BAWES-Universe · jynbil1 · May 17, 2026 · chatgpt-codex-connector · May 17, 2026
diff --git a/backend/views/api-log/view.php b/backend/views/api-log/view.php
@@ -10,6 +10,19 @@
 $this->params['breadcrumbs'][] = ['label' => Yii::t('app', 'Api Logs'), 'url' => ['index']];
 $this->params['breadcrumbs'][] = $this->title;
 \yii\web\YiiAsset::register($this);
+
+$redactApiLogValue = function ($value) {
+    if ($value === null || $value === '') {
+        return $value;
+    }
+
+    $redacted = (string)$value;
+    $redacted = preg_replace('/\b(Authorization|Proxy-Authorization)\s*[:=]\s*(?:Bearer|Basic)?\s*[^\r\n,;]+/i', '$1: ***REDACTED***', $redacted);
+    $redacted = preg_replace('/\b(Bearer|Basic)\s+[A-Za-z0-9._~+\/=-]+/i', '$1 ***REDACTED***', $redacted);
+    $redacted = preg_replace('/([\'"]?(?:api[_-]?key|secret|token|access[_-]?token|refresh[_-]?token|password|client[_-]?secret)[\'"]?\s*[:=]\s*[\'"]?)[^\'",\r\n&]+/i', '$1***REDACTED***', $redacted);
+
+    return $redacted;
+};
 ?>
 <div class="api-log-view">
 
@@ -33,10 +46,34 @@
             'restaurant_uuid',
             'method',
             'endpoint',
-            'request_headers:ntext',
-            'request_body:ntext',
-            'response_headers:ntext',
-            'response_body:ntext',
+            [
+                'attribute' => 'request_headers',
+                'format' => 'ntext',
+                'value' => function ($model) use ($redactApiLogValue) {
+                    return $redactApiLogValue($model->request_headers);
+                },
+            ],
+            [
+                'attribute' => 'request_body',
+                'format' => 'ntext',
+                'value' => function ($model) use ($redactApiLogValue) {
+                    return $redactApiLogValue($model->request_body);
+                },
+            ],
+            [
+                'attribute' => 'response_headers',
+                'format' => 'ntext',
+                'value' => function ($model) use ($redactApiLogValue) {
+                    return $redactApiLogValue($model->response_headers);
+                },
+            ],
+            [
+                'attribute' => 'response_body',
+                'format' => 'ntext',
+                'value' => function ($model) use ($redactApiLogValue) {
+                    return $redactApiLogValue($model->response_body);
+                },
+            ],
             'created_at',
         ],
     ]) ?>

diff --git a/tests/check-api-log-view-redaction.sh b/tests/check-api-log-view-redaction.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+target="backend/views/api-log/view.php"
+
+for direct in \
+  "request_headers:ntext" \
+  "request_body:ntext" \
+  "response_headers:ntext" \
+  "response_body:ntext"
+do
+  if grep -q "$direct" "$target"; then
+    echo "api log view still renders $direct directly" >&2
+    exit 1
+  fi
+done
+
+grep -q "redactApiLogValue" "$target"
+grep -q "Authorization" "$target"
+grep -q "Bearer" "$target"
+grep -q "Basic" "$target"
+grep -q "api\\[_-\\]?key" "$target"
+grep -q "secret" "$target"
+grep -q "token" "$target"
+grep -q "\\*\\*\\*REDACTED\\*\\*\\*" "$target"
+
+echo "API log view redaction guard passed."