fix(data-warehouse): redact openweather appid from error messages

OpenWeather sends the API key as the `appid` query param, so `response.url`
contains it. `raise_for_status()` embeds that URL in the HTTPError message, which
would leak the key into the sync's stored error and logs. Re-raise with the
`appid` value redacted (keeping the host prefix intact for non-retryable-error
matching). Adds tests for the redaction helper and the end-to-end fetch path.

Generated-By: PostHog Code
Task-Id: b4a325cd-69a4-4d18-887a-793c05cf7755

Author: Gilbert09

posthog/temporal/data_imports/sources/openweather/openweather.py

@@ -1,3 +1,4 @@
+import re
 import dataclasses
 from collections.abc import Iterator
 from datetime import UTC, datetime
@@ -75,6 +76,15 @@ def _build_url(path: str, params: dict[str, Any]) -> str:
     return f"{OPENWEATHER_BASE_URL}{path}?{urlencode(params)}"
 
 
+# The API key is passed as the `appid` query param, so it ends up in `response.url`. `raise_for_status()`
+# embeds that URL in its message, which would otherwise leak the key into the sync's stored error and logs.
+_APPID_RE = re.compile(r"(appid=)[^&\s]+", re.IGNORECASE)
+
+
+def _redact_appid(text: str) -> str:
+    return _APPID_RE.sub(r"\1REDACTED", text)
+
+
 @retry(
     retry=retry_if_exception_type((OpenWeatherRetryableError, requests.ReadTimeout, requests.ConnectionError)),
     stop=stop_after_attempt(MAX_RETRY_ATTEMPTS),
@@ -90,7 +100,12 @@ def _fetch(session: requests.Session, url: str, logger: FilteringBoundLogger) ->
 
     if not response.ok:
         logger.error(f"OpenWeather API error: status={response.status_code}, body={response.text}")
-        response.raise_for_status()
+        try:
+            response.raise_for_status()
+        except requests.HTTPError as exc:
+            # Re-raise with the `appid` redacted so the key never reaches stored errors / logs, keeping the
+            # `... for url: https://api.openweathermap.org` prefix intact for `get_non_retryable_errors()`.
+            raise requests.HTTPError(_redact_appid(str(exc)), response=exc.response) from None
 
     return response.json()
 

posthog/temporal/data_imports/sources/openweather/tests/test_openweather.py

@@ -15,6 +15,7 @@
     _dt_to_iso,
     _fetch,
     _normalize_rows,
+    _redact_appid,
     get_rows,
     openweather_source,
     parse_locations,
@@ -85,6 +86,20 @@ def test_dt_to_iso(self, dt, expected):
         assert _dt_to_iso(dt) == expected
 
 
+class TestRedactAppid:
+    @pytest.mark.parametrize(
+        "text, expected",
+        [
+            ("https://x/?lat=1&appid=secret", "https://x/?lat=1&appid=REDACTED"),
+            ("https://x/?appid=secret&lat=1", "https://x/?appid=REDACTED&lat=1"),
+            ("APPID=secret", "APPID=REDACTED"),  # case-insensitive
+            ("no key here", "no key here"),
+        ],
+    )
+    def test_redact(self, text, expected):
+        assert _redact_appid(text) == expected
+
+
 class TestBuildUrl:
     def test_includes_coords_and_appid(self):
         url = _build_url("/data/2.5/weather", {"lat": 51.5, "lon": -0.12, "appid": "secret-key"})
@@ -162,6 +177,29 @@ def test_client_error_raises_for_status(self):
         with pytest.raises(requests.HTTPError):
             _fetch_once(session, "https://example.com", structlog.get_logger())
 
+    def test_error_message_redacts_appid(self):
+        # The API key is passed as `appid`, so the raise_for_status URL must not leak it into the error.
+        resp = mock.MagicMock()
+        resp.status_code = 401
+        resp.ok = False
+        resp.text = '{"cod":401,"message":"Invalid API key."}'
+        resp.raise_for_status.side_effect = requests.HTTPError(
+            "401 Client Error: Unauthorized for url: "
+            "https://api.openweathermap.org/data/2.5/weather?lat=51.5&lon=-0.12&appid=SUPERSECRETKEY",
+            response=requests.Response(),
+        )
+        session = mock.MagicMock()
+        session.get.return_value = resp
+
+        with pytest.raises(requests.HTTPError) as exc_info:
+            _fetch_once(session, "https://example.com", structlog.get_logger())
+
+        message = str(exc_info.value)
+        assert "SUPERSECRETKEY" not in message
+        assert "appid=REDACTED" in message
+        # The host prefix is preserved so non-retryable-error matching still works.
+        assert "for url: https://api.openweathermap.org" in message
+
 
 class TestValidateCredentials:
     @pytest.mark.parametrize(