Redact secrets from log output#623
Merged
marionbarker merged 1 commit intodevfrom May 4, 2026
Merged
Conversation
Adds a LogRedactor helper and applies it across every known leaky log site so users can share logs without leaking APNs tokens, p8 keys, Nightscout URLs and tokens, Dexcom usernames, key/team IDs, or bundle identifiers. LogManager.log also runs a safety-net sweep that catches PEM PRIVATE KEY blocks, ?token= query values, and JWTs regardless of the call site.
bjorkert
added a commit
that referenced
this pull request
Apr 27, 2026
marionbarker
approved these changes
May 4, 2026
Collaborator
marionbarker
left a comment
There was a problem hiding this comment.
I think this is pretty important.
I tested it and all new log entries were redacted but older ones were not.
When the log was shared - the older entries were in the clear.
I'm going to merge this and we can decide if filtering needs to be added when sharing the logs. I'm thinking not. The logs have a finite life so unmasked entries will be short-lived.
MtlPhil
pushed a commit
to achkars-org/LoopFollow
that referenced
this pull request
May 6, 2026
Brings in all changes from loopandlearn/LoopFollow dev up to 6.1.0. Resolved conflicts by taking upstream throughout, except LogManager where both the watch and telemetry log categories are kept. Key changes from upstream: - Add iOS 17.2+ push-to-start for Live Activity renewal (loopandlearn#622) - Fix LA restart classification, foreground race, troubleshooting logs (loopandlearn#615) - Redact secrets from log output (loopandlearn#623) - Add anonymous telemetry (loopandlearn#626) - Add units selection (loopandlearn#558) - Fix stats inclusive date range (loopandlearn#629) - Deduplicate Nightscout treatment entries by id (loopandlearn#569) - Fix alarm sound session activation failures in background (loopandlearn#596) - Recognize Atlas DASH pod in Omnipod heartbeat scan (loopandlearn#633) - Default migrationStep to latest on fresh installs (loopandlearn#631) - Update to fastlane 2.233.1 (loopandlearn#632) https://claude.ai/code/session_01VK2furpEaEmysQvEd1h77f
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Logs can contain bits of information that some users would rather not share. To make people more comfortable sharing logs when asking for help, this change masks sensitive data before they're written to the file, while keeping the lines readable enough to actually debug from.
How it works
A new
LogRedactorhelper provides small functions for the common shapes:tail/head— keep last/first 8 chars of an opaque tokenurl— keep scheme + a redacted host hint, drop path and query. Known managed Nightscout hosts (nightscoutpro.com,10be.de,herokuapp.com) are kept as the suffix; anything else is reduced to the TLDkeyId/teamId— reveal last 2 chars of a 10-char Apple IDbundleId— keep TLD + app name, mask middle (so suffixes like.watchkitappstay visible)username— preserve email-vs-not shape, drop the valuefingerprint— short sha256 prefix for opaque blobs (QR contents, settings JSON)sweep— runs on every log line as a safety net, catching PEM PRIVATE KEY blocks,?token=…query values, and JWTs no matter which call site emits themThe per-call-site helpers are precise; the central
sweepinLogManager.logis a net so future log lines also benefit without anyone having to remember.What changed
Per-call-site redaction at the known sites that previously echoed values verbatim:
AppDelegate— APNs device token at registration;userInfodumps reduced to key listsNightScoutViewController—NSLogof the full URL routed throughLogManagerand maskedMainViewController— Nightscout URL in the BFU foreground logImportExportSettingsViewModel,RemoteSettingsViewModel— QR / settings JSON replaced with a fingerprint;nightscoutURLanddexcomUsernamemaskedLoopAPNSService—bundleIdmasked next to the (already prefix-masked) device tokenJWTManager— Apple Key ID in the JWT generation logPushNotificationManager,NightscoutUtils,SettingsMigrationManager—prints converted to debugLogManagercalls (no raw JSON, no fulldebugDescription)ObservableUserDefaultsValue,ObservableValue— removedprints that fired on every value change