fix(core): redact apikey in nab keys + http recursion logs (follow-up #947)

[slawrensen]

Follow-up to #947. That PR landed the Newznab error/debug log redaction but left a few of the review comments unaddressed. This picks those up, plus one related surface I noticed while looking at the same paths again.

Changes (3, smallest possible):

• packages/core/src/utils/http.ts — makeUrlLogSafe docstring updated. The function already strips apikey= (line 46) but the comment only mentioned password. Doc now matches behavior.

• packages/core/src/utils/http.ts — PossibleRecursiveRequestError warn and throw embedded the raw urlObj.toString(), while the sibling DEBUG log on the same path already runs through makeUrlLogSafe. Wrapped both so recursion errors don't leak apikey for any caller (not just nab).

• packages/core/src/builtins/base/nab/api.ts — cacheKey and lockKey embedded raw this.apiKey. Both keys flow into logger.* calls inside DistributedLock and searchWithBackgroundRefresh. Hashed with the existing getSimpleTextHash helper so credential partitioning is kept but the raw key never reaches a log line.

Note: the cache/lock key change is a one-time cache-bust on deploy (existing entries won't match the new key shape). No data loss, just a cold cache for nab search/caps.

Outbound request behavior is unchanged — the apikey is still sent in plain to the upstream Newznab endpoint via searchParams.set('apikey', ...).

No new deps, no public API change, no tests added (matching #947). Happy to add tests if you want them.

Summary by CodeRabbit

• Bug Fixes
  • Enhanced security by hashing API keys used in internal caches and distributed locks to avoid exposing sensitive credentials.
  • Improved log safety by masking password and API key parameters (including URL userinfo) to prevent accidental disclosure in logs and error messages.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: a3f5a86c-9bb9-4bfa-b5aa-13bcf5d657bb

📥 Commits

Reviewing files that changed from the base of the PR and between ef54303 and f595d4b.

📒 Files selected for processing (1)

• packages/core/src/utils/http.ts

---

Walkthrough

Hash API keys used in cache/lock identifiers and improve URL redaction so logs and recursion-detection errors no longer expose apikey or password (including userinfo and forceProxy).

Changes

API Key Redaction in Cache, Lock Keys, and Error Messages

Layer / File(s)	Summary
API key hashing in cache and lock keys packages/core/src/builtins/base/nab/api.ts	Import getSimpleTextHash and update search method's cacheKey and request method's DistributedLock lockKey to use a hashed API key (or '' when absent).
URL redaction in logging and error handling packages/core/src/utils/http.ts	Replace legacy masking with URL-parsing redaction of userinfo and case-insensitive password/apikey in query and fragment; use the redacted URL in recursion-detection warnings/exceptions and when redacting options.forceProxy in debug logs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Viren070/AIOStreams#947: Overlapping changes to makeUrlLogSafe to redact apikey case-insensitively and related logging updates.

Poem

A rabbit nibbles through the log, so spry,
Hiding keys that once would meet the eye,
Hash the secrets, mask the trace,
Quiet logs with careful grace,
🐰🔐

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarises the main changes: redacting API keys in NAB cache/lock keys and HTTP recursion logs as a follow-up to issue #947.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Follow-up to #947 that finishes redacting Newznab apikey values from log output. It updates the makeUrlLogSafe docstring, wraps the previously-raw URL strings in the recursive-request warn/throw paths, and hashes this.apiKey in cache/lock keys (which are logged downstream) using the existing getSimpleTextHash helper.

Changes:

• Wrap urlObj.toString() with makeUrlLogSafe in PossibleRecursiveRequestError warn log and thrown error message.
• Replace raw apiKey interpolation in nab cacheKey/lockKey with a getSimpleTextHash of the key (preserves per-credential partitioning while keeping logs safe).
• Update makeUrlLogSafe doc comment to reflect that apikey is also masked (case-insensitive).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
packages/core/src/utils/http.ts	Doc comment fix; recursion warn/throw now go through makeUrlLogSafe.
packages/core/src/builtins/base/nab/api.ts	Import getSimpleTextHash; hash this.apiKey in cacheKey and lockKey to avoid leaking it via downstream logs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[slawrensen]

Pushed an amend addressing two more leak surfaces on the same code path:

• makeUrlLogSafe now parses the URL and redacts userinfo (https://user:apikey@host) and any password/apikey param in the fragment as well as the query, case-insensitive. Legacy regex stripping is kept as a fallback for non-URL strings (already-truncated log fragments etc.). Also tightened the password= regex to /gi so it matches the apikey= line.
• makeRequest debug log now runs options.forceProxy through makeUrlLogSafe before logging, so a proxy URL with userinfo doesn't leak.

Same scope (#947 follow-up, leak redaction), no behavior change for outbound traffic, no new deps.

Out of scope but worth flagging for a separate PR: startup.ts:140 logs Env.ADDON_PROXY.join(', ') raw at boot, same bug class.