fix: Redact tokens in query and response logs (#545)

[ad-claw000]

Summary

When an Authenticate query fails or a subsequent query fails and the last response was from authentication, the error logs were exposing refresh_token, session_token, and passwords. This change redacts them.

Changes

• aperturedb/Connector.py: Modified get_last_response_str to deepcopy and scrub session_token and refresh_token inside Authenticate.
• aperturedb/CommonLibrary.py: Modified error logging in execute_query to also redact tokens/passwords in the query and response JSON before logging.

Fixes #545

[ad-claw000]

Closing in favor of older PR #672

[Copilot]

Pull request overview

This PR addresses issue #545 by preventing authentication secrets (passwords and tokens) from being exposed in SDK logs when Authenticate (or subsequent queries around authentication) fail, by scrubbing sensitive fields before formatting them for logging.

Changes:

• Redacts session_token/refresh_token when stringifying Connector.last_response via Connector.get_last_response_str().
• Redacts password/token/session_token/refresh_token in execute_query() error logs by deep-copying and scrubbing the query/response objects before logging.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
aperturedb/Connector.py	Scrubs auth tokens from the “last response” string representation used in error/diagnostic logging.
aperturedb/CommonLibrary.py	Scrubs auth secrets from failed-transaction error logs to avoid leaking credentials/tokens.

Comments suppressed due to low confidence (2)

aperturedb/Connector.py:656

• Redaction here only looks for Authenticate responses. last_response can also be a RefreshToken response (see _refresh_token() which reads session_token/refresh_token from response[0]["RefreshToken"]), and get_last_response_str() would currently serialize those tokens unredacted. Expanding the scrub to cover RefreshToken would prevent token leakage when a refresh occurs before a subsequent failing query.

            if isinstance(safe_response, list):
                for item in safe_response:
                    if isinstance(item, dict) and "Authenticate" in item:
                        auth_dict = item["Authenticate"]
                        if isinstance(auth_dict, dict):
                            if "session_token" in auth_dict:
                                auth_dict["session_token"] = "***"
                            if "refresh_token" in auth_dict:
                                auth_dict["refresh_token"] = "***"

aperturedb/CommonLibrary.py:333

• This redaction logic only handles Authenticate objects; queries/responses involving RefreshToken can also contain refresh_token/session_token fields (Connector._refresh_token expects them). As a result, execute_query can still log sensitive tokens when a refresh-token transaction fails. Consider scrubbing the same fields under RefreshToken as well (and ideally using a small shared scrubber to avoid missing future auth-related commands).

        for obj in (safe_query, safe_r):
            if isinstance(obj, list):
                for item in obj:
                    if isinstance(item, dict) and "Authenticate" in item:
                        auth_dict = item["Authenticate"]
                        if isinstance(auth_dict, dict):
                            if "password" in auth_dict:
                                auth_dict["password"] = "***"
                            if "token" in auth_dict:
                                auth_dict["token"] = "***"
                            if "session_token" in auth_dict:
                                auth_dict["session_token"] = "***"
                            if "refresh_token" in auth_dict:
                                auth_dict["refresh_token"] = "***"

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.