security: reduce information leakage when displaying the tokens

zimbatm · zimbatm · commit c09ccf9baee8 · 2025-07-10T09:32:06.000+02:00
diff --git a/cmd/set_token_test.go b/cmd/set_token_test.go
@@ -77,7 +77,7 @@ func TestRunSetToken(t *testing.T) {
 				return configFile
 			},
 			expectedOutputs: []string{
-				"Successfully set token for test.example.com: test****-123",
+				"Successfully set token for test.example.com: test********",
 				"Config saved to:",
 			},
 		},
@@ -95,7 +95,7 @@ func TestRunSetToken(t *testing.T) {
 			mockStdin: "interactive-token-456\n",
 			expectedOutputs: []string{
 				"Enter token for test.example.com:",
-				"Successfully set token for test.example.com: inte****-456",
+				"Successfully set token for test.example.com: inte********",
 			},
 		},
 		{
@@ -114,7 +114,7 @@ func TestRunSetToken(t *testing.T) {
 				return configFile
 			},
 			expectedOutputs: []string{
-				"Successfully set token for test.example.com: new-****-789",
+				"Successfully set token for test.example.com: ********",
 			},
 		},
 		{
@@ -131,7 +131,7 @@ func TestRunSetToken(t *testing.T) {
 			},
 			mockStdin: "n\n",
 			expectedOutputs: []string{
-				"Token already exists for test.example.com: old-****-123",
+				"Token already exists for test.example.com: ********",
 				"Replace it? (y/N):",
 				"Operation cancelled",
 			},
@@ -151,9 +151,9 @@ func TestRunSetToken(t *testing.T) {
 			},
 			mockStdin: "y\n",
 			expectedOutputs: []string{
-				"Token already exists for test.example.com: old-****-123",
+				"Token already exists for test.example.com: ********",
 				"Replace it? (y/N):",
-				"Successfully set token for test.example.com: new-****-789",
+				"Successfully set token for test.example.com: ********",
 			},
 		},
 		{
@@ -190,7 +190,7 @@ func TestRunSetToken(t *testing.T) {
 			expectedOutputs: []string{
 				"Validating token with test-provider provider...",
 				"Token validated successfully",
-				"Successfully set token for test.example.com: vali****oken",
+				"Successfully set token for test.example.com: ********",
 			},
 		},
 		{
@@ -320,7 +320,7 @@ func TestRunSetToken(t *testing.T) {
 			expectedOutputs: []string{
 				"Detected test-provider provider, validating token...",
 				"Warning: token may not be valid",
-				"Successfully set token for test.example.com: mayb****oken",
+				"Successfully set token for test.example.com: mayb********",
 			},
 			expectError: false,
 		},
diff --git a/cmd/status_test.go b/cmd/status_test.go
@@ -54,7 +54,7 @@ func TestRunStatus(t *testing.T) {
 			setupConfig: func(t *testing.T) string {
 				tmpDir := t.TempDir()
 				configFile := filepath.Join(tmpDir, "nix.conf")
-				content := `access-tokens = github.com=gho_testtoken123
+				content := `access-tokens = github.com=gho_testtoken123456789
 `
 				err := os.WriteFile(configFile, []byte(content), 0644)
 				if err != nil {
@@ -96,7 +96,7 @@ func TestRunStatus(t *testing.T) {
 				"github.com",
 				"Provider  github",
 				"User      testuser (Test User)",
-				"Token     gho_****n123",
+				"Token     gho_******89",
 				"Scopes    repo, read:user",
 				"Status    ✓ Valid",
 			},
@@ -107,7 +107,7 @@ func TestRunStatus(t *testing.T) {
 			setupConfig: func(t *testing.T) string {
 				tmpDir := t.TempDir()
 				configFile := filepath.Join(tmpDir, "nix.conf")
-				content := `access-tokens = github.com=gho_validtoken gitlab.com=glpat_invalidtoken
+				content := `access-tokens = github.com=gho_validtoken123456 gitlab.com=glpat_invalidtoken789
 `
 				err := os.WriteFile(configFile, []byte(content), 0644)
 				if err != nil {
@@ -175,11 +175,11 @@ func TestRunStatus(t *testing.T) {
 				"github.com",
 				"Provider  github",
 				"User      ghuser (GitHub User)",
-				"Token     gho_****oken",
+				"Token     gho_******56",
 				"Status    ✓ Valid",
 				"gitlab.com",
 				"Provider  gitlab",
-				"Token     glpa****oken",
+				"Token     glpa********",
 				"Status    ✗ Invalid - 401 Unauthorized",
 			},
 			expectError: false,
@@ -189,7 +189,7 @@ func TestRunStatus(t *testing.T) {
 			setupConfig: func(t *testing.T) string {
 				tmpDir := t.TempDir()
 				configFile := filepath.Join(tmpDir, "nix.conf")
-				content := `access-tokens = unknown.host.com=token1234567890
+				content := `access-tokens = unknown.host.com=token123456789012345
 `
 				err := os.WriteFile(configFile, []byte(content), 0644)
 				if err != nil {
@@ -205,7 +205,7 @@ func TestRunStatus(t *testing.T) {
 				"unknown.host.com",
 				"Provider  unknown",
 				"Status    ⚠ Unknown (unverified)",
-				"Token     toke****7890",
+				"Token     toke********",
 				"Scopes    None",
 			},
 			expectError: false,
diff --git a/internal/ui/token.go b/internal/ui/token.go
@@ -1,11 +1,42 @@
 package ui
 
-import "fmt"
+import (
+	"fmt"
+	"strings"
+)
 
-// MaskToken masks a token for security, showing only the first and last 4 characters
+// MaskToken masks a token for security, showing only the token prefix for known types
 func MaskToken(token string) string {
-	if len(token) > 10 {
-		return fmt.Sprintf("%s****%s", token[:4], token[len(token)-4:])
+	// Handle empty or very short tokens
+	if len(token) < 14 {
+		return strings.Repeat("*", 8)
 	}
-	return "Configured"
+
+	// Known token prefixes - these help identify the token type without revealing sensitive data
+	knownPrefixes := []string{
+		"gho_",        // GitHub OAuth token
+		"ghp_",        // GitHub personal access token
+		"ghs_",        // GitHub server-to-server token
+		"github_pat_", // GitHub fine-grained PAT
+		"glpat-",      // GitLab personal access token
+		"gloas-",      // GitLab OAuth access token
+		"glrt-",       // GitLab refresh token
+		"gitea_",      // Gitea token prefix (if standardized)
+	}
+
+	// Check if token starts with a known prefix
+	for _, prefix := range knownPrefixes {
+		if strings.HasPrefix(token, prefix) {
+			// Show prefix + last 2 chars for better differentiation between multiple tokens
+			if len(token) >= len(prefix)+8 {
+				return fmt.Sprintf("%s%s%s", prefix, strings.Repeat("*", 6), token[len(token)-2:])
+			}
+			// Fallback if token is too short
+			return fmt.Sprintf("%s%s", prefix, strings.Repeat("*", 8))
+		}
+	}
+
+	// For unknown token types, show first 4 chars (might indicate type) + mask
+	// This is more conservative than showing both prefix and suffix
+	return fmt.Sprintf("%s%s", token[:4], strings.Repeat("*", 8))
 }
diff --git a/internal/ui/token_test.go b/internal/ui/token_test.go
@@ -0,0 +1,166 @@
+package ui
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestMaskToken(t *testing.T) {
+	tests := []struct {
+		name     string
+		token    string
+		expected string
+	}{
+		// Empty and short tokens
+		{
+			name:     "empty token",
+			token:    "",
+			expected: "********",
+		},
+		{
+			name:     "very short token",
+			token:    "abc",
+			expected: "********",
+		},
+		{
+			name:     "token exactly 15 chars",
+			token:    "123456789012345",
+			expected: "1234********",
+		},
+		{
+			name:     "token exactly 16 chars",
+			token:    "1234567890123456",
+			expected: "1234********",
+		},
+
+		// GitHub tokens
+		{
+			name:     "GitHub OAuth token",
+			token:    "gho_16C7e42F292c6912E7710c838347Ae178B4a",
+			expected: "gho_******4a",
+		},
+		{
+			name:     "GitHub personal access token",
+			token:    "ghp_16C7e42F292c6912E7710c838347Ae178B4a",
+			expected: "ghp_******4a",
+		},
+		{
+			name:     "GitHub server token",
+			token:    "ghs_16C7e42F292c6912E7710c838347Ae178B4a",
+			expected: "ghs_******4a",
+		},
+		{
+			name:     "GitHub fine-grained PAT",
+			token:    "github_pat_11ABCDEF0_1234567890abcdef",
+			expected: "github_pat_******ef",
+		},
+
+		// GitLab tokens
+		{
+			name:     "GitLab personal access token",
+			token:    "glpat-1234567890abcdefghij",
+			expected: "glpat-******ij",
+		},
+		{
+			name:     "GitLab OAuth access token",
+			token:    "gloas-1234567890abcdefghij",
+			expected: "gloas-******ij",
+		},
+		{
+			name:     "GitLab refresh token",
+			token:    "glrt-1234567890abcdefghij",
+			expected: "glrt-******ij",
+		},
+
+		// Gitea tokens
+		{
+			name:     "Gitea token",
+			token:    "gitea_1234567890abcdefghij",
+			expected: "gitea_******ij",
+		},
+
+		// Unknown token types
+		{
+			name:     "unknown token type",
+			token:    "xyz_1234567890abcdefghij",
+			expected: "xyz_********",
+		},
+		{
+			name:     "random long token",
+			token:    "abcdefghijklmnopqrstuvwxyz1234567890",
+			expected: "abcd********",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := MaskToken(tt.token)
+			if result != tt.expected {
+				t.Errorf("MaskToken(%q) = %q, want %q", tt.token, result, tt.expected)
+			}
+
+			// Security check: ensure no sensitive part of the token is exposed
+			if len(tt.token) >= 14 {
+				// For known prefixes, we show last 2 chars
+				hasKnownPrefix := false
+				for _, prefix := range []string{"gho_", "ghp_", "ghs_", "github_pat_", "glpat-", "gloas-", "glrt-", "gitea_"} {
+					if strings.HasPrefix(tt.token, prefix) {
+						hasKnownPrefix = true
+						break
+					}
+				}
+
+				if hasKnownPrefix && len(tt.token) > 8 {
+					// Check we're not exposing more than last 2 chars
+					suffix := tt.token[len(tt.token)-8 : len(tt.token)-2]
+					if strings.Contains(result, suffix) {
+						t.Errorf("MaskToken exposed too much of token suffix: %q contains %q", result, suffix)
+					}
+				} else if !hasKnownPrefix {
+					// For unknown tokens, check we're not exposing any suffix
+					suffix := tt.token[len(tt.token)-8:]
+					if strings.Contains(result, suffix) {
+						t.Errorf("MaskToken exposed token suffix: %q contains %q", result, suffix)
+					}
+				}
+
+				// Check that we're not exposing too much of the middle
+				if len(tt.token) > 20 {
+					middle := tt.token[10:20]
+					if strings.Contains(result, middle) {
+						t.Errorf("MaskToken exposed token middle: %q contains %q", result, middle)
+					}
+				}
+			}
+		})
+	}
+}
+
+func TestMaskTokenSecurity(t *testing.T) {
+	// Test that the function handles Unicode correctly
+	t.Run("unicode token", func(t *testing.T) {
+		token := "test_こんにちは世界1234567890"
+		result := MaskToken(token)
+		// Should show first 4 bytes, not break Unicode
+		if result != "test********" {
+			t.Errorf("MaskToken failed to handle Unicode correctly: got %q", result)
+		}
+	})
+
+	// Test consistent masking length
+	t.Run("consistent mask length", func(t *testing.T) {
+		tokens := []struct {
+			token    string
+			expected string
+		}{
+			{"gho_shorttoken123", "gho_******23"},
+			{"gho_verylongtokenwithmanymorecharacters123456789", "gho_******89"},
+		}
+		for _, tt := range tokens {
+			result := MaskToken(tt.token)
+			if result != tt.expected {
+				t.Errorf("MaskToken inconsistent masking for %q: got %q, want %q", tt.token, result, tt.expected)
+			}
+		}
+	})
+}
