use Redacted for ApiSecurity

packages/platform-node/examples/api.ts

@@ -12,7 +12,7 @@ import {
 } from "@effect/platform"
 import { NodeHttpServer, NodeRuntime } from "@effect/platform-node"
 import { Schema } from "@effect/schema"
-import { Context, Effect, Layer } from "effect"
+import { Context, Effect, Layer, Redacted } from "effect"
 import { createServer } from "node:http"
 
 class User extends Schema.Class<User>("User")({
@@ -31,7 +31,7 @@ const security = ApiSecurity.bearer()
 const securityMiddleware = ApiBuilder.middlewareSecurity(
   security,
   CurrentUser,
-  (token) => Effect.succeed(new User({ id: 1000, name: `Authenticated with ${token}` }))
+  (token) => Effect.succeed(new User({ id: 1000, name: `Authenticated with ${Redacted.value(token)}` }))
 )
 
 const users = ApiGroup.make("users").pipe(

packages/platform/src/ApiBuilder.ts

@@ -14,6 +14,7 @@ import * as Layer from "effect/Layer"
 import * as Option from "effect/Option"
 import { type Pipeable, pipeArguments } from "effect/Pipeable"
 import type { ReadonlyRecord } from "effect/Record"
+import * as Redacted from "effect/Redacted"
 import type { Scope } from "effect/Scope"
 import type { Covariant, Mutable, NoInfer } from "effect/Types"
 import { unify } from "effect/Unify"
@@ -478,7 +479,7 @@ export const securityDecode = <Security extends ApiSecurity.ApiSecurity>(
       const prefixLen = `${self.prefix} `.length
       return Effect.map(
         HttpServerRequest.HttpServerRequest,
-        (request) => (request.headers.authorization ?? "").slice(prefixLen) as any
+        (request) => Redacted.make((request.headers.authorization ?? "").slice(prefixLen)) as any
       )
     }
     case "ApiKey": {
@@ -491,14 +492,14 @@ export const securityDecode = <Security extends ApiSecurity.ApiSecurity>(
           : HttpServerRequest.schemaHeaders(schema)
       )
       return Effect.match(decode, {
-        onFailure: () => "" as any,
-        onSuccess: (match) => match[self.key]
+        onFailure: () => Redacted.make("") as any,
+        onSuccess: (match) => Redacted.make(match[self.key])
       })
     }
     case "Basic": {
       const empty: ApiSecurity.ApiSecurity.Type<Security> = {
         username: "",
-        password: ""
+        password: Redacted.make("")
       } as any
       return HttpServerRequest.HttpServerRequest.pipe(
         Effect.flatMap((request) => Encoding.decodeBase64String(request.headers.authorization ?? "")),
@@ -511,7 +512,7 @@ export const securityDecode = <Security extends ApiSecurity.ApiSecurity>(
             }
             return {
               username: parts[0],
-              password: parts[1]
+              password: Redacted.make(parts[1])
             } as any
           }
         })

packages/platform/src/ApiSecurity.ts

@@ -4,6 +4,7 @@
 import * as Context from "effect/Context"
 import { dual } from "effect/Function"
 import { type Pipeable, pipeArguments } from "effect/Pipeable"
+import type { Redacted } from "effect/Redacted"
 import type { Covariant } from "effect/Types"
 
 /**
@@ -51,7 +52,7 @@ export declare namespace ApiSecurity {
  * @since 1.0.0
  * @category models
  */
-export interface Bearer extends ApiSecurity.Proto<string> {
+export interface Bearer extends ApiSecurity.Proto<Redacted> {
   readonly _tag: "Bearer"
   readonly prefix: string
 }
@@ -60,7 +61,7 @@ export interface Bearer extends ApiSecurity.Proto<string> {
  * @since 1.0.0
  * @category models
  */
-export interface ApiKey extends ApiSecurity.Proto<string> {
+export interface ApiKey extends ApiSecurity.Proto<Redacted> {
   readonly _tag: "ApiKey"
   readonly in: "header" | "query"
   readonly key: string
@@ -80,7 +81,7 @@ export interface Basic extends ApiSecurity.Proto<Credentials> {
  */
 export interface Credentials {
   readonly username: string
-  readonly password: string
+  readonly password: Redacted
 }
 
 const Proto = {