workos-installation-error-${Date.now()}.log`),
 JSON.stringify({
- stdout,
- stderr,
+ stdout: redactSensitiveInfo(stdout),
+ stderr: redactSensitiveInfo(stderr),
 }),
 { encoding: 'utf8' },
 );
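Review bot: In `redactSensitiveInfo` (src/utils/clack-utils.ts, hunk at -17) the character class `[a-zA-Z0-9]+` stops at the first `_` or `-` after the prefix, so a key with a further separator (constructed example: `sk_test_AbC123`) becomes `sk_***_AbC123` and the secret part stays in the log. Matching the whole token closes the gap: `.replace(/\bsk_[A-Za-z0-9_-]+/g, 'sk_***')`, with the same class and `\b` anchor on the `client_` pattern; the anchor also stops matches inside longer words such as `task_id`. The doc comment says "client secrets", but `client_…` is the shape the installer's own usage text shows for `--client-id`, so the comment would be more accurate as `Redact WorkOS API keys (sk_…) and client IDs (client_…)`. A small unit test over a few constructed strings would pin the intended behaviour.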
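Review bot: The error log in `installPackage` (src/utils/clack-utils.ts, hunk at -329) is still written into `process.cwd()` with the process's default file mode, so anything the two patterns do not cover in package-manager output (registry tokens, credentials embedded in URLs) ends up in a project-directory file that may be readable by other local users or committed by accident. Restricting the mode on the write is a one-line change, `{ encoding: 'utf8', mode: 0o600 },`, and a comment next to the call should state that the redaction is best-effort. `installPackage` starts and ends outside the hunk, so the types of `stdout` and `stderr` are not visible here; `redactSensitiveInfo` returns a falsy input unchanged, which keeps the `JSON.stringify` output as before in that case.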