mirror of
https://github.com/arc53/DocsGPT.git
synced 2026-05-21 04:45:06 +00:00
* feat: postgres tests
* feat: mongo cutoff
* feat: mongo cutoff
* feat: adjust docs and compose files
* fix: mini code mongo removals
* fix: tests and k8s mongo stuff
* feat: test fixes
* fix: ruff
* fix: vale
* Potential fix for pull request finding 'CodeQL / Clear-text logging of sensitive information'
  Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix: mini suggestions
* vale lint fix 2
* fix: codeql columns thing
* fix: test mongo
* fix: tests coverage
* feat: better tests 4
* feat: more tests
* feat: decent coverage
* fix: ruff fixes
* fix: remove mongo mock
* feat: enhance workflow engine and API routes; add document retrieval and source handling
* feat: e2e tests
* fix: mcp, mongo and more
* fix: mini codeql warning
* fix: agent chunk view
* fix: mini issues
* fix: more pg fixes
* feat: postgres prep on start
* feat: qa tests
* fix: mini improvements
* fix: tests
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Siddhant Rai <siddhant.rai.5686@gmail.com>
38 lines
1.3 KiB
Python
```python
"""Shared helpers for connector auth modules.

These helpers exist so that sensitive values (session tokens, bearer
credentials) never end up interpolated into exception messages or log
lines. Exception messages frequently flow into ``stack_logs`` (Postgres)
and Sentry via ``exc_info=True``, so the raw value must never be the
thing we format.
"""

from __future__ import annotations

import hashlib


def session_token_fingerprint(session_token: str) -> str:
    """Return a short, irreversible fingerprint for a session token.

    The returned string is safe to embed in exception messages and log
    lines: it is a prefix of a SHA-256 digest, clearly tagged so an
    operator reading the log knows it is a hash and not the token
    itself. It is stable for a given input, which lets operators
    correlate "which token failed" across log lines without exposing
    the credential.

    Args:
        session_token: The raw session token. Accepts ``None`` or the
            empty string for defensive callers; both yield a distinct
            sentinel rather than raising.

    Returns:
        A string of the form ``"sha256:<6 hex chars>"``, or
        ``"sha256:<empty>"`` when the input is falsy.
    """
    if not session_token:
        return "sha256:<empty>"
    digest = hashlib.sha256(session_token.encode("utf-8")).hexdigest()
    return f"sha256:{digest[:6]}"
```
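An added example, not part of the DocsGPT repository, that puts the helper in the situation the module docstring describes: an exception message that is later logged with `exc_info=True`. `load_session`, `capture_failure_log`, the dict-backed store and the token value are hypothetical and constructed for illustration.

```python
import hashlib
import io
import logging


def session_token_fingerprint(session_token):
    # Same logic as the helper above, repeated so this example runs alone.
    # Six hex chars is a 24-bit tag: enough to correlate, not a unique id.
    if not session_token:
        return "sha256:<empty>"
    digest = hashlib.sha256(session_token.encode("utf-8")).hexdigest()
    return f"sha256:{digest[:6]}"


def load_session(session_token, store):
    """Hypothetical connector lookup; `store` is a plain dict here."""
    try:
        return store[session_token]
    except KeyError:
        # KeyError's message is the raw token. `from None` keeps it out of
        # the chained traceback that exc_info=True would otherwise render.
        raise ValueError(
            f"Invalid session token ({session_token_fingerprint(session_token)})"
        ) from None


def capture_failure_log(session_token, store):
    """Log a failed lookup with exc_info=True and return the rendered text."""
    buf = io.StringIO()
    logger = logging.getLogger("connector_auth_example")
    logger.propagate = False  # keep the output in our buffer only
    handler = logging.StreamHandler(buf)
    logger.addHandler(handler)
    try:
        load_session(session_token, store)
    except ValueError:
        logger.error("session lookup failed", exc_info=True)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue()


if __name__ == "__main__":
    CONSTRUCTED_TOKEN = "constructed-token-9f2c4e71"  # sample value, not real
    print(capture_failure_log(CONSTRUCTED_TOKEN, {}))
```

Without `from None`, the traceback would include the original `KeyError`, whose message is the token itself, so the fingerprint in the outer message would not be enough on its own.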