From 5874c681cb0f3c005c8cc95085b39aa669fc24a2 Mon Sep 17 00:00:00 2001
From: Jan Sandbrink
Date: Wed, 17 Dec 2025 10:49:14 +0100
Subject: [PATCH] Filter more sensitive data in VCR

* All kinds of HTTP Authorization headers
* client_id, client_secret and refresh_token passed in request body
* refresh_token received from IDP
This is a bit more exhaustive than the filtering performed previously.
---
 .../commands/create_folder_command_spec.rb | 2 ++
 spec/support/vcr.rb | 34 ++++++++++++++-----
 2 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/modules/storages/spec/common/storages/adapters/providers/nextcloud/commands/create_folder_command_spec.rb b/modules/storages/spec/common/storages/adapters/providers/nextcloud/commands/create_folder_command_spec.rb
index 852b13833a1..e093d2f8b78 100644
--- a/modules/storages/spec/common/storages/adapters/providers/nextcloud/commands/create_folder_command_spec.rb
+++ b/modules/storages/spec/common/storages/adapters/providers/nextcloud/commands/create_folder_command_spec.rb
@@ -104,6 +104,8 @@ module Storages
 private
 
 def delete_created_folder(folder)
+ return if folder.nil?
+
 Input::DeleteFolder.build(location: folder.location).bind do |input_data|
 Registry.resolve("nextcloud.commands.delete_folder").call(storage:, auth_strategy:, input_data:)
 end
diff --git a/spec/support/vcr.rb b/spec/support/vcr.rb
index fcc698440ac..75209a65be4 100644
--- a/spec/support/vcr.rb
+++ b/spec/support/vcr.rb
@@ -48,26 +48,44 @@ VCR.configure do |config|
 i.response.body.force_encoding("UTF-8")
 end
 
- config.filter_sensitive_data "" do |interaction|
- header = interaction.request.headers["Authorization"]&.first&.split
+ config.filter_sensitive_data "" do |interaction|
+ _type, secret = interaction.request.headers["Authorization"]&.first&.split(" ", 2)
 
- header.last if header&.first == "Basic"
+ secret
 end
 
- config.filter_sensitive_data "" do |interaction|
- header = interaction.request.headers["Authorization"]&.first&.split
+ config.filter_sensitive_data "" do |interaction|
+ content_type = interaction.request.headers["Content-Type"]&.first
 
- header.last if header&.first == "Bearer"
+ if content_type&.include?("application/x-www-form-urlencoded")
+ URI.decode_www_form(interaction.request.body).to_h["client_secret"]
+ end
+ end
+
+ config.filter_sensitive_data "" do |interaction|
+ content_type = interaction.request.headers["Content-Type"]&.first
+
+ if content_type&.include?("application/x-www-form-urlencoded")
+ URI.decode_www_form(interaction.request.body).to_h["refresh_token"]
+ end
 end
 
 config.filter_sensitive_data "" do |interaction|
- header_value = interaction.response.headers["Content-Type"]&.first
+ content_type = interaction.response.headers["Content-Type"]&.first
 
- if header_value&.include?("application/json")
+ if content_type&.include?("application/json")
 MultiJson.load(interaction.response.body)["access_token"]
 end
 end
 
+ config.filter_sensitive_data "" do |interaction|
+ content_type = interaction.response.headers["Content-Type"]&.first
+
+ if content_type&.include?("application/json")
+ MultiJson.load(interaction.response.body)["refresh_token"]
+ end
+ end
+
 config.default_cassette_options = {
 record: ENV.fetch("VCR_RECORD_MODE", :once).to_sym,
 allow_playback_repeats: true,
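Review bot: The two form-body filters return the percent-decoded value from `URI.decode_www_form`, so (assuming VCR substitutes the returned string literally) a `client_secret` or `refresh_token` containing characters that are escaped on the wire, such as `+`, `/` or `=`, will not match the encoded body text and will stay in the recorded cassette. Returning the raw value as it appears in the body avoids this, e.g. `interaction.request.body[/(?:\A|&)client_secret=([^&]*)/, 1]`, and the same pattern for `refresh_token`. The commit message also lists `client_id` among the filtered body fields, but no block in this hunk extracts it. The enclosing `VCR.configure` block starts and ends outside the hunk, so a filter defined elsewhere may already cover it.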