@viss-develop/affiliate-sdk

React Native Affiliate SDK with AppsFlyer integration

# Security Documentation

## Logging Security

### ⚠️ **Previous Security Issues**

The original SDK had several critical security vulnerabilities in its logging:

#### **1. Sensitive Data Exposure**

```typescript
// ❌ EXPOSED SENSITIVE DATA
console.log('🚀 Initializing AppsFlyer with config:', {
  devKey: config.devKey,   // Exposed AppsFlyer dev key
  appId: config.appId,     // Exposed app ID
  isDebug: config.isDebug
});

console.log('📊 Install Conversion Data Details:', {
  status,
  data,                    // Exposed full user data
  fullResponseData: res,   // Exposed complete response
  keys: Object.keys(res)
});
```

#### **2. Full Response Logging**

```typescript
// ❌ EXPOSED COMPLETE RESPONSE
console.log('🔍 Full response structure:', JSON.stringify(res, null, 2));
```

#### **3. Local Storage Values**

```typescript
// ❌ EXPOSED STORED VALUES
console.log(`💾 Saved ${key} to local storage:`, value);
console.log(`📖 Retrieved ${key} from local storage:`, value);
```

### ✅ **Security Improvements**

#### **1. Secure Logging Utility**

Implemented a `SecureLogger` class that:

- **Respects debug mode**: Only logs when `isDebug: true`
- **Masks sensitive data**: Automatically masks sensitive keys
- **Provides different log levels**: `log()`, `error()`, `warn()`

```typescript
class SecureLogger {
  private isDebug: boolean = false;

  setDebugMode(enabled: boolean) {
    this.isDebug = enabled;
  }

  private maskSensitiveData(data: any): any {
    // Masks sensitive keys like devKey, apiToken, clickId, etc.
    const sensitiveKeys = ['devKey', 'apiToken', 'clickId', 'click_id', 'campaignId', 'campaign_id'];
    // Returns masked data for logging
  }
}
```

#### **2. Data Masking**

Sensitive data is automatically masked:

```typescript
// Before: "abc123def456"
// After:  "abc1***def4"
```

#### **3. Production-Safe Defaults**

- **Debug mode off by default**: `isDebug: false` in production
- **No sensitive data exposure**: All sensitive data is masked
- **Controlled logging**: Only essential errors are logged in production

### 🔒 **Security Features**

#### **1. Automatic Data Masking**

The logger automatically masks:

- `devKey` → `abc1***def4`
- `apiToken` → `tok1***ken4`
- `clickId` → `cli1***id4`
- `campaignId` → `***`
- `fullResponseData` → `[MASKED]`
- `data` object → `[MASKED_DATA]`

#### **2. Debug Mode Control**

```typescript
// Development (debug on)
await initAppsFlyer({
  devKey: 'your-dev-key',
  appId: 'your-app-id',
  apiToken: 'your-api-token',
  isDebug: true // ✅ Logs are visible
});

// Production (debug off)
await initAppsFlyer({
  devKey: 'your-dev-key',
  appId: 'your-app-id',
  apiToken: 'your-api-token',
  isDebug: false // ✅ No sensitive data logged
});
```

#### **3. Error Handling**

- **Production errors**: Only essential error messages (no sensitive data)
- **Development errors**: Full error details for debugging
- **Masked error data**: Sensitive information in errors is masked

### 📋 **Usage Guidelines**

#### **For Development**

```typescript
// Enable debug mode for development
await initAppsFlyer({
  devKey: 'your-dev-key',
  appId: 'your-app-id',
  apiToken: 'your-api-token',
  isDebug: true // Shows masked logs
});
```

#### **For Production**

```typescript
// Disable debug mode for production
await initAppsFlyer({
  devKey: 'your-dev-key',
  appId: 'your-app-id',
  apiToken: 'your-api-token',
  isDebug: false // No logs, maximum security
});
```

### 🛡️ **Security Best Practices**

1. **Always set `isDebug: false` in production**
2. **Never log sensitive data directly**
3. **Use the secure logger for all logging**
4. **Regularly audit logging statements**
5. **Monitor for any new sensitive data exposure**

### 🔍 **Verification**

To verify the security improvements:

1. **Check production logs**: No sensitive data should be visible
2. **Test debug mode**: Sensitive data should be masked
3. **Verify masking**: Sensitive keys should show as `abc1***def4` format
4. **Confirm no exposure**: No raw `devKey`, `apiToken`, or `clickId` values

### 📝 **Migration Guide**

If you're upgrading from a previous version:

1. **Update initialization**: Ensure `isDebug` is set appropriately
2. **Review existing logs**: Check for any custom logging that might expose data
3. **Test in development**: Verify logs are properly masked
4. **Deploy to production**: Confirm no sensitive data is logged

The SDK is now production-ready with secure logging practices! 🎯
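The `SecureLogger` shown under Security Improvements is only a sketch. What follows is an added example, not the SDK's own code, of a logger that implements the masking rules listed under Security Features: the key names and the `[MASKED]`, `[MASKED_DATA]` and `***` placeholders come from this document, while the recursion into nested objects and arrays and the exact characters kept around the `***` (first four and last four here) are assumptions.

```typescript
// Added example (not @viss-develop/affiliate-sdk code). Key names follow the
// SDK's documentation; the prefix/suffix kept by maskValue is an assumption.
type Json = unknown;

// Keys whose string values are partially masked.
const SENSITIVE_KEYS = ['devKey', 'apiToken', 'clickId', 'click_id'];
// Keys whose values are replaced entirely by '***'.
const FULLY_MASKED_KEYS = ['campaignId', 'campaign_id'];

// Keep 4 leading and 4 trailing characters; fully mask short values so that
// a masked short secret does not leak most of its characters.
function maskValue(value: string): string {
  if (value.length <= 8) return '***';
  return `${value.slice(0, 4)}***${value.slice(-4)}`;
}

// Walk any JSON-like value and return a copy safe to hand to console.log.
function maskSensitiveData(data: Json): Json {
  if (Array.isArray(data)) return data.map(maskSensitiveData);
  if (data === null || typeof data !== 'object') return data;
  const src = data as Record<string, Json>;
  const out: Record<string, Json> = {};
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (key === 'fullResponseData') out[key] = '[MASKED]';
    else if (key === 'data' && val !== null && typeof val === 'object') out[key] = '[MASKED_DATA]';
    else if (FULLY_MASKED_KEYS.indexOf(key) !== -1) out[key] = '***';
    else if (SENSITIVE_KEYS.indexOf(key) !== -1) out[key] = typeof val === 'string' ? maskValue(val) : '***';
    else out[key] = maskSensitiveData(val); // recurse into nested structures
  }
  return out;
}

class SecureLogger {
  private isDebug = false;
  setDebugMode(enabled: boolean): void { this.isDebug = enabled; }
  // Debug-only output; payload is masked even in development.
  log(message: string, payload?: Json): void {
    if (!this.isDebug) return;
    console.log(message, payload === undefined ? '' : maskSensitiveData(payload));
  }
  // Production gets the essential message only; details only in debug mode.
  error(message: string, err?: unknown): void {
    if (!this.isDebug) { console.error(message); return; }
    const detail = err instanceof Error ? { name: err.name, message: err.message } : err;
    console.error(message, maskSensitiveData(detail));
  }
}
```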