Apply body key obfuscation to form-style request bodies

Added `id_token` to obfuscate.body_keys default

Author: onlime

CHANGELOG.md

@@ -1,6 +1,11 @@
 # CHANGELOG
 
-## [v1.2.x (Unreleased)](https://github.com/onlime/laravel-http-client-global-logger/compare/v1.2.1...main)
+## [v1.2.x (Unreleased)](https://github.com/onlime/laravel-http-client-global-logger/compare/v1.2.2...main)
+
+## [v1.2.2 (2025-06-16)](https://github.com/onlime/laravel-http-client-global-logger/compare/v1.2.1...v1.2.2)
+
+- [Security] Body key obfuscation (`obfuscate.body_keys` config) is now also applied to form-style request bodies, not only JSON bodies. This prevents accidental logging of e.g. OpenID Connect (OAuth 2.0) tokens on `POST /token` endpoint, which may contain the `refresh_token` and `client_secret`.
+- [Security] Added `id_token` as additional body key for obfuscation to the `HTTP_CLIENT_GLOBAL_LOGGER_OBFUSCATE_BODY_KEYS` default.
 
 ## [v1.2.1 (2025-02-26)](https://github.com/onlime/laravel-http-client-global-logger/compare/v1.2.0...v1.2.1)
 

config/http-client-global-logger.php

@@ -104,7 +104,7 @@
         )),
         'body_keys' => explode(',', env(
             'HTTP_CLIENT_GLOBAL_LOGGER_OBFUSCATE_BODY_KEYS',
-            'pass,password,token,apikey,access_token,refresh_token,client_secret'
+            'pass,password,token,apikey,access_token,refresh_token,id_token,client_secret'
         )),
     ],
 

src/Listeners/LogRequestSending.php

@@ -46,10 +46,19 @@ public function handleEvent(RequestSending|SendingSaloonRequest $event): void
         $message = $formatter->format($psrRequest);
 
         if ($obfuscate) {
+            $replacement = config('http-client-global-logger.obfuscate.replacement');
             foreach (config('http-client-global-logger.obfuscate.body_keys') as $key) {
+                $quoted = preg_quote($key, '/');
+                // JSON-style: "key":"value"
                 $message = preg_replace(
-                    '/(?<="'.$key.'":").*(?=")/mU',
-                    config('http-client-global-logger.obfuscate.replacement'),
+                    '/(?<="'.$quoted.'":")[^"]*(?=")/mU',
+                    $replacement,
+                    $message
+                );
+                // form-style: key=value (until & or end)
+                $message = preg_replace(
+                    '/(?<=\b'. $quoted .'=)[^&]*(?=&|$)/',
+                    $replacement,
                     $message
                 );
             }

tests/HttpClientLoggerTest.php

@@ -153,3 +153,38 @@ function setupLogger(): MockInterface
     ])->withHeader($withHeader ? 'X-Global-Logger-Trim-Always' : 'X-Dummy', 'true')
         ->get('https://example.com');
 })->with([true, false]);
+
+it('obfuscates header and body keys', function (string $body, string $expected) {
+    $logger = setupLogger();
+
+    $logger->shouldReceive('info')->withArgs(function ($message) use ($expected) {
+        expect($message)->toContain('REQUEST: GET https://example.com')
+            ->and($message)->toContain('Authorization: **********')
+            ->and($message)->toContain($expected);
+        return true;
+    })->once();
+
+    $logger->shouldReceive('info')->withArgs(function ($message) {
+        expect($message)->toContain('RESPONSE: HTTP/1.1 200 OK');
+        return true;
+    })->once();
+
+    Http::fake([
+        '*' => Http::response('', 200, [
+            'Content-Type' => 'application/json',
+        ]),
+    ])->withHeader('Authorization', 'Bearer 123')
+        ->withBody($body)
+        ->get('https://example.com');
+})->with([
+    'json-style' => [
+        '{"key":"value","apikey":"s3cr3tK3y","token":"s0meT0k3n"}',
+        '{"key":"value","apikey":"**********","token":"**********"}',
+    ],
+    // OpenID Connect example for POST /token endpoint
+    // see https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
+    'openid-connect' => [
+        'grant_type=refresh_token&refresh_token=r3fr3shT0k3n&client_id=1234&client_secret=53cr3t',
+        'grant_type=refresh_token&refresh_token=**********&client_id=1234&client_secret=**********',
+    ],
+]);