auth-sanitizer 0.1.5 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c91251e1007c195c50ee201a4c41cd42b618ca427a6be9cbbbf6fbb9e27c9954
-  data.tar.gz: 07dc8e308d6177992350f763615c9abecb77fc4e807d6b34d332e1a1880b17de
+  metadata.gz: 633789bb7c954fcea43d081527da59affeb9e4859773ccb94ba98b6a5dc767c5
+  data.tar.gz: dd4f09c0461cee4cc31ee4900771e34c5349f2a7cb43028c582753cd055d5c7d
 SHA512:
-  metadata.gz: 22a80ac4d3a37a9570bb2cc875c5f725b989a6b6e93be87d03c9e0145e598deadf8da4c90114f2a5ad4b28ab253f491d31679c7b459015571069f52aac651750
-  data.tar.gz: 8a03ebabaebda0de8ea0144e613fe5198d6f03d8b1612e431a272fab6bed71f846f75794932714d0abd7a34c70925ea08b6e582c48a01d61132e4bddcd019e7d
+  metadata.gz: bde13e5621861e7361f273917922ece5353a87178addca4b835b00d879c30aea7dd3fe1b8e16db3bd88dde05a1164d52c19bde07ca7785d7de45bed7e0660bba
+  data.tar.gz: 463eecc6672abdaadc05b0d8c0b22e8ab0a05793265fdfe76ac3ccd4d49bf26b1b4bd9b7011ac23cfeee69c1d8e2eeb55f8f82546cc0e7a7eb651b95d870eb52

data/CHANGELOG.md

@@ -30,6 +30,38 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Security
 
+## [0.2.1] - 2026-06-06
+
+- TAG: [v0.2.1][0.2.1t]
+- COVERAGE: 100.00% -- 145/145 lines in 6 files
+- BRANCH COVERAGE: 100.00% -- 28/28 branches in 6 files
+- 84.62% documented
+
+### Fixed
+
+- Removed the duplicate RBS declaration for `Auth::Sanitizer::VERSION`, fixing
+  `RBS::DuplicatedDeclarationError` in downstream projects.
+- Fixed the README support table to list Ruby 2.3 as supported but untested,
+  matching the current runtime support and CI policy.
+
+## [0.2.0] - 2026-06-04
+
+- TAG: [v0.2.0][0.2.0t]
+- COVERAGE: 100.00% -- 145/145 lines in 6 files
+- BRANCH COVERAGE: 100.00% -- 28/28 branches in 6 files
+- 84.62% documented
+
+### Changed
+
+- Changed `FilteredAttributes#inspect` to redact narrow patterns from
+  `super.inspect` instead of rebuilding object inspect output, preserving host
+  inspect behavior.
+
+### Fixed
+
+- Redacted configured attributes inside standard Ruby hash inspect fragments,
+  including nested attribute hashes.
+
 ## [0.1.5] - 2026-06-03
 
 - TAG: [v0.1.5][0.1.5t]
@@ -119,7 +151,11 @@ Please file a bug if you notice a violation of semantic versioning.
 
 - Initial release
 
-[Unreleased]: https://github.com/ruby-oauth/auth-sanitizer/compare/v0.1.5...HEAD
+[Unreleased]: https://github.com/ruby-oauth/auth-sanitizer/compare/v0.2.1...HEAD
+[0.2.1]: https://github.com/ruby-oauth/auth-sanitizer/compare/v0.2.0...v0.2.1
+[0.2.1t]: https://github.com/ruby-oauth/auth-sanitizer/releases/tag/v0.2.1
+[0.2.0]: https://github.com/ruby-oauth/auth-sanitizer/compare/v0.1.5...v0.2.0
+[0.2.0t]: https://github.com/ruby-oauth/auth-sanitizer/releases/tag/v0.2.0
 [0.1.5]: https://github.com/ruby-oauth/auth-sanitizer/compare/v0.1.4...v0.1.5
 [0.1.5t]: https://github.com/ruby-oauth/auth-sanitizer/releases/tag/v0.1.5
 [0.1.4]: https://github.com//ruby-oauth/auth-sanitizer/compare/v0.1.3...v0.1.4

data/LICENSE.md

@@ -7,4 +7,4 @@ Choose the option that best fits your use case:
 
 ## Copyright Notice
 
-Copyright (c) 2026 Peter H. Boling
+- Copyright (c) 2026 Peter H. Boling

data/README.md

@@ -27,7 +27,7 @@ inspection and log output.
 The gem is intentionally narrow in scope. It does not change HTTP requests, token objects, persistence, or application
 configuration for you. Instead, it gives host gems and applications two reusable redaction surfaces:
 
-- `Auth::Sanitizer::FilteredAttributes` redacts selected instance variables from `#inspect`.
+- `Auth::Sanitizer::FilteredAttributes` redacts selected attributes from standard Ruby `#inspect` output.
 - `Auth::Sanitizer::SanitizedLogger` wraps an existing logger and redacts sensitive values from string log messages.
 
 Out of the box, logger sanitization filters the key names most commonly found in OAuth and OpenID Connect debug output:
@@ -69,6 +69,7 @@ This gem is used by the following libraries to ensure clean output:
 - oauth-tty
 - oauth2
 - omniauth-ldap
+- omniauth-identity
 
 ## 💡 Info you can shake a stick at
 
@@ -78,7 +79,7 @@ This gem is used by the following libraries to ensure clean output:
 | Works with Truffle Ruby | [![Truffle Ruby 22.3 Compat][💎truby-22.3i]][🚎truby-22.3-wf] [![Truffle Ruby 23.0 Compat][💎truby-23.0i]][🚎truby-23.0-wf] [![Truffle Ruby 23.1 Compat][💎truby-23.1i]][🚎truby-23.1-wf] <br/> [![Truffle Ruby 24.2 Compat][💎truby-24.2i]][🚎truby-24.2-wf] [![Truffle Ruby 25.0 Compat][💎truby-25.0i]][🚎truby-25.0-wf] [![Truffle Ruby current Compat][💎truby-c-i]][🚎9-t-wf]|
 | Works with MRI Ruby 4 | [![Ruby 4.0 Compat][💎ruby-4.0i]][🚎11-c-wf] [![Ruby current Compat][💎ruby-c-i]][🚎11-c-wf] [![Ruby HEAD Compat][💎ruby-headi]][🚎3-hd-wf]|
 | Works with MRI Ruby 3 | [![Ruby 3.0 Compat][💎ruby-3.0i]][🚎ruby-3.0-wf] [![Ruby 3.1 Compat][💎ruby-3.1i]][🚎ruby-3.1-wf] [![Ruby 3.2 Compat][💎ruby-3.2i]][🚎ruby-3.2-wf] [![Ruby 3.3 Compat][💎ruby-3.3i]][🚎ruby-3.3-wf] [![Ruby 3.4 Compat][💎ruby-3.4i]][🚎ruby-3.4-wf]|
-| Works with MRI Ruby 2 | ![Ruby 2.2 Compat][💎ruby-2.2i] <br/> [![Ruby 2.4 Compat][💎ruby-2.4i]][🚎ruby-2.4-wf] [![Ruby 2.5 Compat][💎ruby-2.5i]][🚎ruby-2.5-wf] [![Ruby 2.6 Compat][💎ruby-2.6i]][🚎ruby-2.6-wf] [![Ruby 2.7 Compat][💎ruby-2.7i]][🚎ruby-2.7-wf]|
+| Works with MRI Ruby 2 | ![Ruby 2.2 Compat][💎ruby-2.2i] ![Ruby 2.3 Compat][💎ruby-2.3i] <br/> [![Ruby 2.4 Compat][💎ruby-2.4i]][🚎ruby-2.4-wf] [![Ruby 2.5 Compat][💎ruby-2.5i]][🚎ruby-2.5-wf] [![Ruby 2.6 Compat][💎ruby-2.6i]][🚎ruby-2.6-wf] [![Ruby 2.7 Compat][💎ruby-2.7i]][🚎ruby-2.7-wf]|
 | Support & Community | [![Join Me on Daily.dev's RubyFriends][✉️ruby-friends-img]][✉️ruby-friends] [![Live Chat on Discord][✉️discord-invite-img-ftb]][✉️discord-invite] [![Get help from me on Upwork][👨🏼‍🏫expsup-upwork-img]][👨🏼‍🏫expsup-upwork] [![Get help from me on Codementor][👨🏼‍🏫expsup-codementor-img]][👨🏼‍🏫expsup-codementor] |
 | Source | [![Source on GitLab.com][📜src-gl-img]][📜src-gl] [![Source on CodeBerg.org][📜src-cb-img]][📜src-cb] [![Source on Github.com][📜src-gh-img]][📜src-gh] [![The best SHA: dQw4w9WgXcQ!][🧮kloc-img]][🧮kloc] |
 | Documentation | [![Current release on RubyDoc.info][📜docs-cr-rd-img]][🚎yard-current] [![YARD on Galtzo.com][📜docs-head-rd-img]][🚎yard-head] [![Maintainer Blog][🚂maint-blog-img]][🚂maint-blog] [![GitLab Wiki][📜gl-wiki-img]][📜gl-wiki] [![GitHub Wiki][📜gh-wiki-img]][📜gh-wiki] |
@@ -357,8 +358,43 @@ class OAuthCredential
 end
 ```
 
-Declared names are matched against instance variable names. For example, `filtered_attributes :access_token` redacts
-`@access_token` in `#inspect`.
+`FilteredAttributes#inspect` delegates to `super.inspect` first, then redacts only narrow, standard Ruby inspect
+fragments for configured names. This preserves host object inspect behavior instead of rebuilding the object's output.
+
+For example, `filtered_attributes :access_token` redacts `@access_token="..."` in normal object inspect output:
+
+```ruby
+OAuthCredential.new("secret", Time.now).inspect
+# => #<OAuthCredential:0x... @access_token=[FILTERED], @expires_at=2026-06-04 08:00:00 -0600>
+```
+
+Configured names are also redacted when they appear as string-valued keys inside standard Ruby hash inspect fragments,
+which is useful for adapter models that store attributes in an internal hash:
+
+```ruby
+class IdentityRecord
+  include Auth::Sanitizer::FilteredAttributes
+
+  filtered_attributes :password_digest
+
+  def initialize(identity_data)
+    @identity_data = identity_data
+  end
+end
+
+IdentityRecord.new({id: 1, password_digest: "$2a$secret"}).inspect
+# => #<IdentityRecord:0x... @identity_data={id: 1, password_digest: [FILTERED]}>
+```
+
+The inspect redactor intentionally leaves unsupported or highly customized inspect formats unchanged. It only replaces
+quoted string values in these standard shapes:
+
+- `@name="value"`
+- `{name: "value"}`
+- `{:name => "value"}`
+- `{"name" => "value"}`
+
+This conservative behavior avoids breaking host models whose `inspect` output has application-specific formatting.
 
 Calling `filtered_attributes` again replaces the class-level list:
 
@@ -427,11 +463,12 @@ response = TokenResponse.new(
 )
 
 response.inspect
-# => #<TokenResponse:123456 @access_token=[FILTERED], @refresh_token=[FILTERED], @scope="profile email">
+# => #<TokenResponse:0x... @access_token=[FILTERED], @refresh_token=[FILTERED], @scope="profile email">
 ```
 
 Only the configured attributes are redacted. Other instance variables remain visible so inspected objects are still
-useful while debugging.
+useful while debugging. Inspect filtering is conservative: unsupported custom formats are left unchanged rather than
+risking a malformed `inspect` result.
 
 ### Redact Logger Output
 
@@ -826,6 +863,7 @@ Thanks for RTFM. ☺️
 [🚎15-🪪-wf]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/license-eye.yml
 [🚎15-🪪-wfi]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/license-eye.yml/badge.svg
 [💎ruby-2.2i]: https://img.shields.io/badge/Ruby-2.2_(%F0%9F%9A%ABCI)-AABBCC?style=for-the-badge&logo=ruby&logoColor=white
+[💎ruby-2.3i]: https://img.shields.io/badge/Ruby-2.3_(%F0%9F%9A%ABCI)-AABBCC?style=for-the-badge&logo=ruby&logoColor=white
 [💎ruby-2.4i]: https://img.shields.io/badge/Ruby-2.4-DF00CA?style=for-the-badge&logo=ruby&logoColor=white
 [💎ruby-2.5i]: https://img.shields.io/badge/Ruby-2.5-DF00CA?style=for-the-badge&logo=ruby&logoColor=white
 [💎ruby-2.6i]: https://img.shields.io/badge/Ruby-2.6-DF00CA?style=for-the-badge&logo=ruby&logoColor=white
@@ -875,7 +913,7 @@ Thanks for RTFM. ☺️
 [📌gitmoji]: https://gitmoji.dev
 [📌gitmoji-img]: https://img.shields.io/badge/gitmoji_commits-%20%F0%9F%98%9C%20%F0%9F%98%8D-34495e.svg?style=flat-square
 [🧮kloc]: https://www.youtube.com/watch?v=dQw4w9WgXcQ
-[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.138-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
+[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.145-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
 [🔐security]: https://github.com/ruby-oauth/auth-sanitizer/blob/main/SECURITY.md
 [🔐security-img]: https://img.shields.io/badge/security-policy-259D6C.svg?style=flat
 [📄copyright-notice-explainer]: https://opensource.stackexchange.com/questions/5778/why-do-licenses-such-as-the-mit-license-specify-a-single-year
@@ -896,3 +934,14 @@ Thanks for RTFM. ☺️
 [💎appraisal2]: https://github.com/appraisal-rb/appraisal2
 [💎appraisal2-img]: https://img.shields.io/badge/appraised_by-appraisal2-34495e.svg?plastic&logo=ruby&logoColor=white
 [💎d-in-dvcs]: https://railsbling.com/posts/dvcs/put_the_d_in_dvcs/
+
+<!-- kettle-jem:metadata:start -->
+| Field | Value |
+|---|---|
+| Package | auth-sanitizer |
+| Description | 💎 Configurable KV output redaction. Sanitize/filter your secrets. |
+| Homepage | https://github.com/ruby-oauth/auth-sanitizer |
+| Source | https://github.com/ruby-oauth/auth-sanitizer/tree/v0.2.0 |
+| License | `MIT` |
+| Funding | https://github.com/sponsors/pboling, https://issuehunt.io/u/pboling, https://ko-fi.com/pboling, https://liberapay.com/pboling/donate, https://opencollective.com/ruby-oauth, https://patreon.com/galtzo, https://polar.sh/pboling, https://thanks.dev/u/gh/pboling, https://tidelift.com/funding/github/rubygems/auth-sanitizer, https://www.buymeacoffee.com/pboling |
+<!-- kettle-jem:metadata:end -->

data/lib/auth/sanitizer/filtered_attributes.rb

@@ -93,16 +93,34 @@ module Auth
       #
       # @return [String]
       def inspect
-        return super if thing_filter.things.empty?
+        inspected = super
+        return inspected if thing_filter.things.empty?
 
-        inspected_vars = instance_variables.map do |var|
-          if thing_filter.filtered?(var)
-            "#{var}=#{thing_filter.label}"
-          else
-            "#{var}=#{instance_variable_get(var).inspect}"
+        redact_inspected_values(inspected.dup)
+      end
+
+      private
+
+      INSPECTED_STRING_VALUE = /"(?:(?:\\.)|[^"\\])*"/
+      INSPECTED_REDACTABLE_VALUE = /
+        (?:
+          (@([A-Za-z_]\w*[!?=]?)=) |
+          ([,{]\s*([A-Za-z_]\w*[!?=]?):\s*) |
+          ([,{]\s*:([A-Za-z_]\w*[!?=]?)\s*=>\s*) |
+          ([,{]\s*"([A-Za-z_]\w*[!?=]?)"\s*=>\s*)
+        )
+        #{INSPECTED_STRING_VALUE}
+      /x
+      private_constant :INSPECTED_STRING_VALUE, :INSPECTED_REDACTABLE_VALUE
+
+      def redact_inspected_values(inspected)
+        inspected.gsub(INSPECTED_REDACTABLE_VALUE) do |match|
+          captures = Regexp.last_match.captures
+          prefix, = captures.each_slice(2).detect do |(_candidate_prefix, candidate_key)|
+            thing_filter.things.include?(candidate_key)
           end
+          prefix ? "#{prefix}#{thing_filter.label}" : match
         end
-        "#<#{self.class}:#{object_id} #{inspected_vars.join(", ")}>"
       end
     end
   end

data/lib/auth/sanitizer/version.rb

@@ -3,7 +3,7 @@
 module Auth
   module Sanitizer
     module Version
-      VERSION = "0.1.5"
+      VERSION = "0.2.1"
     end
     VERSION = Version::VERSION # Traditional Constant Location
   end

data/sig/auth/sanitizer.rbs

@@ -1,10 +1,3 @@
-module Auth
-  module Sanitizer
-    VERSION: String
-    # See the writing guide of rbs: https://github.com/ruby/rbs#guides
-  end
-end
-
 module AuthSanitizer
   module Loader
     FILES: Array[String]

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: auth-sanitizer
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.2.1
 platform: ruby
 authors:
 - Peter H. Boling
@@ -46,7 +46,7 @@ dependencies:
         version: '1.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.1.9
+        version: 1.1.10
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -56,27 +56,27 @@ dependencies:
         version: '1.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.1.9
+        version: 1.1.10
 - !ruby/object:Gem::Dependency
   name: kettle-dev
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.8
+        version: 2.1.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.8
+        version: 2.1.0
 - !ruby/object:Gem::Dependency
   name: bundler-audit
   requirement: !ruby/object:Gem::Requirement
@@ -131,20 +131,20 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.0.6
+        version: 3.1.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.0.6
+        version: 3.1.1
 - !ruby/object:Gem::Dependency
   name: kettle-test
   requirement: !ruby/object:Gem::Requirement
@@ -279,10 +279,10 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://auth-sanitizer.galtzo.com
-  source_code_uri: https://github.com/ruby-oauth/auth-sanitizer/tree/v0.1.5
-  changelog_uri: https://github.com/ruby-oauth/auth-sanitizer/blob/v0.1.5/CHANGELOG.md
+  source_code_uri: https://github.com/ruby-oauth/auth-sanitizer/tree/v0.2.1
+  changelog_uri: https://github.com/ruby-oauth/auth-sanitizer/blob/v0.2.1/CHANGELOG.md
   bug_tracker_uri: https://github.com/ruby-oauth/auth-sanitizer/issues
-  documentation_uri: https://www.rubydoc.info/gems/auth-sanitizer/0.1.5
+  documentation_uri: https://www.rubydoc.info/gems/auth-sanitizer/0.2.1
   funding_uri: https://github.com/sponsors/pboling
   wiki_uri: https://github.com/ruby-oauth/auth-sanitizer/wiki
   news_uri: https://www.railsbling.com/tags/auth-sanitizer