refactor(sdk): extract header sanitization to shared utility

jdalton · jdalton · commit d769c000628b · 2025-11-19T06:34:46.000-08:00
Eliminates 100% duplication of SENSITIVE_HEADERS and sanitizeHeaders() function.

- Created src/utils/header-sanitization.ts as single source of truth
- Updated http-client.ts to import shared utility (removed 39 lines)
- Updated file-upload.ts to import shared utility (removed 39 lines)

Benefits:
- Single location for security-sensitive header redaction logic
- Easier to maintain and audit security patterns
- Reduces risk of divergence between implementations
- Smaller bundle size
diff --git a/src/file-upload.ts b/src/file-upload.ts
@@ -16,45 +16,7 @@ import type { RequestOptions as HttpsRequestOptions } from 'node:https'
 /**
  * Array of sensitive header names that should be redacted in logs
  */
-const SENSITIVE_HEADERS = [
-  'authorization',
-  'cookie',
-  'set-cookie',
-  'proxy-authorization',
-  'www-authenticate',
-  'proxy-authenticate',
-]
-
-/**
- * Sanitize headers for logging by redacting sensitive values.
- */
-function sanitizeHeaders(
-  headers: Record<string, unknown> | readonly string[] | undefined,
-): Record<string, string> | undefined {
-  if (!headers) {
-    return undefined
-  }
-
-  // Handle readonly string[] case - this shouldn't normally happen for headers
-  if (Array.isArray(headers)) {
-    return { headers: headers.join(', ') }
-  }
-
-  const sanitized: Record<string, string> = {}
-
-  // Plain object iteration works for both HeadersRecord and IncomingHttpHeaders
-  for (const [key, value] of Object.entries(headers)) {
-    const keyLower = key.toLowerCase()
-    if (SENSITIVE_HEADERS.includes(keyLower)) {
-      sanitized[key] = '[REDACTED]'
-    } else {
-      // Handle both string and string[] values
-      sanitized[key] = Array.isArray(value) ? value.join(', ') : String(value)
-    }
-  }
-
-  return sanitized
-}
+import { sanitizeHeaders } from './utils/header-sanitization'
 
 /**
  * Create multipart form-data body parts for file uploads.
diff --git a/src/http-client.ts b/src/http-client.ts
@@ -24,45 +24,7 @@ import type { ClientRequest, IncomingMessage } from 'node:http'
 /**
  * Array of sensitive header names that should be redacted in logs
  */
-const SENSITIVE_HEADERS = [
-  'authorization',
-  'cookie',
-  'set-cookie',
-  'proxy-authorization',
-  'www-authenticate',
-  'proxy-authenticate',
-]
-
-/**
- * Sanitize headers for logging by redacting sensitive values.
- */
-function sanitizeHeaders(
-  headers: Record<string, unknown> | readonly string[] | undefined,
-): Record<string, string> | undefined {
-  if (!headers) {
-    return undefined
-  }
-
-  // Handle readonly string[] case - this shouldn't normally happen for headers
-  if (Array.isArray(headers)) {
-    return { headers: headers.join(', ') }
-  }
-
-  const sanitized: Record<string, string> = {}
-
-  // Plain object iteration works for both HeadersRecord and IncomingHttpHeaders
-  for (const [key, value] of Object.entries(headers)) {
-    const keyLower = key.toLowerCase()
-    if (SENSITIVE_HEADERS.includes(keyLower)) {
-      sanitized[key] = '[REDACTED]'
-    } else {
-      // Handle both string and string[] values
-      sanitized[key] = Array.isArray(value) ? value.join(', ') : String(value)
-    }
-  }
-
-  return sanitized
-}
+import { sanitizeHeaders } from './utils/header-sanitization'
 
 /**
  * HTTP response error for Socket API requests.
diff --git a/src/utils/header-sanitization.ts b/src/utils/header-sanitization.ts
@@ -0,0 +1,45 @@
+/**
+ * List of sensitive HTTP headers that should be redacted in logs.
+ */
+export const SENSITIVE_HEADERS: readonly string[] = [
+  'authorization',
+  'cookie',
+  'set-cookie',
+  'proxy-authorization',
+  'www-authenticate',
+  'proxy-authenticate',
+]
+
+/**
+ * Sanitize headers for logging by redacting sensitive values.
+ *
+ * @param headers - Headers to sanitize (object or array)
+ * @returns Sanitized headers with sensitive values redacted
+ */
+export function sanitizeHeaders(
+  headers: Record<string, unknown> | readonly string[] | undefined,
+): Record<string, string> | undefined {
+  if (!headers) {
+    return undefined
+  }
+
+  // Handle readonly string[] case - this shouldn't normally happen for headers.
+  if (Array.isArray(headers)) {
+    return { headers: headers.join(', ') }
+  }
+
+  const sanitized: Record<string, string> = {}
+
+  // Plain object iteration works for both HeadersRecord and IncomingHttpHeaders.
+  for (const [key, value] of Object.entries(headers)) {
+    const keyLower = key.toLowerCase()
+    if (SENSITIVE_HEADERS.includes(keyLower)) {
+      sanitized[key] = '[REDACTED]'
+    } else {
+      // Handle both string and string[] values.
+      sanitized[key] = Array.isArray(value) ? value.join(', ') : String(value)
+    }
+  }
+
+  return sanitized
+}
