From e7e5eeffabd4db2fb7ef2e412b962e75d04f265b Mon Sep 17 00:00:00 2001
From: Kevin Wang
Date: Thu, 19 Mar 2026 04:04:34 +0000
Subject: [PATCH] fix(gateway): redact cf_api_token in ListDnsCredentials response

The ListDnsCredentials API was returning the full Cloudflare API token in plaintext. Redact it to show only the first and last 4 characters (e.g., "pSFc...lQs") to prevent credential leakage via the admin API.
---
 gateway/src/admin_service.rs | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/gateway/src/admin_service.rs b/gateway/src/admin_service.rs
index d04f7593..0c320ae9 100644
--- a/gateway/src/admin_service.rs
+++ b/gateway/src/admin_service.rs
@@ -693,7 +693,7 @@ fn dns_cred_to_proto(cred: DnsCredential) -> DnsCredentialInfo {
 let (provider_type, cf_api_token, cf_api_url) = match &cred.provider {
 DnsProvider::Cloudflare { api_token, api_url } => (
 "cloudflare".to_string(),
- api_token.clone(),
+ redact_token(api_token),
 api_url.clone().unwrap_or_default(),
 ),
 };
@@ -710,6 +710,15 @@ fn dns_cred_to_proto(cred: DnsCredential) -> DnsCredentialInfo {
 }
 }
 
+fn redact_token(token: &str) -> String {
+ let len = token.len();
+ if len <= 8 {
+ "*".repeat(len)
+ } else {
+ format!("{}...{}", &token[..4], &token[len - 4..])
+ }
+}
+
 /// Convert proto ZtDomainConfig to internal ZtDomainConfig
 fn proto_to_zt_domain_config(
 proto: &ProtoZtDomainConfig,
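Review bot: The value placed in `cf_api_token` on the new `redact_token(api_token)` line is now a display-only redaction, but the field keeps its original name and nothing at the call site records the change of meaning, so an existing consumer of ListDnsCredentials that copies the field back into a credential (for example when round-tripping an edit) will silently store the redacted string. A comment on the match arm would make this explicit: `// Display form only: the full token is never returned by this RPC, so this value must not be written back as a credential.` If the proto field carries its own doc comment the same caveat belongs there; the proto definition is not visible from this hunk. `dns_cred_to_proto` begins before this hunk and continues past it.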
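Review bot: `redact_token` slices by byte index (`&token[..4]`, `&token[len - 4..]`), so a stored token containing a multi-byte character at either boundary panics inside the admin RPC instead of being redacted; the head and tail should be taken from `chars()` rather than from byte offsets. The length threshold is also low for a redaction: a 9-character token has 8 of its 9 characters returned, and the `"*".repeat(len)` branch still reveals the exact length of a short secret. The rewrite below counts characters, reveals head and tail only when the hidden middle is at least as long as what is shown, and uses a fixed mask otherwise; a unit test with a non-ASCII input and a 9-character input would pin both fixes. The commit description's example `"pSFc...lQs"` shows three trailing characters while the code keeps four, so one of the two should be corrected.
```rust
/// Display form of a secret token for the admin API.
///
/// Tokens shorter than `MIN_REVEAL_LEN` are replaced by a fixed mask so the
/// response does not reveal their length; longer tokens keep only their first
/// and last `VISIBLE` characters. Works on characters rather than bytes so a
/// non-ASCII token cannot panic on a slice inside a multi-byte sequence.
fn redact_token(token: &str) -> String {
    const VISIBLE: usize = 4;
    // Reveal anything only when the hidden middle is at least as long as
    // the revealed head and tail together.
    const MIN_REVEAL_LEN: usize = 4 * VISIBLE;
    let chars: Vec<char> = token.chars().collect();
    if chars.len() < MIN_REVEAL_LEN {
        return "****".to_string();
    }
    let head: String = chars[..VISIBLE].iter().collect();
    let tail: String = chars[chars.len() - VISIBLE..].iter().collect();
    format!("{}...{}", head, tail)
}
```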