Github user stokito commented on the issue:
https://github.com/apache/commons-lang/pull/335
Thank you for your examples. Just to clarify: `maskedStart` from this PR
corresponds to `minMasked` from #332, but the discussion is about adding a
`maxUnmasked`, right?
> some messages are short and contain one time passwords

They don't need masking at all. Short-term generated values, OTPs and
tokens like OAuth `access_token` (but not `refresh_token`) are safe to write to
logs. If a hacker stole the logs, nothing could be done with the data.
> have a `minMasked` value of 30

Why exactly 30? What if sensitive data is still shown in the unmasked
part? For this kind of data it's better to mask the whole string.
> when we print part of the address we need at least the first 15
> characters to be masked

If I understood correctly, a `maskedStart` of 15 is enough and
`maxUnmasked` is not needed in that case.
> a generic API the method should be flexible, in order to cover a wide
> variety of usecases.

What I'm afraid of is that making the API too general leads to time spent
reading the docs, or to misunderstanding and misuse. As a developer I can
clearly know how many chars to mask because I expect some kind of string, but
how many chars will be in the real string is an unknown variable for me, so
`maxUnmasked` will always be speculation. For example, Java's `StringBuilder`
has a constructor with an initial capacity and from my experience programmers
never even try to use it, while this is critical for performance. So adding a
new parameter `maxUnmasked` may be not so useful in real life but confusing.
---
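To make the two parameters being debated concrete, here is an added illustration that is not part of the comment above or of the commons-lang PR. The class `MaskDemo`, the method `mask` and its signature, and the sample values (constructed, not real secrets) are assumptions made for this example and do not reflect the PR's actual API. It shows the behaviour the thread argues about: `maskedStart` alone hides a fixed prefix and fully masks anything shorter than it, while `maxUnmasked` caps how many trailing characters can ever be exposed, so the hidden region grows with the input.

```java
import java.util.Arrays;

/** Hypothetical masking helper; not the commons-lang implementation. */
public final class MaskDemo {

    /**
     * Replaces the first {@code maskedStart} characters of {@code s} with {@code maskChar}.
     * A string no longer than {@code maskedStart} is masked entirely.
     * If {@code maxUnmasked} is >= 0, at most that many trailing characters stay
     * visible, so the masked prefix is extended for longer inputs. Pass -1 to disable it.
     */
    static String mask(String s, int maskedStart, int maxUnmasked, char maskChar) {
        if (s == null) {
            return null;
        }
        if (maskedStart < 0) {
            throw new IllegalArgumentException("maskedStart must be >= 0");
        }
        int len = s.length();
        int masked = Math.min(maskedStart, len);
        if (maxUnmasked >= 0) {
            // Hide everything except the last maxUnmasked characters, whichever is stricter.
            masked = Math.max(masked, len - maxUnmasked);
        }
        char[] out = s.toCharArray();
        Arrays.fill(out, 0, masked, maskChar);
        return new String(out);
    }

    public static void main(String[] args) {
        // Constructed sample values for the demo only.
        String otp = "482913";                                // 6 chars
        String card = "4111111111111111";                     // 16 chars
        String address = "221B Baker Street, London NW1 6XE"; // 33 chars

        // maskedStart only: a fixed prefix is hidden, the remainder is shown whatever the length.
        System.out.println(mask(otp, 15, -1, '*'));     // ******  (shorter than maskedStart: fully masked)
        System.out.println(mask(card, 12, -1, '*'));    // ************1111
        System.out.println(mask(address, 15, -1, '*')); // ***************et, London NW1 6XE

        // With maxUnmasked = 4: no more than 4 trailing characters are ever exposed.
        System.out.println(mask(card, 12, 4, '*'));     // ************1111  (16 - 4 = 12, unchanged)
        System.out.println(mask(address, 15, 4, '*'));  // ***************************** 6XE  (29 masked)
    }
}
```

Run with `javac MaskDemo.java && java MaskDemo`. The last two lines show the trade-off from the thread: for the 16-character card number the two parameters agree, but for the longer address `maxUnmasked` overrides the caller's `maskedStart` of 15 and hides 29 characters, which is exactly the length-dependent behaviour the comment calls speculative when the real string length is unknown.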