fix(middleware): redact Authorization header in structured logs #4134

Open

UGVicV wants to merge 18 commits into orchestration-agent:main from UGVicV:fix/bounty-3899-redact-auth-header

Conversation

@UGVicV UGVicV commented May 25, 2026

Description

This PR resolves the issue where the LoggingMiddleware could expose sensitive headers (Authorization, Cookie, X-Api-Key) in structured log output.

Fix

  • Added SENSITIVE_HEADERS frozenset covering: authorization, proxy-authorization, cookie, set-cookie, x-api-key.
  • Added REDACTED = "***REDACTED***" constant.
  • Added _redact_headers() helper that masks sensitive header values (case-insensitive key matching).
  • Updated LoggingMiddleware.dispatch() to redact headers before logging.
  • Wrapped all middleware dispatch methods in try-except with logger.error().
  • Fixed all PEP8 violations (lines under 79 characters).

Verification

Created tests/test_middleware.py with 6 regression tests:

  • test_redacts_authorization: Authorization header masked.
  • test_redacts_cookie: Cookie header masked.
  • test_redacts_x_api_key: X-Api-Key header masked.
  • test_preserves_safe_headers: Non-sensitive headers untouched.
  • test_empty_headers: Empty dict works.
  • test_case_insensitive: Mixed case matching works.
  • 78 passed in 0.20s
  • flake8 src/api/middleware.py tests/test_middleware.py -> Passed (0 errors)

Closes #3899.

Vic added 18 commits May 22, 2026 11:55
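The helper the PR describes (a SENSITIVE_HEADERS frozenset, a REDACTED constant, and a case-insensitive _redact_headers() that masks values before they reach the logger) is easy to get subtly wrong, for example by comparing keys case-sensitively or by mutating the request's header mapping. The block below is an added illustration written for this page, not the PR's own code: it assumes headers arrive as a string-to-string mapping (as in a Starlette-style middleware) and that the logger call is plain stdlib logging; the sample request is constructed.

```python
# Added example, not code from PR #4134. Demonstrates header redaction of the
# kind the PR describes: case-insensitive key matching, copy-not-mutate, and a
# structured log call that only ever sees the redacted copy.
import logging
from typing import Dict, Iterable, Mapping

# Same header set the PR lists; compared in lower case.
SENSITIVE_HEADERS = frozenset({
    "authorization",
    "proxy-authorization",
    "cookie",
    "set-cookie",
    "x-api-key",
})
REDACTED = "***REDACTED***"


def _redact_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Return a new dict with sensitive values masked.

    Matching is case-insensitive ("AUTHORIZATION", "Cookie", "x-api-key"
    all match). The original key spelling and order are preserved, and
    the input mapping is never modified.
    """
    return {
        key: (REDACTED if key.lower() in SENSITIVE_HEADERS else value)
        for key, value in headers.items()
    }


def log_request(
    logger: logging.Logger, method: str, path: str, headers: Mapping[str, str]
) -> Dict[str, object]:
    """Build the structured record for a request and log it.

    Redaction happens before the record exists, so no code path can log
    the raw mapping by accident. The record is returned so tests can
    assert on exactly what was logged.
    """
    record = {
        "method": method,
        "path": path,
        "headers": _redact_headers(headers),
    }
    logger.info("request", extra={"request": record})
    return record


def leaked_secrets(record: Mapping[str, object], secrets: Iterable[str]) -> list:
    """Regression check: return any secret substring present in the
    flattened log record. An empty list means nothing leaked."""
    flat = repr(record)
    return [s for s in secrets if s in flat]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample request; the token and cookie are fake.
    sample_headers = {
        "Host": "api.example.test",
        "AUTHORIZATION": "Bearer sample-token-123",
        "Cookie": "session=sample-cookie-456",
        "Accept": "application/json",
    }
    rec = log_request(logging.getLogger("demo"), "GET", "/v1/items", sample_headers)
    print(rec)
    print("leaked:", leaked_secrets(rec, ["sample-token-123", "sample-cookie-456"]))
```

The leaked_secrets() check is the shape a regression test for this class of bug should take: rather than asserting that one named header equals REDACTED, it asserts that the raw secret values are absent from the entire serialized record, which also catches leaks through a second field (query string, a debug dump) that a per-header assertion would miss.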
Development

Successfully merging this pull request may close these issues.

[ Bounty $4k ] [ Middleware ] Redact Authorization header in structured logs — request logging