restore-redact 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +85 -0
- package/package.json +1 -1
package/README.md
ADDED
|
@@ -0,0 +1,85 @@
|
|
|
1
|
+
# restore-redact
|
|
2
|
+
|
|
3
|
+
Detect secrets in objects or strings, replace them with opaque UUID tokens, and restore the original values on demand.
|
|
4
|
+
|
|
5
|
+
Built on [`@leakguard/guard`](https://www.npmjs.com/package/@leakguard/guard) for detection and redaction.
|
|
6
|
+
|
|
7
|
+
## Install
|
|
8
|
+
|
|
9
|
+
```sh
|
|
10
|
+
npm install restore-redact
|
|
11
|
+
```
|
|
12
|
+
|
|
13
|
+
## Usage
|
|
14
|
+
|
|
15
|
+
```js
|
|
16
|
+
const { detect, restore, clear } = require('restore-redact');
|
|
17
|
+
|
|
18
|
+
const input = {
|
|
19
|
+
service: 'payment-gateway',
|
|
20
|
+
apiKey: 'sk_live_4eC39HqLyjWDarjtT1zdp7dc',
|
|
21
|
+
};
|
|
22
|
+
|
|
23
|
+
const redacted = detect(input);
|
|
24
|
+
// {
|
|
25
|
+
// service: 'payment-gateway',
|
|
26
|
+
// apiKey: '[REDACTED:a3f1c2d4-...]'
|
|
27
|
+
// }
|
|
28
|
+
|
|
29
|
+
const restored = restore(redacted);
|
|
30
|
+
// { service: 'payment-gateway', apiKey: 'sk_live_4eC39HqLyjWDarjtT1zdp7dc' }
|
|
31
|
+
|
|
32
|
+
clear(); // wipe the in-memory store
|
|
33
|
+
```
|
|
34
|
+
|
|
35
|
+
Works on plain strings too:
|
|
36
|
+
|
|
37
|
+
```js
|
|
38
|
+
const redacted = detect('token=sk_live_4eC39HqLyjWDarjtT1zdp7dc');
|
|
39
|
+
// 'token=[REDACTED:a3f1c2d4-...]'
|
|
40
|
+
|
|
41
|
+
restore(redacted);
|
|
42
|
+
// 'token=sk_live_4eC39HqLyjWDarjtT1zdp7dc'
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
## API
|
|
46
|
+
|
|
47
|
+
### `detect(data)`
|
|
48
|
+
|
|
49
|
+
Scans `data` (string, object, or array) for secrets. Each unique secret value is assigned a `[REDACTED:<uuid>]` token and the original value is stored in an in-memory Map. Returns the redacted copy; the original is not mutated.
|
|
50
|
+
|
|
51
|
+
The same secret value appearing multiple times in `data` gets the same token.
|
|
52
|
+
|
|
53
|
+
If no secrets are found, `data` is returned as-is.
|
|
54
|
+
|
|
55
|
+
### `restore(redactedData)`
|
|
56
|
+
|
|
57
|
+
Walks `redactedData` (string, object, or array), finds all `[REDACTED:<uuid>]` tokens, and replaces each with the original value from the store. Tokens with no matching entry (e.g. after `clear()`) are left as-is.
|
|
58
|
+
|
|
59
|
+
### `clear()`
|
|
60
|
+
|
|
61
|
+
Wipes the in-memory store. Any tokens produced before `clear()` can no longer be resolved.
|
|
62
|
+
|
|
63
|
+
## Detected secret types
|
|
64
|
+
|
|
65
|
+
Detection is provided by `@leakguard/guard` and covers:
|
|
66
|
+
|
|
67
|
+
- API keys (`sk_live_*`, `sk_test_*`, and similar patterns)
|
|
68
|
+
- JWTs
|
|
69
|
+
- Private keys
|
|
70
|
+
- Passwords
|
|
71
|
+
- Connection strings
|
|
72
|
+
- Auth tokens
|
|
73
|
+
- Credit card numbers
|
|
74
|
+
- Social security numbers
|
|
75
|
+
- High-entropy strings
|
|
76
|
+
|
|
77
|
+
## Notes
|
|
78
|
+
|
|
79
|
+
- The store is **module-level** and shared across all calls in the same process. Call `clear()` when a request or task completes if you don't want secrets accumulating in memory.
|
|
80
|
+
- `detect` / `restore` handle nested objects and arrays recursively.
|
|
81
|
+
- Unknown token UUIDs passed to `restore` are left unchanged rather than throwing.
|
|
82
|
+
|
|
83
|
+
## License
|
|
84
|
+
|
|
85
|
+
ISC
|