fix(audit): redact NotificationChannel secret config fields in audit log #200
Merged
TerrifiedBug merged 2 commits into main on Apr 28, 2026
The audit middleware sanitizer (src/server/middleware/audit.ts) only redacted exact-key matches for password/token/secret/etc. Channel-config secret fields slipped through unredacted, causing AuditLog.metadata to store plaintext webhook signing secrets, SMTP passwords, PagerDuty routing keys, and webhook URLs (which often embed auth tokens) on every notificationChannel.created / .updated / .deleted action. This undermined the encrypt-at-rest fix landed in PR #198, which closed plaintext storage in the channel.config column itself but left the audit-log side channel open.

Changes:
- Add hmacSecret, smtpPass, integrationKey, webhookUrl to SENSITIVE_KEYS.
- Extract SENSITIVE_KEYS / sanitizeInput / computeDiff into a separate audit-sanitize module so they can be unit-tested without pulling in the full Prisma + NextAuth runtime via the middleware barrel.
- Add unit tests covering top-level redaction, nested config redaction, arrays of channels, primitive passthrough, null/undefined, and presence of the new keys in the set.
53d5be0 to 4c5a770
PR #199 wired the page route and the settings-overview card but left settings-sidebar-nav.tsx untouched, so the page was unreachable from the sidebar. Add it to the Organization group alongside Service Accounts and AI (other team-level integrations) with the Webhook icon. Non-super-admin so team editors can manage event subscriptions, demo-hidden to match other integration entries.
4c5a770 to 71b025a
Summary
Two related post-#198/#199 fixes:
1. Audit log redaction (primary) — audit-log side channel that survived the encrypt-at-rest fix in #198. The middleware sanitizer (`src/server/middleware/audit.ts`) only redacted exact-key matches (`password`, `token`, `secret`, …). Channel-config secret sub-fields (`hmacSecret`, `smtpPass`, `integrationKey`, `webhookUrl`) slipped through, so `AuditLog.metadata` stored plaintext webhook signing secrets, SMTP passwords, PagerDuty routing keys, and webhook URLs (which often embed auth tokens) for every `notificationChannel.created` / `.updated` / `.deleted` action.
2. Settings sidebar entry — #199 relocated Outbound Webhooks back to `/settings/webhooks` and added an overview card, but never wired it into `settings-sidebar-nav.tsx`. The page was reachable via the overview card but missing from the sidebar.
Changes
Test plan
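The gap described in this PR, as an added example that is not the project's audit-sanitize code: an exact-key sanitizer run with the old and the extended key set, plus a regression check that lists watched fields still holding a value. The key names come from the PR description; the function bodies, the `REDACTED` marker, `unredactedPaths` and the sample metadata are assumptions constructed for illustration.

```typescript
// Added illustration, not the project's audit-sanitize module. Key names come from
// the PR description; bodies, REDACTED and the sample data are assumptions.
const REDACTED = "[REDACTED]";
const OLD_KEYS = ["password", "token", "secret"]; // the PR's own list ends in "…"
const NEW_KEYS = ["hmacSecret", "smtpPass", "integrationKey", "webhookUrl"];
const BEFORE = new Set<string>(OLD_KEYS);
const AFTER = new Set<string>(OLD_KEYS.concat(NEW_KEYS));

// Exact-key redaction applied at every depth, including objects inside arrays.
function sanitizeInput(value: unknown, keys: Set<string>): unknown {
  if (Array.isArray(value)) return value.map((v: unknown) => sanitizeInput(v, keys));
  if (value === null || typeof value !== "object") return value; // primitives pass through
  const src = value as Record<string, unknown>;
  const out: Record<string, unknown> = {};
  for (const key of Object.keys(src)) {
    out[key] = keys.has(key) ? REDACTED : sanitizeInput(src[key], keys);
  }
  return out;
}

// Regression check: paths of watched fields that still hold a non-redacted value.
function unredactedPaths(value: unknown, watch: Set<string>, path = ""): string[] {
  const found: string[] = [];
  if (Array.isArray(value)) {
    value.forEach((v: unknown, i: number) => found.push(...unredactedPaths(v, watch, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    const src = value as Record<string, unknown>;
    for (const key of Object.keys(src)) {
      const here = path ? `${path}.${key}` : key;
      if (watch.has(key)) { if (src[key] !== REDACTED) found.push(here); }
      else found.push(...unredactedPaths(src[key], watch, here));
    }
  }
  return found;
}

// Constructed audit metadata for a notificationChannel.updated action.
const sample = {
  name: "ops-pager",
  password: "constructed-pw",
  config: { integrationKey: "constructed-routing-key", smtpPass: "constructed-smtp", smtpHost: "mail.example.test" },
  channels: [{ config: { hmacSecret: "constructed-hmac", webhookUrl: "https://hooks.example.test/constructed-token" } }],
};

const leakedBefore = unredactedPaths(sanitizeInput(sample, BEFORE), AFTER);
const leakedAfter = unredactedPaths(sanitizeInput(sample, AFTER), AFTER);
console.log({ leakedBefore, leakedAfter });
```

Running `unredactedPaths` over existing `AuditLog.metadata` rows with the extended key set is one way to find entries written before the fix that still carry plaintext values.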