security: Implemented API key redaction for secure logging

- Add redact_key_for_logging() helper function to show only first/last 6 chars
- Fix API key exposure in app/service/key/key_manager.py line 68
- Apply key redaction across all Python files with API key logging
- Standardize logging security across 17 files including routers, services, handlers
This commit is contained in:
Shuai Lin
2025-07-21 02:03:19 +08:00
parent b25cf7d978
commit 6abda7d902
17 changed files with 78 additions and 46 deletions

View File

@@ -4,6 +4,7 @@ from typing import Callable, TypeVar
from app.config.config import settings
from app.log.logger import get_retry_logger
from app.utils.helpers import redact_key_for_logging
T = TypeVar("T")
logger = get_retry_logger()
@@ -37,7 +38,7 @@ class RetryHandler:
new_key = await key_manager.handle_api_failure(old_key, retries)
if new_key:
kwargs[self.key_arg] = new_key
logger.info(f"Switched to new API key: {new_key}")
logger.info(f"Switched to new API key: {redact_key_for_logging(new_key)}")
else:
logger.error(f"No valid API key available after {retries} retries.")
break