fix(qa): preserve adjacent control ui redaction

2026-06-27 00:29:34 +00:00 · 2026-06-20 05:56:36 +02:00
parent 1cda1fc9a0
commit 1df2cc5f02
2 changed files with 32 additions and 7 deletions
--- a/extensions/qa-lab/src/lab-server.test.ts
+++ b/extensions/qa-lab/src/lab-server.test.ts
@@ -425,6 +425,19 @@ describe("qa-lab server", () => {
    };
    expect(startupStatus.status.gateway.url).toBe("https://gateway.example.test/?panel=chat");

+    lab.setControlUi({
+      controlUiUrl:
+        "/control-ui/?token=late-token&api_key=late-api-key&id_token=late-id-token&panel=chat#token=fragment-token",
+    });
+    const relativeBootstrap = (await (
+      await fetchWithRetry(`${lab.baseUrl}/api/bootstrap`)
+    ).json()) as {
+      controlUiUrl: string | null;
+      controlUiEmbeddedUrl: string | null;
+    };
+    expect(relativeBootstrap.controlUiUrl).toBe("/control-ui/?panel=chat");
+    expect(relativeBootstrap.controlUiEmbeddedUrl).toBe("/control-ui/?panel=chat");
+
    const messageResponse = await fetch(`${lab.baseUrl}/api/inbound/message`, {
      method: "POST",
      headers: {
--- a/extensions/qa-lab/src/lab-server.ts
+++ b/extensions/qa-lab/src/lab-server.ts
@@ -148,6 +148,24 @@ const CONTROL_UI_CREDENTIAL_QUERY_KEYS = new Set([
  "refresh_token",
  "token",
 ]);
+const CONTROL_UI_CREDENTIAL_QUERY_PATTERN =
+  /([?&])(?:access_token|api_?key|auth|deviceToken|id_token|password|refresh_token|token)=[^&#\s]*&?/gi;
+
+function stripSensitiveQueryParamsFromText(rawUrl: string): string {
+  let sanitized = rawUrl;
+  for (;;) {
+    const next = sanitized
+      .replace(CONTROL_UI_CREDENTIAL_QUERY_PATTERN, (match: string, separator: string) =>
+        match.endsWith("&") ? separator : "",
+      )
+      .replace(/[?&]$/, "")
+      .replace("?&", "?");
+    if (next === sanitized) {
+      return next;
+    }
+    sanitized = next;
+  }
+}

 function stripSensitiveQueryParams(rawUrl: string): string {
  try {
@@ -159,13 +177,7 @@ function stripSensitiveQueryParams(rawUrl: string): string {
    }
    return url.toString();
  } catch {
-    return rawUrl
-      .replace(
-        /([?&])(?:access_token|api_?key|auth|deviceToken|id_token|password|refresh_token|token)=[^&#\s]*&?/gi,
-        (match: string, separator: string) => (match.endsWith("&") ? separator : ""),
-      )
-      .replace(/[?&]$/, "")
-      .replace("?&", "?");
+    return stripSensitiveQueryParamsFromText(rawUrl);
  }
 }