Merge pull request #578 from Dstack-TEE/fix/redact-dns-credential-token

fix(gateway): redact cf_api_token in ListDnsCredentials response

Author: kvinwang

gateway/src/admin_service.rs

@@ -693,7 +693,7 @@ fn dns_cred_to_proto(cred: DnsCredential) -> DnsCredentialInfo {
     let (provider_type, cf_api_token, cf_api_url) = match &cred.provider {
         DnsProvider::Cloudflare { api_token, api_url } => (
             "cloudflare".to_string(),
-            api_token.clone(),
+            redact_token(api_token),
             api_url.clone().unwrap_or_default(),
         ),
     };
@@ -710,6 +710,15 @@ fn dns_cred_to_proto(cred: DnsCredential) -> DnsCredentialInfo {
     }
 }
 
+fn redact_token(token: &str) -> String {
+    let len = token.len();
+    if len <= 8 {
+        "*".repeat(len)
+    } else {
+        format!("{}...{}", &token[..4], &token[len - 4..])
+    }
+}
+
 /// Convert proto ZtDomainConfig to internal ZtDomainConfig
 fn proto_to_zt_domain_config(
     proto: &ProtoZtDomainConfig,