Sanitize log output: avoid leaking sensitive data and fix error handling in Azure HTTP client

Co-Authored-By: Claude Opus 4.6 <[email protected]>

Author: rhopp

src/api/azure/http/azure-http.client.ts

@@ -1,8 +1,24 @@
 import { BaseHttpClient } from '../../common/http/base-http.client';
-import { AxiosError } from 'axios';
+import { ApiError } from '../../common/errors/api.errors';
 import { AzureApiError } from '../errors/azure.errors';
 import { LoggerFactory, Logger } from '../../../logger/logger';
 
+function sanitizeErrorData(data: unknown): string {
+  if (data == null) return 'no data';
+  if (typeof data === 'string') return data.slice(0, 2000);
+  if (typeof data === 'object') {
+    const { message, typeKey, errorCode, statusCode } = data as Record<string, unknown>;
+    const parts = [
+      message != null ? `message=${message}` : null,
+      typeKey != null ? `typeKey=${typeKey}` : null,
+      errorCode != null ? `errorCode=${errorCode}` : null,
+      statusCode != null ? `statusCode=${statusCode}` : null,
+    ].filter(Boolean);
+    return parts.length > 0 ? parts.join(', ') : '[response data omitted]';
+  }
+  return String(data);
+}
+
 export interface AzureHttpClientConfig {
   organization: string;
   host: string;
@@ -43,21 +59,36 @@ export class AzureHttpClient extends BaseHttpClient {
 
     this.client.interceptors.response.use(
       response => response,
-      (error: AxiosError) => {
-        if (error.response) {
-          this.logger.error(`Azure DevOps API Error: ${error.response.status} ${error.response.statusText} - ${JSON.stringify(error.response.data)}`);
+      (error) => {
+        // Build the AzureApiError first, so wrapping always succeeds regardless of logging
+        let azureError: AzureApiError;
+
+        // BaseHttpClient already transforms AxiosError → ApiError
+        // Map ApiError to Azure-specific errors first
+        if (error instanceof ApiError) {
+          azureError = new AzureApiError(error.message, error.status, error.data, error);
+          try {
+            this.logger.error(`Azure DevOps API Error: ${error.status} - ${sanitizeErrorData(error.data)}`);
+          } catch { /* logging must not break error propagation */ }
+        } else if (error.response) {
+          // Fallback: Handle raw AxiosError if BaseHttpClient interceptor didn't catch it
+          azureError = new AzureApiError(error.message, error.response.status, error.response.data, error);
+          try {
+            this.logger.error(`Azure DevOps API Error: ${error.response.status} ${error.response.statusText} - ${sanitizeErrorData(error.response.data)}`);
+          } catch { /* logging must not break error propagation */ }
         } else if (error.request) {
-          this.logger.error(`Azure DevOps API Error: No response received - ${JSON.stringify(error.request)}`);
+          azureError = new AzureApiError('No response received from Azure DevOps', undefined, undefined, error);
+          try {
+            const { method, baseURL, url, timeout } = error.request?.config ?? error.config ?? {};
+            this.logger.error(`Azure DevOps API Error: No response received - ${method?.toUpperCase()} ${baseURL ?? ''}${url ?? ''} (timeout: ${timeout})`);
+          } catch { /* logging must not break error propagation */ }
         } else {
-          this.logger.error(`Azure DevOps API Error: Request setup failed - ${error}`);
+          azureError = new AzureApiError('Request setup failed', undefined, undefined, error);
+          try {
+            this.logger.error(`Azure DevOps API Error: Request setup failed - ${error}`);
+          } catch { /* logging must not break error propagation */ }
         }
-        // Wrap AxiosError in a custom AzureApiError
-        const azureError = new AzureApiError(
-          error.message,
-          error.response?.status,
-          error.response?.data,
-          error
-        );
+
         return Promise.reject(azureError);
       }
     );

src/api/azure/services/azure-variable-group.service.ts

@@ -39,7 +39,8 @@ export class AzureVariableGroupService {
         `${this.project}/_apis/distributedtask/variablegroups?${this.getApiVersionParam()}`,
         payload
       );
-      this.logger.info(`AzureCI group creation response: ${JSON.stringify(response)}`);
+      const { id, name } = (response as any) ?? {};
+      this.logger.info(`Variable group created: id=${id}, name=${name}`);
     } catch (error) {
       this.logger.error(`Failed to create variable group '${groupName}': ${error}`);
       throw error;

src/api/rhdh/developerhub.ts

@@ -42,7 +42,8 @@ export class DeveloperHub {
     componentScaffoldOptions: ScaffolderScaffoldOptions
   ): Promise<ComponentIdResponse> {
     try {
-      this.logger.info(`Creating component with options: ${JSON.stringify(componentScaffoldOptions)}`);
+      const { templateRef, values: { name, repoName, namespace, ciType, hostType } = {} } = componentScaffoldOptions ?? {};
+      this.logger.info(`Creating component: template=${templateRef}, name=${name}, repo=${repoName}, namespace=${namespace}, ci=${ciType}, host=${hostType}`);
       const response: AxiosResponse<ComponentIdResponse> = await this.axios.post(
         `${this.url}/api/scaffolder/v2/tasks`,
         componentScaffoldOptions