Skip to content

fix(webhookService): redact password/guid from logged webhook URL#794

Open
cypres0099 wants to merge 1 commit into
BlueBubblesApp:developmentfrom
cypres0099:ben/redact-webhook-url-secrets
Open

fix(webhookService): redact password/guid from logged webhook URL#794
cypres0099 wants to merge 1 commit into
BlueBubblesApp:developmentfrom
cypres0099:ben/redact-webhook-url-secrets

Conversation

@cypres0099
Copy link
Copy Markdown

@cypres0099 cypres0099 commented Apr 17, 2026

The problem

On every webhook dispatch, `WebhookService.dispatch` logs the raw registered URL at debug level:

```ts
this.log.debug(`Dispatching event to webhook: ${i.url}`);
```

Clients commonly register webhook URLs that embed the server password as a query parameter (this is what BlueBubbles itself generates for integrations like Hermes — the `/api/v1/webhook` REST API accepts `?password=...` URLs and the Hermes adapter registers them that way). The result is that the server password is written in cleartext to `bluebubbles-server.log` on every single inbound iMessage event.

That log is readable via `/api/v1/server/logs`. Gated by the same password, so the severity is limited — but surprising, avoidable, and also leaks into any copy/paste of the log (bug reports, Discord troubleshooting). The same URL is echoed on dispatch failures a few lines down.

The fix

Add a tiny `redactWebhookUrl` helper that parses the URL and replaces `password` and `guid` query-parameter values with `***` before logging. The outgoing HTTP request still uses the original URL unchanged, so there's no functional change.

Before:

```
[WebhookService] Dispatching event to webhook: http://localhost:8645/bluebubbles-webhook?password=SuperSecret123
```

After:

```
[WebhookService] Dispatching event to webhook: http://localhost:8645/bluebubbles-webhook?password=***
```

Related

`packages/server/src/server/api/http/api/v1/middleware/logMiddleware.ts` already redacts `password` from inbound request query params (line 11: `if (Object.keys(params).includes("password")) delete params.password;`). This PR closes the matching gap on outbound webhook dispatch logs.

Happy to factor the helper into a shared util if maintainers prefer — kept it inline to keep the diff minimal.

@cypres0099
fix(webhookService): redact password/guid query params from logged we…
e2efe37 
…bhook URL

Clients commonly register webhook URLs that embed the BlueBubbles
server password (or a shared guid) as a query parameter -- this is
the format BlueBubbles itself suggests in several places, including
the Hermes integration and the /api/v1/webhook REST payload.

On every dispatch, WebhookService.dispatch logs the raw URL to the
debug log. That writes the server password in cleartext to the log
stream on every inbound iMessage event, and the log is reachable
over the REST API at /api/v1/server/logs (gated by the same password,
so any client that already has it can pull every webhook URL out of
the log -- low severity by itself, but surprising and avoidable).

This adds a small redactor that parses the URL and replaces the
password and guid query-parameter values with *** before logging.
The outgoing HTTP request still uses the original URL unchanged, so
there is no functional impact -- only the log output is sanitized.

The existing request-logging middleware at
packages/server/src/server/api/http/api/v1/middleware/logMiddleware.ts
already does the equivalent for inbound request query params, so this
closes the matching gap on outbound webhook dispatch.
@omarshahine omarshahine mentioned this pull request Apr 19, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cypres0099