feat: add env-aware client log policy and const lint fixes

2026-02-24 15:38:55 +09:00
parent 4ffe5110dd
commit aeb418fb9f
14 changed files with 701 additions and 47 deletions
--- a/userfront/lib/core/services/log_policy.dart
+++ b/userfront/lib/core/services/log_policy.dart
@@ -0,0 +1,123 @@
+class LogPolicy {
+  static const Set<String> _sensitiveKeys = {
+    'password',
+    'currentpassword',
+    'newpassword',
+    'oldpassword',
+    'token',
+    'accesstoken',
+    'refreshtoken',
+    'secret',
+    'clientsecret',
+    'authorization',
+    'cookie',
+    'setcookie',
+    'verificationcode',
+    'code',
+    'loginchallenge',
+    'loginverifier',
+    'sessionjwt',
+    'accessjwt',
+    'refreshjwt',
+  };
+
+  static bool isProductionEnv(String? appEnv) {
+    final env = (appEnv ?? '').trim().toLowerCase();
+    return env == 'prod' || env == 'production';
+  }
+
+  static bool parseBoolFlag(String? raw) {
+    final value = (raw ?? '').trim().toLowerCase();
+    return value == '1' ||
+        value == 'true' ||
+        value == 'yes' ||
+        value == 'y' ||
+        value == 'on';
+  }
+
+  static bool debugEnabled({
+    required String? appEnv,
+    required String? productionDebugFlag,
+  }) {
+    if (!isProductionEnv(appEnv)) {
+      return true;
+    }
+    return parseBoolFlag(productionDebugFlag);
+  }
+
+  static bool shouldRelayClientLog({
+    required String level,
+    required String? appEnv,
+    required String? productionDebugFlag,
+  }) {
+    if (debugEnabled(
+      appEnv: appEnv,
+      productionDebugFlag: productionDebugFlag,
+    )) {
+      return true;
+    }
+    final normalized = level.trim().toUpperCase();
+    return normalized == 'SEVERE' ||
+        normalized == 'ERROR' ||
+        normalized == 'WARNING' ||
+        normalized == 'WARN';
+  }
+
+  static String sanitizeMessage(String message) {
+    if (message.trim().isEmpty) {
+      return message;
+    }
+    var sanitized = message.replaceAllMapped(
+      RegExp(
+        r'"(password|currentpassword|newpassword|oldpassword|token|accesstoken|refreshtoken|secret|clientsecret|authorization|cookie|setcookie|verificationcode|code|loginchallenge|loginverifier|sessionjwt|accessjwt|refreshjwt)"\s*:\s*"[^"]*"',
+        caseSensitive: false,
+      ),
+      (match) {
+        final key = match.group(1) ?? 'sensitive';
+        return '"$key":"*****"';
+      },
+    );
+    sanitized = sanitized.replaceAllMapped(
+      RegExp(
+        r'\b(password|current_password|currentpassword|new_password|newpassword|old_password|oldpassword|token|access_token|accesstoken|refresh_token|refreshtoken|authorization|cookie|session_jwt|sessionjwt|access_jwt|accessjwt|refresh_jwt|refreshjwt)\b\s*[:=]\s*([^\s,;]+)',
+        caseSensitive: false,
+      ),
+      (match) {
+        final key = match.group(1) ?? 'sensitive';
+        return '$key=*****';
+      },
+    );
+    return sanitized;
+  }
+
+  static Map<String, dynamic> sanitizeData(Map<String, dynamic> input) {
+    final output = <String, dynamic>{};
+    for (final entry in input.entries) {
+      if (_isSensitiveKey(entry.key)) {
+        output[entry.key] = '*****';
+      } else {
+        output[entry.key] = _sanitizeValue(entry.value);
+      }
+    }
+    return output;
+  }
+
+  static dynamic _sanitizeValue(dynamic value) {
+    if (value is Map<String, dynamic>) {
+      return sanitizeData(value);
+    }
+    if (value is List) {
+      return value.map(_sanitizeValue).toList(growable: false);
+    }
+    if (value is String) {
+      return sanitizeMessage(value);
+    }
+    return value;
+  }
+
+  static bool _isSensitiveKey(String key) {
+    var normalized = key.trim().toLowerCase();
+    normalized = normalized.replaceAll(RegExp(r'[-_.\s]'), '');
+    return _sensitiveKeys.contains(normalized);
+  }
+}