Add print plugins for RESTClient debugging with security redaction

Author: Jeehut

Sources/HandySwift/HandySwift.docc/Essentials/New Types.md

@@ -109,6 +109,32 @@ Note that the ``Debouncer`` was stored in a property so ``Debouncer/cancelAll()`
 
 > Note: If you need multiple debouncing operations in one view, you don't need multiple debouncers. Just pass an `id` to the delay function. 
 
+### Networking & Debugging
+
+Building REST API clients is common in modern apps. HandySwift provides ``RESTClient`` to simplify this:
+
+```swift
+let client = RESTClient(
+    baseURL: URL(string: "https://api.example.com")!,
+    baseHeaders: ["Authorization": "Bearer \(token)"],
+    errorBodyToMessage: { _ in "Error" }
+)
+
+let user: User = try await client.fetchAndDecode(method: .get, path: "users/me")
+```
+
+When debugging API issues, add print plugins with the `debugOnly: true` parameter:
+
+```swift
+let client = RESTClient(
+    baseURL: URL(string: "https://api.example.com")!,
+    requestPlugins: [PrintRequestPlugin(debugOnly: true)],   // Debug requests
+    responsePlugins: [PrintResponsePlugin(debugOnly: true)], // Debug responses
+    errorBodyToMessage: { try JSONDecoder().decode(YourAPIErrorType.self, from: $0).message }
+)
+```
+
+These plugins are particularly helpful when adopting new APIs, providing detailed request/response information to help diagnose issues. The `debugOnly: true` parameter ensures they only operate in DEBUG builds, making them safe to leave in your code.
 
 ## Topics
 
@@ -127,6 +153,12 @@ Note that the ``Debouncer`` was stored in a property so ``Debouncer/cancelAll()`
 - ``Debouncer``
 - ``OperatingSystem`` (short: ``OS``)
 
+### Networking & Debugging
+
+- ``RESTClient``
+- ``PrintRequestPlugin``
+- ``PrintResponsePlugin``
+
 ### Other
 
 - ``delay(by:qosClass:_:)-8iw4f``

Sources/HandySwift/Types/PrintRequestPlugin.swift

@@ -0,0 +1,137 @@
+import Foundation
+
+#if canImport(FoundationNetworking)
+   import FoundationNetworking
+#endif
+
+/// A plugin for debugging HTTP requests by printing request details to the console.
+///
+/// This plugin prints comprehensive request information including URL, HTTP method, headers, and body content.
+/// It's designed as a debugging tool and should only be used temporarily during development.
+///
+/// ## Usage
+///
+/// Add to your RESTClient for debugging:
+///
+/// ```swift
+/// let client = RESTClient(
+///     baseURL: URL(string: "https://api.example.com")!,
+///     requestPlugins: [PrintRequestPlugin()],  // debugOnly: true, redactAPIKey: true by default
+///     errorBodyToMessage: { _ in "Error" }
+/// )
+/// ```
+///
+/// Both `debugOnly` and `redactAPIKey` default to `true` for security. You can disable these built-in protections if needed:
+///
+/// ```swift
+/// // Default behavior (recommended)
+/// PrintRequestPlugin()  // debugOnly: true, redactAPIKey: true
+///
+/// // Disable debugOnly to log in production (discouraged)
+/// PrintRequestPlugin(debugOnly: false)
+///
+/// // Disable redactAPIKey for debugging auth issues (use carefully)
+/// PrintRequestPlugin(redactAPIKey: false)
+/// ```
+///
+/// ## Output Example
+///
+/// ```
+/// [RESTClient] Sending POST request to 'https://api.example.com/v1/users'
+///
+/// Headers:
+///   Authorization: Bearer [redacted]
+///   Content-Type: application/json
+///   User-Agent: MyApp/1.0
+///
+/// Body:
+/// {
+///   "name": "John Doe",
+///   "email": "[email protected]"
+/// }
+/// ```
+///
+/// - Note: By default, logging only occurs in DEBUG builds and API keys are redacted for security.
+/// - Important: The plugin is safe to leave in your code with default settings thanks to `debugOnly` protection.
+@available(iOS 16, macOS 13, tvOS 16, watchOS 9, *)
+public struct PrintRequestPlugin: RESTClient.RequestPlugin {
+   /// Whether logging should only occur in DEBUG builds.
+   ///
+   /// When `true` (default), requests are only logged in DEBUG builds.
+   /// When `false`, requests are logged in both DEBUG and release builds (not recommended for production).
+   public let debugOnly: Bool
+
+   /// Whether to redact API keys from Authorization headers in output.
+   ///
+   /// When `true` (default), Authorization headers are replaced with "[redacted]" for security.
+   /// When `false`, the full header value is shown (use carefully for debugging auth issues).
+   public let redactAPIKey: Bool
+
+   /// Creates a new print request plugin.
+   ///
+   /// - Parameters:
+   ///   - debugOnly: Whether logging should only occur in DEBUG builds. Defaults to `true`.
+   ///   - redactAPIKey: Whether to redact API keys from Authorization headers. Defaults to `true`.
+   public init(debugOnly: Bool = true, redactAPIKey: Bool = true) {
+      self.debugOnly = debugOnly
+      self.redactAPIKey = redactAPIKey
+   }
+
+   /// Applies the plugin to the request, printing request details if conditions are met.
+   ///
+   /// This method is called automatically by RESTClient before sending the request.
+   ///
+   /// - Parameter request: The URLRequest to potentially log and pass through unchanged.
+   public func apply(to request: inout URLRequest) {
+      if self.debugOnly {
+         #if DEBUG
+            self.printRequest(request)
+         #endif
+      } else {
+         self.printRequest(request)
+      }
+   }
+
+   /// Prints detailed request information to the console.
+   ///
+   /// - Parameter request: The URLRequest to print details for.
+   private func printRequest(_ request: URLRequest) {
+      var requestBodyString: String?
+      if let bodyData = request.httpBody {
+         requestBodyString = String(data: bodyData, encoding: .utf8)
+      }
+
+      // Clean headers formatting - sorted alphabetically for consistency
+      let cleanHeaders = (request.allHTTPHeaderFields ?? [:])
+         .sorted { $0.key < $1.key }
+         .map { "  \($0.key): \(self.shouldRedactHeader($0.key) ? "[redacted]" : $0.value)" }
+         .joined(separator: "\n")
+      let headersString = cleanHeaders.isEmpty ? "  (none)" : "\n\(cleanHeaders)"
+
+      print(
+         "[RESTClient] Sending \(request.httpMethod!) request to '\(request.url!)'\n\nHeaders:\(headersString)\n\nBody:\n\(requestBodyString ?? "No body")"
+      )
+   }
+
+   /// Determines whether a header should be redacted for security.
+   ///
+   /// - Parameter headerName: The header name to check.
+   /// - Returns: `true` if the header should be redacted when `redactAPIKey` is enabled.
+   private func shouldRedactHeader(_ headerName: String) -> Bool {
+      guard self.redactAPIKey else { return false }
+
+      let lowercasedName = headerName.lowercased()
+
+      // Exact header name matches
+      let exactMatches = [
+         "authorization", "cookie", "set-cookie", "x-api-key", "x-auth-token",
+         "x-access-token", "bearer", "apikey", "api-key", "access-token",
+         "refresh-token", "jwt", "session-token", "csrf-token", "x-csrf-token", "x-session-id",
+      ]
+
+      // Substring patterns that indicate sensitive content
+      let sensitivePatterns = ["password", "secret", "token"]
+
+      return exactMatches.contains(lowercasedName) || sensitivePatterns.contains { lowercasedName.contains($0) }
+   }
+}

Sources/HandySwift/Types/PrintResponsePlugin.swift

@@ -0,0 +1,149 @@
+import Foundation
+
+#if canImport(FoundationNetworking)
+   import FoundationNetworking
+#endif
+
+/// A plugin for debugging HTTP responses by printing response details to the console.
+///
+/// This plugin prints comprehensive response information including status code, headers, and body content.
+/// It's designed as a debugging tool and should only be used temporarily during development.
+///
+/// ## Usage
+///
+/// Add to your RESTClient for debugging:
+///
+/// ```swift
+/// let client = RESTClient(
+///     baseURL: URL(string: "https://api.example.com")!,
+///     responsePlugins: [PrintResponsePlugin()],  // debugOnly: true, redactAPIKey: true by default
+///     errorBodyToMessage: { _ in "Error" }
+/// )
+/// ```
+///
+/// Both `debugOnly` and `redactAPIKey` default to `true` for security. You can disable these built-in protections if needed:
+///
+/// ```swift
+/// // Default behavior (recommended)
+/// PrintResponsePlugin()  // debugOnly: true, redactAPIKey: true
+///
+/// // Disable debugOnly to log in production (discouraged)
+/// PrintResponsePlugin(debugOnly: false)
+///
+/// // Disable redactAPIKey for debugging auth issues (use carefully)
+/// PrintResponsePlugin(redactAPIKey: false)
+/// ```
+///
+/// ## Output Example
+///
+/// ```
+/// [RESTClient] Response 200 from 'https://api.example.com/v1/users/123'
+///
+/// Response headers:
+///   Content-Type: application/json
+///   Date: Wed, 08 Aug 2025 10:30:00 GMT
+///   Server: nginx/1.18.0
+///   Set-Cookie: session_token=[redacted]
+///   X-Request-ID: req_abc123def456
+///
+/// Response body:
+/// {
+///   "id": 123,
+///   "name": "John Doe",
+///   "email": "[email protected]",
+///   "created_at": "2023-08-01T10:30:00Z"
+/// }
+/// ```
+///
+/// - Note: By default, logging only occurs in DEBUG builds and API keys are redacted for security.
+/// - Important: The plugin is safe to leave in your code with default settings thanks to `debugOnly` protection.
+@available(iOS 16, macOS 13, tvOS 16, watchOS 9, *)
+public struct PrintResponsePlugin: RESTClient.ResponsePlugin {
+   /// Whether logging should only occur in DEBUG builds.
+   ///
+   /// When `true` (default), responses are only logged in DEBUG builds.
+   /// When `false`, responses are logged in both DEBUG and release builds (not recommended for production).
+   public let debugOnly: Bool
+
+   /// Whether to redact API keys from sensitive headers in output.
+   ///
+   /// When `true` (default), sensitive headers like Authorization and Set-Cookie are replaced with "[redacted]" for security.
+   /// When `false`, the full header value is shown (use carefully for debugging auth issues).
+   public let redactAPIKey: Bool
+
+   /// Creates a new print response plugin.
+   ///
+   /// - Parameters:
+   ///   - debugOnly: Whether logging should only occur in DEBUG builds. Defaults to `true`.
+   ///   - redactAPIKey: Whether to redact API keys from sensitive headers. Defaults to `true`.
+   public init(debugOnly: Bool = true, redactAPIKey: Bool = true) {
+      self.debugOnly = debugOnly
+      self.redactAPIKey = redactAPIKey
+   }
+
+   /// Applies the plugin to the response, printing response details if conditions are met.
+   ///
+   /// This method is called automatically by RESTClient after receiving the response.
+   /// The response and data are passed through unchanged.
+   ///
+   /// - Parameters:
+   ///   - response: The HTTPURLResponse to potentially log.
+   ///   - data: The response body data to potentially log.
+   /// - Throws: Does not throw errors, but passes through any errors from the response processing.
+   public func apply(to response: inout HTTPURLResponse, data: inout Data) throws {
+      if self.debugOnly {
+         #if DEBUG
+            self.printResponse(response, data: data)
+         #endif
+      } else {
+         self.printResponse(response, data: data)
+      }
+   }
+
+   /// Prints detailed response information to the console.
+   ///
+   /// - Parameters:
+   ///   - response: The HTTPURLResponse to print details for.
+   ///   - data: The response body data to print.
+   private func printResponse(_ response: HTTPURLResponse, data: Data) {
+      var responseBodyString: String?
+      if !data.isEmpty {
+         responseBodyString = String(data: data, encoding: .utf8)
+      }
+
+      // Clean headers formatting - sorted alphabetically for consistency, no AnyHashable wrappers
+      var headersString = ""
+      let cleanHeaders = response.allHeaderFields
+         .compactMapValues { "\($0)" }
+         .sorted { "\($0.key)" < "\($1.key)" }
+         .map { "  \($0.key): \(self.shouldRedactHeader("\($0.key)") ? "[redacted]" : $0.value)" }
+         .joined(separator: "\n")
+      headersString = cleanHeaders.isEmpty ? "  (none)" : "\n\(cleanHeaders)"
+
+      print(
+         "[RESTClient] Response \(response.statusCode) from '\(response.url!)'\n\nResponse headers:\(headersString)\n\nResponse body:\n\(responseBodyString ?? "No body")"
+      )
+   }
+
+   /// Determines whether a header should be redacted for security.
+   ///
+   /// - Parameter headerName: The header name to check.
+   /// - Returns: `true` if the header should be redacted when `redactAPIKey` is enabled.
+   private func shouldRedactHeader(_ headerName: String) -> Bool {
+      guard self.redactAPIKey else { return false }
+
+      let lowercasedName = headerName.lowercased()
+
+      // Exact header name matches
+      let exactMatches = [
+         "authorization", "cookie", "set-cookie", "x-api-key", "x-auth-token",
+         "x-access-token", "bearer", "apikey", "api-key", "access-token",
+         "refresh-token", "jwt", "session-token", "csrf-token", "x-csrf-token", "x-session-id",
+      ]
+
+      // Substring patterns that indicate sensitive content
+      let sensitivePatterns = ["password", "secret", "token"]
+
+      return exactMatches.contains(lowercasedName) || sensitivePatterns.contains { lowercasedName.contains($0) }
+   }
+}

Sources/HandySwift/Types/RESTClient.swift

@@ -188,9 +188,11 @@ public final class RESTClient: Sendable {
       extraQueryItems: [URLQueryItem] = [],
       errorContext: String? = nil
    ) async throws(APIError) -> Data {
-      let url = self.baseURL
-         .appending(path: path)
-         .appending(queryItems: self.baseQueryItems + extraQueryItems)
+      let allQueryItems = self.baseQueryItems + extraQueryItems
+      var url = self.baseURL.appending(path: path)
+      if !allQueryItems.isEmpty {
+         url = url.appending(queryItems: allQueryItems)
+      }
 
       var request = URLRequest(url: url)
       request.httpMethod = method.rawValue
@@ -226,8 +228,6 @@ public final class RESTClient: Sendable {
    }
 
    private func performRequest(_ request: URLRequest, errorContext: String?) async throws(APIError) -> (Data, URLResponse) {
-      self.logRequestIfDebug(request)
-
       let data: Data
       let response: URLResponse
       do {
@@ -236,7 +236,6 @@ public final class RESTClient: Sendable {
          throw APIError.failedToLoadData(error, self.errorContext(requestContext: errorContext))
       }
 
-      self.logResponseIfDebug(response, data: data)
       return (data, response)
    }
 
@@ -305,30 +304,4 @@ public final class RESTClient: Sendable {
          throw .unexpectedStatusCode(httpResponse.statusCode, self.errorContext(requestContext: errorContext))
       }
    }
-
-   private func logRequestIfDebug(_ request: URLRequest) {
-      #if DEBUG
-         var requestBodyString: String?
-         if let bodyData = request.httpBody {
-            requestBodyString = String(data: bodyData, encoding: .utf8)
-         }
-
-         print(
-            "[\(self)] Sending \(request.httpMethod!) request to '\(request.url!)': \(request)\n\nHeaders:\n\(request.allHTTPHeaderFields ?? [:])\n\nBody:\n\(requestBodyString ?? "No body")"
-         )
-      #endif
-   }
-
-   private func logResponseIfDebug(_ response: URLResponse, data: Data?) {
-      #if DEBUG
-         var responseBodyString: String?
-         if let data = data {
-            responseBodyString = String(data: data, encoding: .utf8)
-         }
-
-         print(
-            "[\(self)] Received response & body from '\(response.url!)': \(response)\n\nResponse headers:\n\((response as? HTTPURLResponse)?.allHeaderFields ?? [:])\n\nResponse body:\n\(responseBodyString ?? "No body")"
-         )
-      #endif
-   }
 }