From ee5819e988bd99bf3d3d5db85a67d19bba3eefcd Mon Sep 17 00:00:00 2001
From: Matthew Martin
Date: Sat, 14 Sep 2024 10:31:27 -0500
Subject: [PATCH] Implement Debug on Decoding/EncodingKey while redacting sensitive fields
---
 src/decoding.rs | 17 ++++++++++++++++-
 src/encoding.rs | 11 +++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/src/decoding.rs b/src/decoding.rs
index 8d87f03d..e7f72963 100644
--- a/src/decoding.rs
+++ b/src/decoding.rs
@@ -1,3 +1,5 @@
+use std::fmt::{Debug, Formatter};
+
 use base64::{engine::general_purpose::STANDARD, Engine};
 use serde::de::DeserializeOwned;
@@ -47,9 +49,22 @@ pub(crate) enum DecodingKeyKind {
 RsaModulusExponent { n: Vec, e: Vec },
 }
+impl Debug for DecodingKeyKind {
+ fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+ match self {
+ Self::SecretOrDer(_) => f.debug_tuple("SecretOrDer").field(&"[redacted]").finish(),
+ Self::RsaModulusExponent { .. } => f
+ .debug_struct("RsaModulusExponent")
+ .field("n", &"[redacted]")
+ .field("e", &"[redacted]")
+ .finish(),
+ }
+ }
+}
+
 /// All the different kind of keys we can use to decode a JWT.
 /// This key can be re-used so make sure you only initialize it once if you can for better performance.
-#[derive(Clone)]
+#[derive(Clone, Debug)]
 pub struct DecodingKey {
 pub(crate) family: AlgorithmFamily,
 pub(crate) kind: DecodingKeyKind,
diff --git a/src/encoding.rs b/src/encoding.rs
index 26f5c4c3..16d248d2 100644
--- a/src/encoding.rs
+++ b/src/encoding.rs
@@ -1,3 +1,5 @@
+use std::fmt::{Debug, Formatter};
+
 use base64::{engine::general_purpose::STANDARD, Engine};
 use serde::ser::Serialize;
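Review bot: `#[derive(Clone, Debug)]` on `DecodingKey` (second src/decoding.rs hunk) is fail-open: the derive prints every field, so redaction holds only while each field's type redacts itself, and a field added later that carries key bytes would show up in logs and panic messages. `EncodingKey` in src/encoding.rs gets a hand-written impl that names its fields explicitly; doing the same here, or at least adding `// Debug is derived: every field type must redact key material in its own Debug impl` above the derive, would keep the two types consistent. Neither file gains a test that pins the redaction, for example one asserting that `format!("{:?}", key)` for a key built from a known secret does not contain that secret. The struct body continues outside the hunk, so any fields after `family` and `kind` are not visible here.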
@@ -96,6 +98,15 @@ impl EncodingKey {
 }
 }
+impl Debug for EncodingKey {
+ fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+ f.debug_struct("EncodingKey")
+ .field("family", &self.family)
+ .field("content", &"[redacted]")
+ .finish()
+ }
+}
+
 /// Encode the header and claims given and sign the payload using the algorithm from the header and the key.
 /// If the algorithm given is RSA or EC, the key needs to be in the PEM format.
 ///
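Review bot: The new `impl Debug for EncodingKey` carries no comment saying that the key bytes are withheld on purpose, so a later cleanup to `#[derive(Debug)]` would silently start printing the signing key. A line above the impl such as `// Hand-written so the key bytes never reach logs; do not replace with #[derive(Debug)].` records the intent. As a point of style, `&"[redacted]"` goes through the Debug impl of `str` and renders with quotes like a real string value; `&format_args!("[redacted]")` would print the marker bare.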