@jaypie/express 1.2.13 → 1.2.15

package/dist/cjs/summarizeRequest.helper.d.ts

@@ -2,7 +2,7 @@ import type { Request } from "express";
 export interface RequestSummary {
     baseUrl: string;
     body: unknown;
-    headers: Request["headers"];
+    headers: Record<string, string | string[] | undefined>;
     method: string;
     query: Request["query"];
     url: string;

package/dist/esm/index.js

@@ -4,7 +4,7 @@ import { CorsError, BadRequestError, UnhandledError, GatewayTimeoutError, Unavai
 import { force, envBoolean, JAYPIE, HTTP, getHeaderFrom, jaypieHandler } from '@jaypie/kit';
 import expressCors from 'cors';
 import { loadEnvSecrets, getContentTypeForFormat, formatStreamError } from '@jaypie/aws';
-import { log } from '@jaypie/logger';
+import { log, redactAuth } from '@jaypie/logger';
 import { hasDatadogEnv, submitMetric, DATADOG } from '@jaypie/datadog';
 
 //
@@ -1390,71 +1390,61 @@ function getCurrentInvokeUuid(req) {
     return getJaypieAdapterUuid();
 }
 
-//
-//
-// Helpers
-//
 /**
- * Safely get a header value from response.
+ * Safely set a header value on response.
  * Handles both Express Response and Lambda adapter responses.
  * Defensive against dd-trace instrumentation issues.
  */
-function safeGetHeader(res, name) {
+function safeSetHeader(res, name, value) {
     try {
         // Try internal method first (completely bypasses dd-trace)
-        if (typeof res._internalGetHeader === "function") {
-            return res._internalGetHeader(name);
+        if (typeof res._internalSetHeader === "function") {
+            res._internalSetHeader(name, value);
+            return;
         }
         // Fall back to _headers Map access (Lambda adapter, avoids dd-trace)
         if (res._headers instanceof Map) {
-            const value = res._headers.get(name.toLowerCase());
-            return value ? String(value) : undefined;
+            res._headers.set(name.toLowerCase(), value);
+            return;
         }
-        // Fall back to getHeader (more standard than get)
-        if (typeof res.getHeader === "function") {
-            const value = res.getHeader(name);
-            return value ? String(value) : undefined;
+        // Fall back to setHeader (more standard than set)
+        if (typeof res.setHeader === "function") {
+            res.setHeader(name, value);
+            return;
         }
-        // Last resort: try get
-        if (typeof res.get === "function") {
-            const value = res.get(name);
-            return value ? String(value) : undefined;
+        // Last resort: try set
+        if (typeof res.set === "function") {
+            res.set(name, value);
         }
     }
     catch {
-        // Silently fail - caller will handle missing value
+        // Silently fail - header just won't be set
     }
-    return undefined;
 }
 /**
- * Safely set a header value on response.
+ * Safely remove a header from response.
  * Handles both Express Response and Lambda adapter responses.
  * Defensive against dd-trace instrumentation issues.
  */
-function safeSetHeader(res, name, value) {
+function safeRemoveHeader(res, name) {
     try {
         // Try internal method first (completely bypasses dd-trace)
-        if (typeof res._internalSetHeader === "function") {
-            res._internalSetHeader(name, value);
+        if (typeof res._internalRemoveHeader === "function") {
+            res._internalRemoveHeader(name);
             return;
         }
         // Fall back to _headers Map access (Lambda adapter, avoids dd-trace)
         if (res._headers instanceof Map) {
-            res._headers.set(name.toLowerCase(), value);
+            res._headers.delete(name.toLowerCase());
             return;
         }
-        // Fall back to setHeader (more standard than set)
-        if (typeof res.setHeader === "function") {
-            res.setHeader(name, value);
-            return;
-        }
-        // Last resort: try set
-        if (typeof res.set === "function") {
-            res.set(name, value);
+        // Fall back to removeHeader (standard Node.js http.ServerResponse)
+        if (typeof res.removeHeader === "function") {
+            res.removeHeader(name);
         }
     }
     catch {
-        // Silently fail - header just won't be set
+        // Silently fail - header just won't be removed
     }
 }
 //
@@ -1479,11 +1469,8 @@ const decorateResponse = (res, { handler = "", version = process.env.PROJECT_VER
         //
         // Decorate Headers
         //
-        // X-Powered-By, override "Express" but nothing else
-        const currentPoweredBy = safeGetHeader(extRes, HTTP.HEADER.POWERED_BY);
-        if (!currentPoweredBy || currentPoweredBy === "Express") {
-            safeSetHeader(extRes, HTTP.HEADER.POWERED_BY, JAYPIE.LIB.EXPRESS);
-        }
+        // Remove X-Powered-By
+        safeRemoveHeader(extRes, HTTP.HEADER.POWERED_BY);
         // X-Project-Environment
         if (process.env.PROJECT_ENV) {
             safeSetHeader(extRes, HTTP.HEADER.PROJECT.ENVIRONMENT, process.env.PROJECT_ENV);
@@ -1523,6 +1510,11 @@ const decorateResponse = (res, { handler = "", version = process.env.PROJECT_VER
 // about the environment's secret parameters, the special adapter,
 // HTTP, etc.  There must be a better way to organize this
 
+//
+//
+// Constants
+//
+const SENSITIVE_HEADERS = new Set(["authorization", "cookie", "set-cookie"]);
 //
 //
 // Function Definition
@@ -1533,10 +1525,19 @@ function summarizeRequest(req) {
     if (Buffer.isBuffer(body)) {
         body = body.toString();
     }
+    // Redact sensitive headers
+    const headers = {
+        ...req.headers,
+    };
+    for (const key of Object.keys(headers)) {
+        if (SENSITIVE_HEADERS.has(key.toLowerCase())) {
+            headers[key] = redactAuth(headers[key]);
+        }
+    }
     return {
         baseUrl: req.baseUrl,
         body,
-        headers: req.headers,
+        headers,
         method: req.method,
         query: req.query,
         url: req.url,