embystream 0.0.36

Another Emby streaming application (frontend/backend separation) written in Rust.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123

use form_urlencoded::Serializer;

/// Privacy utilities for handling sensitive data.
pub struct Privacy;

impl Default for Privacy {
    fn default() -> Self {
        Self::new()
    }
}

impl Privacy {
    /// Creates a new Privacy instance.
    pub fn new() -> Self {
        Privacy
    }

    /// Desensitizes a sensitive string by showing the first 4 characters and masking the rest.
    ///
    /// # Arguments
    ///
    /// * `s` - The string to desensitize.
    ///
    /// # Returns
    ///
    /// A desensitized string. If empty, returns "<empty>".
    /// If length <= 4, returns the original string.
    /// Otherwise, returns the first 4 characters followed by "***".
    pub fn desensitize(&self, s: &str) -> String {
        if s.is_empty() {
            "<empty>".to_string()
        } else if s.len() <= 4 {
            s.to_string()
        } else {
            format!("{}***", &s[..4])
        }
    }

    pub fn mask_google_drive_token(raw: &str) -> String {
        let trimmed = raw.trim();
        if trimmed.is_empty() {
            return "<empty>".to_string();
        }

        let (scheme, token) = trimmed
            .split_once(' ')
            .map(|(prefix, value)| (format!("{prefix} "), value))
            .unwrap_or_else(|| (String::new(), trimmed));

        let chars: Vec<char> = token.chars().collect();
        if chars.is_empty() {
            return format!("{scheme}<empty>");
        }
        if chars.len() <= 8 {
            return format!("{scheme}{}", "*".repeat(chars.len()));
        }

        let prefix: String = chars.iter().take(4).copied().collect();
        let suffix: String = chars
            .iter()
            .rev()
            .take(4)
            .copied()
            .collect::<Vec<_>>()
            .into_iter()
            .rev()
            .collect();
        format!("{scheme}{prefix}...{suffix}")
    }

    pub fn sanitize_google_drive_internal_path_for_log(path: &str) -> String {
        let Some((base, query)) = path.split_once('?') else {
            return path.to_string();
        };

        let sanitized_query = form_urlencoded::parse(query.as_bytes())
            .into_owned()
            .map(|(key, value)| {
                if key == "token" {
                    (key, Self::mask_google_drive_token(value.as_str()))
                } else {
                    (key, value)
                }
            })
            .fold(
                Serializer::new(String::new()),
                |mut serializer, (key, value)| {
                    serializer.append_pair(&key, &value);
                    serializer
                },
            )
            .finish();

        format!("{base}?{sanitized_query}")
    }
}

#[cfg(test)]
mod tests {
    use super::Privacy;

    #[test]
    fn mask_google_drive_token_keeps_prefix_and_suffix_only() {
        assert_eq!(
            Privacy::mask_google_drive_token("Bearer access-token"),
            "Bearer acce...oken"
        );
        assert_eq!(Privacy::mask_google_drive_token("short"), "*****");
        assert_eq!(Privacy::mask_google_drive_token(""), "<empty>");
    }

    #[test]
    fn sanitize_google_drive_internal_path_masks_token_query() {
        let path = "/_origin/google-drive/gd-node/file%2Did%2D123?\
token=Bearer+access-token&foo=bar";

        assert_eq!(
            Privacy::sanitize_google_drive_internal_path_for_log(path),
            "/_origin/google-drive/gd-node/file%2Did%2D123?\
token=Bearer+acce...oken&foo=bar"
        );
    }
}