fix(analytics): redact single-use path tokens before auto-capture (#3932) #3935

Merged: PierreBrisorgueil merged 1 commit into master from fix/analytics-path-token-redact on Jul 2, 2026

Conversation

@PierreBrisorgueil (Contributor)

Problem

Analytics auto-capture recorded endpoint = req.originalUrl.split('?')[0] — stripped the query string but not path params. Routes carrying a single-use secret as a path param (/api/auth/reset/:token, /verify-email/:token, /(auth/)invitations/verify/:token) shipped the raw token to the analytics store, enabling account takeover by anyone with analytics read access.

Fix

New redactPathSecrets helper (co-located with the existing morgan redactUrl). The middleware now prefers the matched route pattern (req.route?.path with mounted prefix) and falls back to redactPathSecrets for unmatched paths — so a token is never captured raw.

Note (behavior change)

Preferring the route pattern applies to all parameterized routes, not only the token ones: endpoint now reports the pattern (/api/tasks/:id) rather than the concrete path for matched routes. This lowers event cardinality (safer) but changes the endpoint property shape for any existing analytics insight keyed on literal paths.

Test

Added path-token redaction unit tests + a real /api/auth/reset/:token integration test; the existing query-string-scrub test still passes.

Closes #3932

https://claude.ai/code/session_01V1mhCDsSUnn3WGtevd3YFX
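The capture logic described above, as an added example that is not part of the PR or the project's code: the "before" form keeps the raw path param, the "after" form prefers the matched Express route pattern and otherwise runs a redaction fallback. Helper names (endpointBefore, endpointAfter, redactPathSecrets, TOKEN_ROUTE_PREFIXES), the token heuristic and the sample requests are assumptions for illustration.

```javascript
// Added example, not the project's own code. Models the analytics-endpoint
// capture from the PR: vulnerable form vs. route-pattern-first hardened form.
// Names and the token heuristic below are assumptions for illustration.

// Route prefixes whose trailing param is a single-use secret (from the PR text).
const TOKEN_ROUTE_PREFIXES = [
  '/api/auth/reset/',
  '/verify-email/',
  '/auth/invitations/verify/',
  '/invitations/verify/',
];

// Heuristic for opaque secrets on unknown routes: long hex, or long
// base64url with up to two dot-separated parts (JWT-shaped).
const TOKEN_SEGMENT = /^(?:[A-Fa-f0-9]{20,}|[A-Za-z0-9_-]{24,}(?:\.[A-Za-z0-9_-]+){0,2})$/;

// Fallback used when no route pattern matched the request.
function redactPathSecrets(url) {
  const path = url.split('?')[0]; // the query string is never stored either
  const prefix = TOKEN_ROUTE_PREFIXES.find((p) => path.startsWith(p));
  if (prefix) return `${prefix}:token`; // known secret route: always mask
  return path
    .split('/')
    .map((seg) => (TOKEN_SEGMENT.test(seg) ? ':redacted' : seg))
    .join('/');
}

// Before the fix: strips the query string only, so path tokens leak.
function endpointBefore(req) {
  return req.originalUrl.split('?')[0];
}

// After the fix: matched route pattern (mount prefix + pattern) wins;
// unmatched requests go through redaction so a token is never stored raw.
function endpointAfter(req) {
  if (req.route && typeof req.route.path === 'string') {
    return (req.baseUrl || '') + req.route.path;
  }
  return redactPathSecrets(req.originalUrl);
}

// Constructed sample requests (Express req shape; the token value is made up).
const TOKEN = '0f1e2d3c4b5a69788796a5b4c3d2e1f0';
const resetReq = { originalUrl: `/api/auth/reset/${TOKEN}?lang=fr`,
  baseUrl: '/api/auth', route: { path: '/reset/:token' } };
const unmatchedReq = { originalUrl: `/verify-email/${TOKEN}` };
const taskReq = { originalUrl: '/api/tasks/42', baseUrl: '/api/tasks', route: { path: '/:id' } };
```

The taskReq case shows the behaviour change the PR notes: a matched non-token route is also reported as its pattern.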

@coderabbitai (bot) commented Jul 2, 2026

Warning

Review limit reached

@PierreBrisorgueil, you've reached your PR review limit, so we couldn't start this review.


Review details

Run configuration: .coderabbit.yaml, review profile ASSERTIVE, plan Pro, run ID 92667002-1cb2-4cf6-9120-1cc5f7bc9ccd

Commits: reviewing files that changed from the base of the PR and between 7916876 and a4a5a2b.

Files selected for processing (5):
  • lib/helpers/redactUrl.js
  • lib/helpers/tests/redactUrl.unit.tests.js
  • lib/middlewares/analytics.js
  • lib/middlewares/tests/analytics.middleware.integration.tests.js
  • lib/middlewares/tests/analytics.middleware.unit.tests.js

@codecov (bot) commented Jul 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.69%. Comparing base (7916876) to head (a4a5a2b).

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3935      +/-   ##
==========================================
+ Coverage   92.67%   92.69%   +0.01%     
==========================================
  Files         169      169              
  Lines        5546     5556      +10     
  Branches     1782     1786       +4     
==========================================
+ Hits         5140     5150      +10     
  Misses        326      326              
  Partials       80       80              
Flag          Coverage Δ
integration   61.03% <40.00%> (-0.04%) ⬇️
unit          74.33% <100.00%> (+0.04%) ⬆️


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data


PierreBrisorgueil merged commit 626ff5e into master on Jul 2, 2026 (8 checks passed) and deleted the fix/analytics-path-token-redact branch on July 2, 2026 12:18.

Linked issue (closed by this pull request): 🔒 analytics auto-capture leaks single-use path tokens (reset/verify/invite) to the analytics store