tryphon 0.2.0

Type-safe configuration loading from environment variables using derive macros
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159

/// A wrapper type that masks sensitive values in `Debug` and `Display` output.
use std::collections::hash_map::DefaultHasher;
use std::fmt::{Debug, Display};
use std::hash::{Hash, Hasher};
use std::ops::Deref;

/// Use `Secret<T>` to wrap sensitive configuration values like passwords, API keys,
/// and tokens. When printed or logged, the value will appear as `***` instead of
/// the actual value, preventing accidental exposure of secrets in logs or error messages.
///
/// # Examples
///
/// ## Basic Usage
///
/// ```rust
/// use tryphon::{Config, Secret};
///
/// #[derive(Debug, Config)]
/// struct AppConfig {
///     #[env("DATABASE_PASSWORD")]
///     password: Secret<String>,
///
///     #[env("API_KEY")]
///     api_key: Secret<String>,
/// }
///
/// # unsafe { std::env::set_var("DATABASE_PASSWORD", "super-secret"); }
/// # unsafe { std::env::set_var("API_KEY", "key-12345"); }
/// let config = AppConfig::load().unwrap();
///
/// // Safe to print - secrets are masked with their hash
/// println!("{:?}", config);  // Shows: AppConfig { password: Secret(a3f8d2e1c9b4f6a7), api_key: Secret(b8e9c3d4a1f5b2e6) }
///
/// // Access the actual value when needed (via Deref)
/// let password: &String = &config.password;
/// assert_eq!(password, "super-secret");
/// ```
///
/// ## Accessing the Value
///
/// `Secret<T>` implements `Deref<Target = T>`, so you can access the wrapped value
/// transparently:
///
/// ```rust
/// use tryphon::Secret;
///
/// let secret = Secret("my-api-key".to_string());
///
/// // Access via deref
/// assert_eq!(secret.len(), 10);  // String methods work directly
/// assert_eq!(&*secret, "my-api-key");  // Explicit deref
/// ```
///
/// # Security Note
///
/// While `Secret<T>` prevents *accidental* logging of sensitive values, it does not
/// provide cryptographic protection. The actual value is still stored in memory in
/// plaintext and can be accessed intentionally via dereferencing.
#[derive(Clone)]
pub struct Secret<T>(pub T);

impl<T: Hash> Secret<T> {
    /// Computes a hash of the secret value for logging or comparison purposes.
    ///
    /// Uses Rust's standard library [`DefaultHasher`] to compute a hash of the wrapped
    /// value and returns it as a lowercase hexadecimal string. This hash is also used
    /// automatically in `Debug` and `Display` implementations.
    ///
    /// # Use Cases
    ///
    /// - **Logging**: Identify which secret was used without exposing the value
    /// - **Comparison**: Check if two secrets have the same value without revealing it
    /// - **Debugging**: Track secret changes across application runs
    ///
    /// # Security Note
    ///
    /// This hash is **not cryptographically secure** and should not be used for:
    /// - Password storage (use proper password hashing like bcrypt/argon2)
    /// - Authentication tokens
    /// - Cryptographic operations
    ///
    /// The hash algorithm ([`DefaultHasher`]) may change between Rust versions and
    /// is designed for hash tables, not security.
    ///
    /// # Returns
    ///
    /// A lowercase hexadecimal string representing the hash (e.g., `"a3f8d2e1c9b4f6a7"`).
    ///
    /// # Examples
    ///
    /// ```rust
    /// use tryphon::Secret;
    ///
    /// let secret1 = Secret("my-api-key".to_string());
    /// let secret2 = Secret("my-api-key".to_string());
    /// let secret3 = Secret("different-key".to_string());
    ///
    /// // Same values produce same hashes
    /// assert_eq!(secret1.hashed(), secret2.hashed());
    ///
    /// // Different values produce different hashes
    /// assert_ne!(secret1.hashed(), secret3.hashed());
    ///
    /// // Hash doesn't reveal the original value
    /// let hash = secret1.hashed();
    /// assert!(!hash.contains("my-api-key"));
    /// ```
    ///
    /// [`DefaultHasher`]: std::collections::hash_map::DefaultHasher
    pub fn hashed(&self) -> String {
        let mut hasher = DefaultHasher::new();
        self.0.hash(&mut hasher);
        format!("{:x}", hasher.finish())
    }
}

impl<T> Deref for Secret<T> {
    type Target = T;

    fn deref(&self) -> &Self::Target {
        &self.0
    }
}

impl<T: Hash> Debug for Secret<T> {
    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
        f.write_str(format!("Secret({})", self.hashed()).as_str())
    }
}

impl<T: Hash> Display for Secret<T> {
    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
        f.write_str(format!("Secret({})", self.hashed()).as_str())
    }
}

#[cfg(test)]
mod tests {

    use super::Secret;

    #[test]
    fn test_secret_debug() {
        let secret = Secret("test_value".to_string());

        let str = format!("{:?}", secret);

        assert!(!str.contains("test_value"))
    }

    #[test]
    fn test_secret_display() {
        let secret = Secret("test_value".to_string());

        let str = format!("{}", secret);

        assert!(!str.contains("test_value"))
    }
}