Effect CommunityEC
Effect Community2y ago
4 replies
thewilkybarkid

Approaches to Securely Store Authorization Header Value in Discord Implementation

I've been looking at approaches to implement Expanding Headers Type to Exclude Authorization Header (being able to store the Authorization header value as a secret to avoid logging it).
I've looked at changing the Headers type so that the values are strings except for that key:
export type Headers = Brand.Branded<
  {
    "authorization"?: Secret.Secret
  } & ReadonlyRecord.ReadonlyRecord<string>,
  HeadersTypeId
>

Or allowing any key to be a Secret:
export type Headers = Brand.Branded<
  ReadonlyRecord.ReadonlyRecord<Secret.Secret | string>,
  HeadersTypeId
>

Both approaches seem doable; the former results in things like:
export const get: {
  <K extends string>(
    key: K
  ): (self: Headers) => Option.Option<Lowercase<K> extends "authorization" ? Secret.Secret : string>

which is a bit more complex to implement but is possibly a more straightforward API.
Trying both approaches out, however, has shown that the Headers type is shared between both request- and response-related code for clients and servers. Response headers should remain as is; using the Secret type only needs to apply to requests.
I've paused these changes to check for feedback on two related questions:
1. Would splitting the Headers type into RequestHeaders and ResponseHeaders type be a good idea? (Maybe a generic would be better, so Headers<string> for responses, but Headers<Secret | string> for requests?)
2. What headers should it be possible to set as Secret on a request, just Authorization or any?
Was this page helpful?