Add redact_sensitive_data function for secure logging

jessesanford · jessesanford · commit bd109dcaf0fc · 2025-07-12T04:49:01.000Z
Signed-off-by: Jesse Sanford &lt;108698+jessesanford@users.noreply.github.com&gt;
diff --git a/src/mcp/server/fastmcp/utilities/logging.py b/src/mcp/server/fastmcp/utilities/logging.py
@@ -1,7 +1,8 @@
 """Logging utilities for FastMCP."""
 
 import logging
-from typing import Literal
+from collections.abc import Mapping
+from typing import Any, Literal
 
 
 def get_logger(name: str) -> logging.Logger:
@@ -41,3 +42,52 @@ def configure_logging(
         format="%(message)s",
         handlers=handlers,
     )
+
+
+# ---------------------------------------------------------------------------
+# Helper – redact sensitive data before logging
+# ---------------------------------------------------------------------------
+
+
+def redact_sensitive_data(
+    data: Mapping[str, Any] | None,
+    sensitive_keys: set[str] | None = None,
+) -> Mapping[str, Any] | None:
+    """Return a shallow copy with sensitive values replaced by "***".
+
+    This shared helper can be used across the code-base (e.g. the transparent
+    OAuth proxy) to ensure we treat secrets consistently.
+
+    Parameters
+    ----------
+    data:
+        Original mapping (typically request/response payload).  If *None* the
+        function simply returns *None*.
+    sensitive_keys:
+        Optional set of keys that should be hidden; defaults to a common list
+        of OAuth-related secrets.
+    """
+
+    if data is None:
+        return None
+
+    sensitive_keys = sensitive_keys or {
+        "client_secret",
+        "authorization",
+        "access_token",
+        "refresh_token",
+        "code",
+    }
+
+    redacted: dict[str, Any] = {}
+    for key, value in data.items():
+        if key.lower() in sensitive_keys:
+            # Show a short prefix of auth codes; redact everything else
+            if key.lower() == "code" and isinstance(value, str):
+                redacted[key] = value[:8] + "..." if len(value) > 8 else "***"
+            else:
+                redacted[key] = "***"
+        else:
+            redacted[key] = value
+
+    return redacted
