Mask API key in serpapi account output #7

Open: ilyazub wants to merge 7 commits into main from auth-masking
ilyazub (Contributor) commented Jun 29, 2026

This pull request introduces several improvements and changes to the release workflow and CLI authentication experience. The most significant updates are the migration of Homebrew formula management from GoReleaser to a custom GitHub Actions workflow, enhancements to the login flow to prevent accidental overwrites, and improved handling of sensitive information in account output.

Release workflow and Homebrew formula management:

  • The Homebrew formula update process is now handled by a dedicated homebrew job in the GitHub Actions workflow (.github/workflows/release.yml). This job generates and pushes the updated formula directly to the homebrew-tap repository using a deploy key, replacing the previous GoReleaser-based approach.
  • The Homebrew configuration has been removed from .goreleaser.yml, and announcement steps are now explicitly skipped to avoid duplicate or unnecessary release notifications.

CLI authentication and output improvements:

  • The login command now checks if the user is already authenticated. If so, it prompts interactively before overwriting existing credentials, and in non-interactive environments, it avoids silent overwrites. This prevents accidental loss of valid credentials and improves user experience.
  • The account command now masks the API key in its output, showing only the first and last four characters, to prevent accidental exposure of sensitive information. [1] [2]

ilyazub added 6 commits June 29, 2026 06:44
account: shows 76a8…9588 (first4…last4) instead of full key.
login: detects existing auth, shows email+status, asks before overwrite.
Non-interactive pipes exit immediately if already authenticated.
An agent usability test revealed that serpapi --help shows no examples,
forcing agents and new users to guess the parameter format.
- maskAPIKey: use regex on raw bytes instead of map round-trip to
  preserve API field order
- login: exit non-zero in non-interactive mode when already logged in
  so CI key rotation scripts detect the no-op
- release.yml: use grep -F for checksum lookup (dots in filenames
  are not regex wildcards)
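
The commit note above about using a regex on raw bytes instead of a map round-trip can be seen in a small comparison. This is an added example, not code from the pull request: the names `maskKey`, `maskViaMap` and `maskRaw`, the 16-character floor and the sample JSON are assumptions made for illustration, and the regex assumes the key contains no escaped quotes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Constructed sample response; the key is a made-up value, not a real credential.
const sampleAccount = `{"plan":"free","api_key":"0123456789abcdef0123456789abcdef","account_email":"dev@example.com"}`

// reKey captures the field prefix, the value and the closing quote.
var reKey = regexp.MustCompile(`("api_key"\s*:\s*")([^"]*)(")`)

// maskKey shows first4…last4 only when at least 8 characters stay hidden;
// shorter values are hidden entirely (the floor of 16 is an assumption).
func maskKey(key string) string {
	if len(key) < 16 {
		return "****"
	}
	return key[:4] + "…" + key[len(key)-4:]
}

// maskViaMap round-trips through a map; json.Marshal sorts map keys, so order is lost.
func maskViaMap(raw []byte) ([]byte, error) {
	var m map[string]any
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if k, ok := m["api_key"].(string); ok {
		m["api_key"] = maskKey(k)
	}
	return json.Marshal(m)
}

// maskRaw rewrites only the api_key value, building each replacement in a fresh buffer.
func maskRaw(raw []byte) []byte {
	return reKey.ReplaceAllFunc(raw, func(m []byte) []byte {
		sub := reKey.FindSubmatch(m)
		out := append([]byte{}, sub[1]...)
		out = append(out, maskKey(string(sub[2]))...)
		return append(out, sub[3]...)
	})
}

func main() {
	viaMap, _ := maskViaMap([]byte(sampleAccount))
	fmt.Printf("map round-trip: %s\nraw bytes:      %s\n", viaMap, maskRaw([]byte(sampleAccount)))
}
```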

Copilot AI left a comment


Pull request overview

This PR improves the CLI UX and release automation by (1) adding richer help examples, (2) making serpapi login safer around existing credentials, and (3) reducing accidental API key exposure by masking api_key in serpapi account output. It also migrates Homebrew formula publishing from GoReleaser to a dedicated GitHub Actions job.

Changes:

  • Add multi-line Example help text for serpapi and serpapi search.
  • Update login to detect an existing valid session and avoid overwriting without confirmation (or fail in non-interactive mode).
  • Mask api_key in account command output and move Homebrew formula updates into a dedicated homebrew workflow job.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| pkg/cmd/search.go | Adds richer serpapi search help examples. |
| pkg/cmd/root.go | Adds top-level CLI usage examples. |
| pkg/cmd/login.go | Adds “already logged in” detection and overwrite prevention logic. |
| pkg/cmd/account.go | Masks api_key before printing account JSON output. |
| .goreleaser.yml | Removes Homebrew publishing config and skips announcements. |
| .github/workflows/release.yml | Adds a dedicated Homebrew formula update job using a deploy key. |


Comment thread pkg/cmd/account.go
Comment thread pkg/cmd/login.go
Comment on lines +50 to +52
// Non-interactive: exit non-zero so CI detects the no-op
return &clierrors.UsageError{Message: fmt.Sprintf("Already logged in as %s. Delete %s to re-authenticate.", account.AccountEmail, config.Path())}
}
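
Review bot: The message built with `fmt.Sprintf("Already logged in as %s. Delete %s to re-authenticate.", account.AccountEmail, config.Path())` writes the account email and the local config path into an error that, per the comment above it, is meant to be picked up by CI, where logs are often readable by more people than the account owner. Consider dropping the email from the non-interactive message and stating only that a session already exists. Separately, `clierrors.UsageError` describes a wrongly formed invocation, while this is a state condition; a distinct error lets scripts tell "already authenticated" apart from a bad command line.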

Contributor Author


Addressed in 0590580

Comment thread .github/workflows/release.yml Outdated
Comment thread .github/workflows/release.yml
… idempotent commit

- account.go: build masked JSON into fresh buffer to avoid sub-slice aliasing
- login.go: return plain error (exit 1) instead of UsageError (exit 2) for
  already-authenticated non-interactive case
- release.yml: use printf for deploy key, pin github.com host key,
  enable StrictHostKeyChecking
- release.yml: guard git commit with diff check for idempotent re-runs

Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Comment thread pkg/cmd/account.go
Comment on lines +41 to 59
var reAPIKey = regexp.MustCompile(`("api_key"\s*:\s*")([^"]{9,})(")`)

// maskAPIKey replaces the api_key value in raw JSON with a masked version (first 4 + last 4).
// Operates on raw bytes to preserve original field order.
func maskAPIKey(raw json.RawMessage) json.RawMessage {
return reAPIKey.ReplaceAllFunc(raw, func(match []byte) []byte {
sub := reAPIKey.FindSubmatch(match)
if len(sub) < 4 {
return match
}
key := string(sub[2])
masked := key[:4] + "…" + key[len(key)-4:]
var buf []byte
buf = append(buf, sub[1]...)
buf = append(buf, masked...)
buf = append(buf, sub[3]...)
return buf
})
}
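
Review bot: The `{9,}` bound in `reAPIKey` means an `api_key` value of eight characters or fewer never matches and is printed in full, and a value just over the bound keeps most of its characters visible after `key[:4] + "…" + key[len(key)-4:]` (a 9-character key shows 8 of them). Match a value of any length and replace it entirely when it is shorter than a chosen floor, so that first4…last4 is used only when a meaningful part stays hidden. Two smaller points: `[^"]` does not account for an escaped `\"` inside the value, and calling `reAPIKey.FindSubmatch(match)` inside `ReplaceAllFunc` runs the regex a second time on every match.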
Comment on lines +42 to +44
get_sha() {
echo "$CHECKSUMS" | grep -F "$1" | awk '{print $1}'
}
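
Review bot: `grep -F "$1"` in `get_sha` is a substring match over whole lines, so a filename that is a prefix or substring of another entry in `$CHECKSUMS` yields more than one hash, and a missing entry yields an empty string while the pipeline's exit status still comes from `awk`. Compare the filename field exactly and fail when nothing matches, for example `awk -v f="$1" '$2 == f {print $1; found=1} END {exit !found}'` (assuming the usual `hash  filename` layout), so an empty or wrong checksum cannot be written into the formula.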