[Security] Redact all Shopify tokens in analytics

packages/cli-kit/src/public/node/analytics.test.ts

@@ -164,12 +164,21 @@ describe('event tracking', () => {
     })
   })
 
-  test('does not send passwords to Monorail', async () => {
+  test('does not send any shopify tokens to Monorail', async () => {
     await inProjectWithFile('package.json', async (args) => {
       // Given
       const commandContent = {command: 'dev', topic: 'app'}
-      const argsWithPassword = args.concat(['--password', 'shptka_abc123'])
-      await startAnalytics({commandContent, args: argsWithPassword, currentTime: currentDate.getTime() - 100})
+      const argsWithTokens = args.concat([
+        '--password',
+        'shptka_abc123',
+        '--token',
+        'shpat_abc123',
+        '--user-token',
+        'shpua_abc123',
+        '--custom-token',
+        'shpca_abc123',
+      ])
+      await startAnalytics({commandContent, args: argsWithTokens, currentTime: currentDate.getTime() - 100})
 
       // When
       const config = {
@@ -180,7 +189,9 @@ describe('event tracking', () => {
 
       // Then
       const expectedPayloadSensitive = {
-        args: expect.stringMatching(/.*password \*\*\*\*\*/),
+        args: expect.stringMatching(
+          /.*password \*\*\*\*\*.*token \*\*\*\*\*.*user-token \*\*\*\*\*.*custom-token \*\*\*\*\*/,
+        ),
         metadata: expect.anything(),
       }
       expect(publishEventMock).toHaveBeenCalledOnce()

packages/cli-kit/src/public/node/analytics.ts

@@ -200,8 +200,8 @@ async function buildPayload({config, errorMessage, exitMode}: ReportAnalyticsEve
 
 function sanitizePayload<T>(payload: T): T {
   const payloadString = JSON.stringify(payload)
-  // Remove Theme Access passwords from the payload
-  const sanitizedPayloadString = payloadString.replace(/shptka_\w*/g, '*****')
+  // Remove Shopify tokens from the payload
+  const sanitizedPayloadString = payloadString.replace(/shp[a-z0-9]{1,6}_\w*/g, '*****')
   return JSON.parse(sanitizedPayloadString)
 }