feat: add redactCookies() method to HarSanitizer

claude · claude · commit ce53a605d6a5 · 2026-01-15T18:35:34.000Z
Add support for redacting cookie values in both requests and responses.

- Add redactCookies() method for configuring cookies to redact
- Sanitize request cookies by name
- Sanitize response cookies by name
- Support case-insensitive cookie name matching (default)
diff --git a/src/HarSanitizer.php b/src/HarSanitizer.php
@@ -31,6 +31,11 @@ final class HarSanitizer
      */
     private array $bodyFieldsToRedact = [];
 
+    /**
+     * @var string[]
+     */
+    private array $cookiesToRedact = [];
+
     private string $redactedValue = self::DEFAULT_REDACTED_VALUE;
 
     private bool $caseSensitive = false;
@@ -74,6 +79,20 @@ public function redactBodyFields(array $fieldNames): self
         return $this;
     }
 
+    /**
+     * Set cookies that should be redacted.
+     *
+     * Applies to both request and response cookies.
+     *
+     * @param string[] $cookieNames cookie names to redact
+     */
+    public function redactCookies(array $cookieNames): self
+    {
+        $this->cookiesToRedact = $cookieNames;
+
+        return $this;
+    }
+
     /**
      * Set the value to use for redacted fields.
      *
@@ -125,7 +144,7 @@ private function sanitizeEntry(Entry $entry): void
     }
 
     /**
-     * Sanitize request headers, query params, and body fields.
+     * Sanitize request headers, query params, body fields, and cookies.
      */
     private function sanitizeRequest(Request $request): void
     {
@@ -140,10 +159,14 @@ private function sanitizeRequest(Request $request): void
         if (!empty($this->bodyFieldsToRedact) && $request->hasPostData()) {
             $this->sanitizePostData($request->getPostData());
         }
+
+        if (!empty($this->cookiesToRedact)) {
+            $this->sanitizeCookies($request);
+        }
     }
 
     /**
-     * Sanitize response headers and body fields.
+     * Sanitize response headers, body fields, and cookies.
      */
     private function sanitizeResponse(Response $response): void
     {
@@ -154,6 +177,10 @@ private function sanitizeResponse(Response $response): void
         if (!empty($this->bodyFieldsToRedact)) {
             $this->sanitizeContent($response->getContent());
         }
+
+        if (!empty($this->cookiesToRedact)) {
+            $this->sanitizeCookies($response);
+        }
     }
 
     /**
@@ -300,4 +327,16 @@ private function redactArrayFields(mixed $data): mixed
 
         return $data;
     }
+
+    /**
+     * Sanitize cookies on a request or response.
+     */
+    private function sanitizeCookies(Request|Response $message): void
+    {
+        foreach ($message->getCookies() as $cookie) {
+            if ($this->shouldRedact($cookie->getName(), $this->cookiesToRedact)) {
+                $cookie->setValue($this->redactedValue);
+            }
+        }
+    }
 }
diff --git a/tests/src/Unit/HarSanitizerTest.php b/tests/src/Unit/HarSanitizerTest.php
@@ -6,6 +6,7 @@
 
 use Deviantintegral\Har\Cache;
 use Deviantintegral\Har\Content;
+use Deviantintegral\Har\Cookie;
 use Deviantintegral\Har\Creator;
 use Deviantintegral\Har\Entry;
 use Deviantintegral\Har\Har;
@@ -566,6 +567,94 @@ public function testRedactBodyFieldsJsonPreservesSlashesAndUnicode(): void
         $this->assertEquals('[REDACTED]', $data['password']);
     }
 
+    public function testRedactCookies(): void
+    {
+        $har = $this->createHarWithRequestCookies([
+            'session_id' => 'abc123',
+            'tracking' => 'xyz789',
+            'preferences' => 'dark_mode',
+        ]);
+
+        $sanitizer = new HarSanitizer();
+        $sanitizer->redactCookies(['session_id', 'tracking']);
+
+        $sanitized = $sanitizer->sanitize($har);
+
+        $cookies = $sanitized->getLog()->getEntries()[0]->getRequest()->getCookies();
+        $cookieMap = $this->cookiesToMap($cookies);
+
+        $this->assertEquals('[REDACTED]', $cookieMap['session_id']);
+        $this->assertEquals('[REDACTED]', $cookieMap['tracking']);
+        $this->assertEquals('dark_mode', $cookieMap['preferences']);
+    }
+
+    public function testRedactResponseCookies(): void
+    {
+        $har = $this->createHarWithResponseCookies([
+            'session_id' => 'secret-session',
+            'auth_token' => 'secret-token',
+            'locale' => 'en_US',
+        ]);
+
+        $sanitizer = new HarSanitizer();
+        $sanitizer->redactCookies(['session_id', 'auth_token']);
+
+        $sanitized = $sanitizer->sanitize($har);
+
+        $cookies = $sanitized->getLog()->getEntries()[0]->getResponse()->getCookies();
+        $cookieMap = $this->cookiesToMap($cookies);
+
+        $this->assertEquals('[REDACTED]', $cookieMap['session_id']);
+        $this->assertEquals('[REDACTED]', $cookieMap['auth_token']);
+        $this->assertEquals('en_US', $cookieMap['locale']);
+    }
+
+    public function testRedactCookiesCaseInsensitive(): void
+    {
+        $har = $this->createHarWithRequestCookies([
+            'SESSION_ID' => 'secret1',
+            'Session_Id' => 'secret2',
+        ]);
+
+        $sanitizer = new HarSanitizer();
+        $sanitizer->redactCookies(['session_id']);
+
+        $sanitized = $sanitizer->sanitize($har);
+
+        $cookies = $sanitized->getLog()->getEntries()[0]->getRequest()->getCookies();
+        $cookieMap = $this->cookiesToMap($cookies);
+
+        $this->assertEquals('[REDACTED]', $cookieMap['SESSION_ID']);
+        $this->assertEquals('[REDACTED]', $cookieMap['Session_Id']);
+    }
+
+    public function testRedactCookiesFluentInterface(): void
+    {
+        $sanitizer = new HarSanitizer();
+
+        $result = $sanitizer->redactCookies(['session_id']);
+
+        $this->assertSame($sanitizer, $result);
+    }
+
+    public function testRedactCookiesOriginalUnmodified(): void
+    {
+        $har = $this->createHarWithRequestCookies([
+            'session_id' => 'original-value',
+        ]);
+
+        $originalValue = $har->getLog()->getEntries()[0]->getRequest()->getCookies()[0]->getValue();
+
+        $sanitizer = new HarSanitizer();
+        $sanitizer->redactCookies(['session_id']);
+        $sanitizer->sanitize($har);
+
+        // Original should be unchanged
+        $currentValue = $har->getLog()->getEntries()[0]->getRequest()->getCookies()[0]->getValue();
+        $this->assertEquals($originalValue, $currentValue);
+        $this->assertEquals('original-value', $currentValue);
+    }
+
     public function testWithRealFixture(): void
     {
         $repository = $this->getHarFileRepository();
@@ -879,4 +968,67 @@ private function createHarWithTextResponse(string $text): Har
 
         return $this->createHarWithResponse($response);
     }
+
+    /**
+     * @param array<string, string> $cookies
+     */
+    private function createHarWithRequestCookies(array $cookies): Har
+    {
+        $cookieObjects = [];
+        foreach ($cookies as $name => $value) {
+            $cookie = (new Cookie())->setName($name)->setValue($value);
+            $cookieObjects[] = $cookie;
+        }
+
+        $request = (new Request())
+            ->setMethod('GET')
+            ->setUrl(new Uri('https://example.com'))
+            ->setHeaders([])
+            ->setCookies($cookieObjects)
+            ->setHttpVersion('HTTP/1.1');
+
+        return $this->createHarWithRequest($request);
+    }
+
+    /**
+     * @param array<string, string> $cookies
+     */
+    private function createHarWithResponseCookies(array $cookies): Har
+    {
+        $cookieObjects = [];
+        foreach ($cookies as $name => $value) {
+            $cookie = (new Cookie())->setName($name)->setValue($value);
+            $cookieObjects[] = $cookie;
+        }
+
+        $content = (new Content())
+            ->setSize(0)
+            ->setCompression(0);
+
+        $response = (new Response())
+            ->setStatus(200)
+            ->setStatusText('OK')
+            ->setHeaders([])
+            ->setCookies($cookieObjects)
+            ->setHttpVersion('HTTP/1.1')
+            ->setContent($content)
+            ->setRedirectURL(new Uri(''));
+
+        return $this->createHarWithResponse($response);
+    }
+
+    /**
+     * @param Cookie[] $cookies
+     *
+     * @return array<string, string>
+     */
+    private function cookiesToMap(array $cookies): array
+    {
+        $map = [];
+        foreach ($cookies as $cookie) {
+            $map[$cookie->getName()] = $cookie->getValue();
+        }
+
+        return $map;
+    }
 }
