From 0f0f666ea64cfb5ade1e60a6f3b7ab2625476ed3 Mon Sep 17 00:00:00 2001
From: Samuel Elliott <samuel@fancy.org.uk>
Date: Fri, 25 Jul 2025 19:05:36 +0100
Subject: [PATCH] Hide refresh_token/client_secret/naIdToken fields in logs,
 ignore Cloudflare HTML errors

---
 src/api/util.ts   | 9 +++++++++
 src/util/debug.ts | 6 +++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/api/util.ts b/src/api/util.ts
index 077d13d..4d516bb 100644
--- a/src/api/util.ts
+++ b/src/api/util.ts
@@ -27,6 +27,15 @@ export class ErrorResponse<T = unknown> extends Error {
 
         Object.defineProperty(this, ErrorResponseSymbol, {enumerable: false, value: ErrorResponseSymbol});
 
+        if (response.status === 502 &&
+            response.headers.get('Server') === 'cloudflare' &&
+            response.headers.get('Content-Type')?.match(/^text\/html(;|$)/)
+        ) {
+            // Cloudflare returns it's own HTML error page for HTTP 502 errors
+            // Logging this isn't helpful so just discard it
+            body = 'Bad Gateway\n';
+        }
+
         if (body instanceof ArrayBuffer) {
             body = (new TextDecoder()).decode(body);
         }
diff --git a/src/util/debug.ts b/src/util/debug.ts
index 329b29e..d426ac7 100644
--- a/src/util/debug.ts
+++ b/src/util/debug.ts
@@ -70,10 +70,10 @@ function applyFormatters(args: [formatter: string, ...args: unknown[]], self = d
 
 const censor_fields = [
     'token',
-    // NA OIDC
-    'access_token', 'id_token',
+    // OAuth/OIDC
+    'access_token', 'id_token', 'refresh_token', 'client_secret',
     // Coral
-    'accessToken', 'supportId',
+    'accessToken', 'supportId', 'naIdToken',
     // Moon
     'serialNumber', 'notificationToken',
 ];