Commit Graph

1 Commits

Author SHA1 Message Date
Authensor
f67f4ac76d fix: mask sensitive headers in API request logs
The API request logger writes request/response details to persistent
plaintext files in the temp/api_logs directory. Without masking, the
Authorization header (which carries the user's Comfy API bearer token for
paid nodes like Grok, Bria, Runway, Gemini, and Rodin) is written verbatim
to every log file. These files are never cleaned up, so tokens accumulate
on disk indefinitely.

Fix: mask Authorization, X-API-Key, Cookie, Set-Cookie, and
Proxy-Authorization headers before writing to log files. Non-sensitive
headers pass through unchanged.

9 tests: masking behavior, case-insensitivity, non-mutation of original,
and end-to-end verification that the token does not appear in the log file.

Signed-off-by: John Kearney <johndanielkearney@gmail.com>
2026-07-02 17:10:51 -05:00
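The masking behaviour the commit message describes, as an added example that is not the project's own code: the function names, the `MASK` string and the sample request are assumptions, and only the five header names come from the commit message.

```python
from __future__ import annotations

import json
from typing import Mapping, Optional

# Header names listed in the commit message, lower-cased for comparison.
SENSITIVE_HEADERS = frozenset({
    "authorization", "x-api-key", "cookie", "set-cookie", "proxy-authorization",
})
MASK = "***MASKED***"  # assumed placeholder; the commit message does not give the mask text


def mask_sensitive_headers(headers: Optional[Mapping[str, str]]) -> dict[str, str]:
    """Return a copy of headers with sensitive values replaced by MASK.

    Matching is case-insensitive and the caller's mapping is never modified,
    so the live request still carries its real credentials.
    """
    if not headers:
        return {}
    return {
        name: MASK if name.strip().lower() in SENSITIVE_HEADERS else value
        for name, value in headers.items()
    }


def format_log_entry(method: str, url: str, headers: Mapping[str, str]) -> str:
    """Serialize a request for the log file, masking headers first."""
    return json.dumps(
        {"method": method, "url": url, "headers": mask_sensitive_headers(headers)},
        indent=2,
    )


if __name__ == "__main__":
    # Constructed sample request; the token and key are made-up values.
    request_headers = {
        "authorization": "Bearer example-token-123",
        "Content-Type": "application/json",
        "X-API-KEY": "example-key-456",
    }
    entry = format_log_entry("POST", "https://api.example.invalid/v1/run", request_headers)
    print(entry)
    # The secret must be absent from what reaches disk, while the original
    # headers stay intact for the actual outbound request.
    assert "example-token-123" not in entry
    assert request_headers["authorization"] == "Bearer example-token-123"
```

Masking stops new tokens from reaching disk; log files written before the fix still contain them and need separate cleanup or token rotation.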