fix(security): replace SecretString with String for API response tokens #3008

Merged
hubcio merged 4 commits into master from fix_sdk_secrecy
Mar 25, 2026

Conversation

@spetz spetz (Contributor) commented Mar 21, 2026

SDK consumers had to depend on the secrecy crate just to read
token values returned from create-PAT and login endpoints.
These are API response fields intentionally exposed to the
caller over the wire — wrapping them in SecretString added
friction (custom Debug impls, serialize_secret annotations,
expose_secret() calls) without meaningful security benefit.

Changes RawPersonalAccessToken.token and TokenInfo.token from
SecretString to plain String. Leaves SecretString in place for
actual secrets: user passwords, credentials, and PAT values
used in login commands.
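The distinction the description draws (wrap inputs that are real secrets, hand response tokens back as plain `String`) comes down to what the wrapper actually provides. The following is an added example, not code from this PR or from the project: a hand-rolled stand-in for the `secrecy` crate's `SecretString` (the crate's own type is not used, so the block compiles with the standard library alone) showing its two properties, a `Debug` impl that never prints the value and best-effort zeroing of the buffer on drop, alongside a response type whose token stays a plain `String`. The type names `Secret`, `LoginCommand` and `RawPersonalAccessToken` and the function `bearer_header` are illustrative; the `serialize_secret` annotation mentioned in the description is not modelled.

```rust
use std::fmt;
use std::sync::atomic::{compiler_fence, Ordering};

/// Hand-rolled equivalent of `secrecy::SecretString` (illustrative, not the crate).
/// `Debug` never prints the value, the buffer is zeroed on drop, and reading the
/// value requires an explicit `expose_secret()` call at the use site.
pub struct Secret(String);

impl Secret {
    pub fn new(value: String) -> Self {
        Secret(value)
    }

    /// The only way to read the wrapped value; grep-able in code review.
    pub fn expose_secret(&self) -> &str {
        &self.0
    }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // A stray `{:?}` in a log line prints this instead of the secret.
        f.write_str("Secret([REDACTED])")
    }
}

impl Drop for Secret {
    fn drop(&mut self) {
        // Best-effort zeroization before the allocation is freed. The real crate
        // delegates to `zeroize`, which likewise uses volatile writes plus a fence
        // so the overwrite is not optimised away as a dead store.
        // SAFETY: writing 0x00 bytes keeps the buffer valid UTF-8.
        let bytes = unsafe { self.0.as_mut_vec() };
        for b in bytes.iter_mut() {
            unsafe { std::ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
}

/// Input-side type: the password is a real secret and keeps the wrapper.
#[derive(Debug)]
pub struct LoginCommand {
    pub username: String,
    pub password: Secret,
}

/// Output-side type: the token is returned to the caller on purpose, so a
/// wrapper would only force every SDK consumer to call `expose_secret()`.
#[derive(Debug)]
pub struct RawPersonalAccessToken {
    pub token: String,
}

/// Typical consumer use of the response: no secrecy dependency needed.
pub fn bearer_header(pat: &RawPersonalAccessToken) -> String {
    format!("Bearer {}", pat.token)
}

/// Debug rendering of a login command with a constructed sample password.
pub fn render_login_debug() -> String {
    let cmd = LoginCommand {
        username: "alice".to_string(),
        password: Secret::new("constructed-password-123".to_string()),
    };
    format!("{:?}", cmd)
}

/// Debug rendering of a PAT response with a constructed sample token.
pub fn render_pat_debug() -> String {
    let pat = RawPersonalAccessToken {
        token: "constructed-pat-token".to_string(),
    };
    format!("{:?}", pat)
}

fn main() {
    println!("{}", render_login_debug()); // password shows as Secret([REDACTED])
    println!("{}", render_pat_debug());   // token printed in full, by design
}
```

The test of whether a field belongs in the wrapper is the one the description applies: would printing or serialising it by accident be a leak? For the login password, yes, so the redacted `Debug` and zeroing are worth the `expose_secret()` friction. For a token the endpoint exists to hand over, the value crosses the wire in the clear anyway, and the wrapper changes nothing about that.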

codecov bot commented Mar 21, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.13%. Comparing base (601e597) to head (e4d264a).
⚠️ Report is 1 commit behind head on master.

Additional details and impacted files
@@             Coverage Diff              @@
##             master    #3008      +/-   ##
============================================
- Coverage     72.18%   72.13%   -0.06%     
  Complexity      930      930              
============================================
  Files          1122     1120       -2     
  Lines         93502    93489      -13     
  Branches      70851    70849       -2     
============================================
- Hits          67494    67437      -57     
- Misses        23441    23461      +20     
- Partials       2567     2591      +24     
Components                  Coverage Δ
Rust Core                   72.87% <100.00%> (-0.07%) ⬇️
Java SDK                    62.08% <ø> (ø)
C# SDK                      67.43% <ø> (-0.21%) ⬇️
Python SDK                  81.43% <ø> (ø)
Node SDK                    91.53% <ø> (+0.12%) ⬆️
Go SDK                      38.68% <ø> (ø)

Files with missing lines                                      Coverage Δ
...onal_access_tokens/create_personal_access_token.rs         88.88% <ø> (ø)
core/cli/src/commands/binary_system/login.rs                  50.00% <ø> (ø)
core/common/src/traits/binary_mapper.rs                       79.34% <100.00%> (-0.06%) ⬇️
core/sdk/src/http/http_client.rs                              91.45% <ø> (ø)
core/server/src/http/mapper.rs                                85.24% <100.00%> (ø)
core/server/src/http/personal_access_tokens.rs                87.23% <ø> (ø)

... and 31 files with indirect coverage changes


@spetz spetz force-pushed the fix_sdk_secrecy branch from d115232 to bbcc922 on March 21, 2026 16:40
mmodzelewski previously approved these changes Mar 23, 2026
@hubcio hubcio merged commit cea62a9 into master Mar 25, 2026
79 checks passed
@hubcio hubcio deleted the fix_sdk_secrecy branch March 25, 2026 20:59

6 participants