fix(webhooks): mask custom outgoing webhook headers in profile response (#6798)

Co-authored-by: Chikke Srujan <chikke.srujan@Chikke-Srujan-N7WRTY72X7.local> Co-authored-by: hyperswitch-bot[bot] <148525504+hyperswitch-bot[bot]@users.noreply.github.com>
2025-10-27 19:46:48 +08:00 · 2024-12-14 12:54:26 +05:30
parent 5aa8ea03a8
commit 09cf7a3ea9
2 changed files with 52 additions and 11 deletions
--- a/crates/api_models/src/admin.rs
+++ b/crates/api_models/src/admin.rs
@ -11,7 +11,7 @@ use common_utils::{
 use common_utils::{crypto::OptionalEncryptableName, ext_traits::ValueExt};
 #[cfg(feature = "v2")]
 use masking::ExposeInterface;
-use masking::Secret;
+use masking::{PeekInterface, Secret};
 use serde::{Deserialize, Serialize};
 use url;
 use utoipa::ToSchema;
@ -2198,7 +2198,7 @@ pub struct ProfileResponse {

    /// These key-value pairs are sent as additional custom headers in the outgoing webhook request.
    #[schema(value_type = Option<Object>, example = r#"{ "key1": "value-1", "key2": "value-2" }"#)]
-    pub outgoing_webhook_custom_http_headers: Option<HashMap<String, Secret<String>>>,
+    pub outgoing_webhook_custom_http_headers: Option<MaskedHeaders>,

    /// Merchant Connector id to be stored for tax_calculator connector
    #[schema(value_type = Option<String>)]
@ -2317,7 +2317,7 @@ pub struct ProfileResponse {

    /// These key-value pairs are sent as additional custom headers in the outgoing webhook request.
    #[schema(value_type = Option<Object>, example = r#"{ "key1": "value-1", "key2": "value-2" }"#)]
-    pub outgoing_webhook_custom_http_headers: Option<HashMap<String, Secret<String>>>,
+    pub outgoing_webhook_custom_http_headers: Option<MaskedHeaders>,

    /// Will be used to determine the time till which your payment will be active once the payment session starts
    #[schema(value_type = Option<u32>, example = 900)]
@ -2616,6 +2616,43 @@ pub struct BusinessPayoutLinkConfig {
    pub payout_test_mode: Option<bool>,
 }

+#[derive(Clone, Debug, serde::Serialize)]
+pub struct MaskedHeaders(HashMap<String, String>);
+
+impl MaskedHeaders {
+    fn mask_value(value: &str) -> String {
+        let value_len = value.len();
+
+        let masked_value = if value_len <= 4 {
+            "*".repeat(value_len)
+        } else {
+            value
+                .char_indices()
+                .map(|(index, ch)| {
+                    if index < 2 || index >= value_len - 2 {
+                        // Show the first two and last two characters, mask the rest with '*'
+                        ch
+                    } else {
+                        // Mask the remaining characters
+                        '*'
+                    }
+                })
+                .collect::<String>()
+        };
+
+        masked_value
+    }
+
+    pub fn from_headers(headers: HashMap<String, Secret<String>>) -> Self {
+        let masked_headers = headers
+            .into_iter()
+            .map(|(key, value)| (key, Self::mask_value(value.peek())))
+            .collect();
+
+        Self(masked_headers)
+    }
+}
+
 #[derive(Clone, Debug, serde::Deserialize, serde::Serialize, ToSchema)]
 pub struct BusinessGenericLinkConfig {
    /// Custom domain name to be used for hosting the link