Merge pull request #175 from Yusufolosun/fix/stellar-log-address-redaction

fix: redact Stellar wallet addresses in logs

Author: greatest0fallt1me

src/__test__/logRedact.test.ts

@@ -0,0 +1,87 @@
+import { afterEach, describe, expect, it } from "vitest";
+import {
+  isLogRedactionDebugEnabled,
+  redactLogArgs,
+  redactLogString,
+  redactLogValue,
+} from "../utils/logRedact.js";
+
+const STELLAR_ADDRESS = "GCKFBEIYV2U22IO2BJ4KVJOIP7XPWQGZBW3JXDC55CYIXB5NAXMCEKJA";
+const STELLAR_ADDRESS_2 = "GAAZI4TCR3TY5OJHCTJC2A4QSY6CJWJH5IAJTGKIN2ER7LBNVKOCCWNB";
+
+const originalDebugFlag = process.env.LOG_REDACTION_DEBUG;
+
+afterEach(() => {
+  if (originalDebugFlag === undefined) {
+    delete process.env.LOG_REDACTION_DEBUG;
+  } else {
+    process.env.LOG_REDACTION_DEBUG = originalDebugFlag;
+  }
+});
+
+describe("logRedact", () => {
+  it("redacts Stellar addresses inside strings", () => {
+    const input = `wallet=${STELLAR_ADDRESS}`;
+    const output = redactLogString(input, false);
+
+    expect(output).toBe("wallet=GCKFBE...EKJA");
+    expect(output).not.toContain(STELLAR_ADDRESS);
+  });
+
+  it("redacts multiple Stellar addresses in one log message", () => {
+    const input = `${STELLAR_ADDRESS} -> ${STELLAR_ADDRESS_2}`;
+    const output = redactLogString(input, false);
+
+    expect(output).toBe("GCKFBE...EKJA -> GAAZI4...CWNB");
+  });
+
+  it("redacts nested objects and arrays", () => {
+    const payload = {
+      walletAddress: STELLAR_ADDRESS,
+      nested: {
+        message: `from ${STELLAR_ADDRESS_2}`,
+      },
+      list: [STELLAR_ADDRESS],
+    };
+
+    const output = redactLogValue(payload, false);
+
+    expect(output.walletAddress).toBe("GCKFBE...EKJA");
+    expect(output.nested.message).toBe("from GAAZI4...CWNB");
+    expect(output.list[0]).toBe("GCKFBE...EKJA");
+  });
+
+  it("redacts Error message and stack", () => {
+    const error = new Error(`failed for ${STELLAR_ADDRESS}`);
+    error.stack = `Error: failed for ${STELLAR_ADDRESS}`;
+
+    const output = redactLogValue(error, false);
+
+    expect(output.message).toContain("GCKFBE...EKJA");
+    expect(output.message).not.toContain(STELLAR_ADDRESS);
+    expect(output.stack).toContain("GCKFBE...EKJA");
+    expect(output.stack).not.toContain(STELLAR_ADDRESS);
+  });
+
+  it("returns original log args when debug mode is enabled", () => {
+    const args = [
+      `wallet=${STELLAR_ADDRESS}`,
+      { walletAddress: STELLAR_ADDRESS_2 },
+    ];
+
+    const output = redactLogArgs(args, true);
+
+    expect(output).toBe(args);
+  });
+
+  it("reads debug mode from LOG_REDACTION_DEBUG", () => {
+    process.env.LOG_REDACTION_DEBUG = "true";
+    expect(isLogRedactionDebugEnabled()).toBe(true);
+
+    process.env.LOG_REDACTION_DEBUG = "1";
+    expect(isLogRedactionDebugEnabled()).toBe(true);
+
+    process.env.LOG_REDACTION_DEBUG = "false";
+    expect(isLogRedactionDebugEnabled()).toBe(false);
+  });
+});

src/routes/webhook.ts

@@ -1,5 +1,6 @@
 import { Router, type Request, type Response } from 'express';
 import { getWebhookConfig, testWebhookConnectivity } from '../services/drawWebhookService.js';
+import { redactLogArgs } from '../utils/logRedact.js';
 
 export const webhookRouter = Router();
 
@@ -46,7 +47,7 @@ webhookRouter.post('/test', async (_req: Request, res: Response) => {
 
         res.status(200).json(summary);
     } catch (error) {
-        console.error('[WebhookRoutes] Connectivity test failed:', error);
+        console.error(...redactLogArgs(['[WebhookRoutes] Connectivity test failed:', error]));
         res.status(500).json({
             error: 'Internal server error',
             message: 'Failed to test webhook connectivity'

src/services/horizonListener.ts

@@ -1,3 +1,6 @@
+import { createHash } from "node:crypto";
+import { redactLogArgs } from "../utils/logRedact.js";
+
 // ---------------------------------------------------------------------------
 // Types
 // ---------------------------------------------------------------------------
@@ -105,6 +108,18 @@ const retryState = {
     nextRetryTime: 0,
 };
 
+function logInfo(...args: unknown[]): void {
+    console.log(...redactLogArgs(args));
+}
+
+function logWarn(...args: unknown[]): void {
+    console.warn(...redactLogArgs(args));
+}
+
+function logError(...args: unknown[]): void {
+    console.error(...redactLogArgs(args));
+}
+
 // ---------------------------------------------------------------------------
 // Configuration helpers
 // ---------------------------------------------------------------------------
@@ -253,7 +268,8 @@ function calculateBackoffDelay(attempt: number, config: HorizonListenerConfig):
 }
 
 function generateEventId(event: HorizonEvent): string {
-    return `${event.ledger}-${event.contractId}-${event.topics.join('-')}-${event.data.slice(0, 50)}`;
+    const dataHash = createHash("sha256").update(event.data).digest("hex").slice(0, 16);
+    return `${event.ledger}-${event.contractId}-${event.topics.join('-')}-${dataHash}`;
 }
 
 function isEventProcessed(eventId: string): boolean {
@@ -274,7 +290,7 @@ function markEventProcessed(eventId: string): void {
 function logMetrics(config: HorizonListenerConfig): void {
     if (!config.enableMetrics) return;
 
-    console.log("[HorizonListener] Metrics:", {
+    logInfo("[HorizonListener] Metrics:", {
         ...metrics,
         processedEventIdsCount: processedEventIds.size,
         currentLedgerCursor,
@@ -290,7 +306,7 @@ async function dispatchEvent(event: HorizonEvent): Promise<void> {
     if (isEventProcessed(eventId)) {
         metrics.eventsDuplicated++;
         if (activeConfig?.enableMetrics) {
-            console.log("[HorizonListener] Skipping duplicate event:", eventId);
+            logInfo("[HorizonListener] Skipping duplicate event:", eventId);
         }
         return;
     }
@@ -302,7 +318,7 @@ async function dispatchEvent(event: HorizonEvent): Promise<void> {
         try {
             await handler(event);
         } catch (err) {
-            console.error(
+            logError(
                 "[HorizonListener] Event handler threw an error:",
                 err,
             );
@@ -420,7 +436,7 @@ async function handleCursorGap(config: HorizonListenerConfig, gapStart: string):
     const maxGap = config.maxCursorGap || 100;
     const startLedger = parseInt(gapStart);
 
-    console.log(`[HorizonListener] Cursor gap detected at ledger ${gapStart}, attempting recovery`);
+    logInfo(`[HorizonListener] Cursor gap detected at ledger ${gapStart}, attempting recovery`);
 
     // Try to fill the gap by querying individual ledgers
     for (let ledger = startLedger; ledger < startLedger + maxGap && ledger <= (currentLedgerCursor || startLedger) + maxGap; ledger++) {
@@ -429,13 +445,13 @@ async function handleCursorGap(config: HorizonListenerConfig, gapStart: string):
             await new Promise(resolve => setTimeout(resolve, 10)); // Simulate network delay
 
             if (Math.random() < 0.1) { // 10% chance of finding events in gap
-                console.log(`[HorizonListener] Recovered events at ledger ${ledger}`);
+                logInfo(`[HorizonListener] Recovered events at ledger ${ledger}`);
                 metrics.cursorGapsRecovered++;
                 break;
             }
         } catch (error) {
             // If we can't recover from gap, skip ahead
-            console.warn(`[HorizonListener] Failed to recover ledger ${ledger}, skipping`);
+            logWarn(`[HorizonListener] Failed to recover ledger ${ledger}, skipping`);
             break;
         }
     }
@@ -449,7 +465,7 @@ export async function pollOnce(config: HorizonListenerConfig): Promise<void> {
         // Check if we're in a backoff period
         if (retryState.nextRetryTime > Date.now()) {
             if (config.enableMetrics) {
-                console.log(`[HorizonListener] In backoff period, next retry at ${new Date(retryState.nextRetryTime).toISOString()}`);
+                logInfo(`[HorizonListener] In backoff period, next retry at ${new Date(retryState.nextRetryTime).toISOString()}`);
             }
             return;
         }
@@ -464,7 +480,7 @@ export async function pollOnce(config: HorizonListenerConfig): Promise<void> {
         const cursor = currentLedgerCursor ? `${currentLedgerCursor}` : config.startLedger;
 
         if (config.enableMetrics) {
-            console.log(
+            logInfo(
                 `[HorizonListener] Polling ${config.horizonUrl} ` +
                 `(contracts: ${config.contractIds.length > 0 ? config.contractIds.join(", ") : "none"}, ` +
                 `cursor: ${cursor})`,
@@ -490,7 +506,7 @@ export async function pollOnce(config: HorizonListenerConfig): Promise<void> {
             const rateLimitDelay = config.rateLimitDelayMs || 60000;
             retryState.nextRetryTime = Date.now() + rateLimitDelay;
 
-            console.warn(`[HorizonListener] Rate limit hit, waiting ${rateLimitDelay}ms`);
+            logWarn(`[HorizonListener] Rate limit hit, waiting ${rateLimitDelay}ms`);
             return;
         }
 
@@ -510,17 +526,17 @@ export async function pollOnce(config: HorizonListenerConfig): Promise<void> {
 
                 metrics.retryAttempts++;
 
-                console.warn(`[HorizonListener] Transient error (attempt ${retryState.attempts}/${maxRetries}), retrying in ${delay}ms:`, classifiedError.message);
+                logWarn(`[HorizonListener] Transient error (attempt ${retryState.attempts}/${maxRetries}), retrying in ${delay}ms:`, classifiedError.message);
                 return;
             } else {
-                console.error(`[HorizonListener] Max retries exceeded for transient error:`, classifiedError);
+                logError(`[HorizonListener] Max retries exceeded for transient error:`, classifiedError);
                 retryState.attempts = 0; // Reset for next time
                 return;
             }
         }
 
         // Non-transient error - log and continue
-        console.error("[HorizonListener] Non-transient error occurred:", classifiedError);
+        logError("[HorizonListener] Non-transient error occurred:", classifiedError);
     }
 }
 
@@ -538,15 +554,15 @@ export function getConfig(): HorizonListenerConfig | null {
 
 export async function start(): Promise<void> {
     if (running) {
-        console.warn("[HorizonListener] Already running — ignoring start() call.");
+        logWarn("[HorizonListener] Already running — ignoring start() call.");
         return;
     }
 
     const config = resolveConfig();
     activeConfig = config;
     running = true;
 
-    console.log("[HorizonListener] Starting with config:", {
+    logInfo("[HorizonListener] Starting with config:", {
         horizonUrl: config.horizonUrl,
         contractIds: config.contractIds,
         pollIntervalMs: config.pollIntervalMs,
@@ -559,14 +575,14 @@ export async function start(): Promise<void> {
         void pollOnce(config);
     }, config.pollIntervalMs);
 
-    console.log(
+    logInfo(
         `[HorizonListener] Started. Polling every ${config.pollIntervalMs}ms.`,
     );
 }
 
 export function stop(): void {
     if (!running) {
-        console.warn("[HorizonListener] Not running — ignoring stop() call.");
+        logWarn("[HorizonListener] Not running — ignoring stop() call.");
         return;
     }
 
@@ -578,5 +594,5 @@ export function stop(): void {
     running = false;
     activeConfig = null;
 
-    console.log("[HorizonListener] Stopped.");
-}
+    logInfo("[HorizonListener] Stopped.");
+}

src/utils/logRedact.ts

@@ -0,0 +1,104 @@
+const STELLAR_ADDRESS_REGEX = /\bG[A-Z2-7]{55}\b/g;
+
+function truncateAddress(address: string): string {
+  return `${address.slice(0, 6)}...${address.slice(-4)}`;
+}
+
+function isPlainObject(value: unknown): value is Record<string, unknown> {
+  if (Object.prototype.toString.call(value) !== '[object Object]') {
+    return false;
+  }
+
+  const prototype = Object.getPrototypeOf(value);
+  return prototype === Object.prototype || prototype === null;
+}
+
+export function isLogRedactionDebugEnabled(
+  env: NodeJS.ProcessEnv = process.env,
+): boolean {
+  const flag = env['LOG_REDACTION_DEBUG'];
+  if (!flag) {
+    return false;
+  }
+
+  const normalized = flag.trim().toLowerCase();
+  return normalized === 'true' || normalized === '1';
+}
+
+export function redactLogString(
+  value: string,
+  debugEnabled = isLogRedactionDebugEnabled(),
+): string {
+  if (debugEnabled) {
+    return value;
+  }
+
+  return value.replace(STELLAR_ADDRESS_REGEX, truncateAddress);
+}
+
+function redactValueInternal(
+  value: unknown,
+  seen: WeakSet<object>,
+): unknown {
+  if (typeof value === 'string') {
+    return redactLogString(value, false);
+  }
+
+  if (value instanceof Error) {
+    const redactedError = new Error(redactLogString(value.message, false));
+    redactedError.name = value.name;
+    if (value.stack) {
+      redactedError.stack = redactLogString(value.stack, false);
+    }
+
+    const extra = value as unknown as Record<string, unknown>;
+    for (const [key, nested] of Object.entries(extra)) {
+      (redactedError as unknown as Record<string, unknown>)[key] =
+        redactValueInternal(nested, seen);
+    }
+
+    return redactedError;
+  }
+
+  if (Array.isArray(value)) {
+    return value.map((entry) => redactValueInternal(entry, seen));
+  }
+
+  if (isPlainObject(value)) {
+    if (seen.has(value)) {
+      return value;
+    }
+
+    seen.add(value);
+    const redacted: Record<string, unknown> = {};
+    for (const [key, nested] of Object.entries(value)) {
+      redacted[key] = redactValueInternal(nested, seen);
+    }
+
+    return redacted;
+  }
+
+  return value;
+}
+
+export function redactLogValue<T>(
+  value: T,
+  debugEnabled = isLogRedactionDebugEnabled(),
+): T {
+  if (debugEnabled) {
+    return value;
+  }
+
+  return redactValueInternal(value, new WeakSet<object>()) as T;
+}
+
+export function redactLogArgs(
+  args: unknown[],
+  debugEnabled = isLogRedactionDebugEnabled(),
+): unknown[] {
+  if (debugEnabled) {
+    return args;
+  }
+
+  return args.map((arg) => redactLogValue(arg, false));
+}