Merge pull request #422 from MadAppGang/feature/exclude-auth-header

respect logger settings for auth headers
MadAppGang · Sep 3, 2024 · ecb753d · ecb753d
2 parents 099ae04 + 7e0c113
commit ecb753d
Show file tree

Hide file tree

Showing 6 changed files with 59 additions and 4 deletions.
diff --git a/cmd/config-boltdb.yaml b/cmd/config-boltdb.yaml
@@ -61,7 +61,7 @@ services:
       region: ""
 login:
   loginWith:
-    username: false
+    username: true
     phone: true
     email: false
     federated: false
@@ -83,6 +83,9 @@ logger:
   # logs format (json, text)
   format: json
   # exclude body for HTTP requests that can contain sensitive data
-  logSensitiveData: false
+  logSensitiveData: true
   common:
     level: debug
+  api:
+    level: debug
+    httpDetailing: dump
diff --git a/web/admin/router.go b/web/admin/router.go
@@ -58,6 +58,7 @@ func NewRouter(settings RouterSettings) (model.Router, error) {
 		settings.LoggerSettings.DumpRequest,
 		settings.LoggerSettings.Format,
 		settings.LoggerSettings.Admin,
+		settings.LoggerSettings.LogSensitiveData,
 		settings.Cors)
 
 	ar.initRoutes()
@@ -70,6 +71,7 @@ func buildMiddleware(
 	dumpRequest bool,
 	format string,
 	logParams model.LoggerParams,
+	logSensitiveData bool,
 	corsHandler *cors.Cors,
 ) *negroni.Negroni {
 	var handlers []negroni.Handler
@@ -79,6 +81,7 @@ func buildMiddleware(
 		format,
 		logParams,
 		model.HTTPLogDetailing(dumpRequest, logParams.HTTPDetailing),
+		!logSensitiveData,
 		"/login",
 	)
 	handlers = append(handlers, lm)

diff --git a/web/api/routes.go b/web/api/routes.go
@@ -83,6 +83,7 @@ func buildBaseMiddleware(
 		format,
 		logParams,
 		model.HTTPLogDetailing(dumpRequest, logParams.HTTPDetailing),
+		!logSensitiveData,
 		exclude...)
 
 	result := negroni.New(

diff --git a/web/management/routes.go b/web/management/routes.go
@@ -18,6 +18,7 @@ func (ar *Router) initRoutes(loggerSettings model.LoggerSettings) {
 		loggerSettings.Format,
 		loggerSettings.Management,
 		model.HTTPLogDetailing(loggerSettings.DumpRequest, loggerSettings.Management.HTTPDetailing),
+		!loggerSettings.LogSensitiveData,
 	)
 
 	ar.router.Use(middleware.RequestID)

diff --git a/web/middleware/logger.go b/web/middleware/logger.go
@@ -17,9 +17,10 @@ func NegroniHTTPLogger(
 	format string,
 	logParams model.LoggerParams,
 	httpDetailing model.HTTPDetailing,
+	excludeAuth bool,
 	exclude ...string,
 ) negroni.Handler {
-	logger := HTTPLogger(component, format, logParams, httpDetailing, exclude...)
+	logger := HTTPLogger(component, format, logParams, httpDetailing, excludeAuth, exclude...)
 
 	return negroni.HandlerFunc(func(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
 		logger(next).ServeHTTP(w, r)
@@ -35,6 +36,7 @@ func HTTPLogger(
 	format string,
 	logParams model.LoggerParams,
 	httpDetailing model.HTTPDetailing,
+	excludeAuth bool,
 	exclude ...string,
 ) func(http.Handler) http.Handler {
 	if httpDetailing == model.HTTPLogNone ||
@@ -52,7 +54,7 @@ func HTTPLogger(
 				logging.FieldComponent, component,
 				"method", r.Method,
 				"url", r.URL.String(),
-				"headers", r.Header,
+				"headers", redactHeaders(r.Header, excludeAuth),
 				"body", string(body))
 		}
 
@@ -101,3 +103,45 @@ func HTTPLogger(
 	hl := httplog.LoggerWithFormatterAndName(component, httplog.DefaultLogFormatterWithRequestHeadersAndBody)
 	return hl
 }
+
+func redactHeaders(headers http.Header, excludeAuth bool) http.Header {
+	if !excludeAuth {
+		return headers
+	}
+
+	result := make(http.Header, len(headers))
+
+	for k, vv := range headers {
+		if strings.EqualFold(k, "Authorization") {
+			cc := make([]string, len(vv))
+			for i, v := range vv {
+				cc[i] = redactAuthValue(v)
+			}
+			result[k] = cc
+		} else {
+			result[k] = vv
+		}
+
+	}
+
+	return result
+}
+
+func redactAuthValue(v string) string {
+	expectedPrefix := "bearer"
+
+	actualPrefix := ""
+	if len(v) >= len(expectedPrefix) {
+		actualPrefix = v[:len(expectedPrefix)]
+	}
+
+	if strings.EqualFold(actualPrefix, expectedPrefix) {
+		if len(v) <= len(expectedPrefix)+1 {
+			return actualPrefix + " <empty>"
+		}
+
+		return actualPrefix + " <redacted>"
+	}
+
+	return "<redacted>"
+}
diff --git a/web/spa/router.go b/web/spa/router.go
@@ -25,6 +25,7 @@ func NewRouter(setting SPASettings, middlewares []negroni.Handler) (model.Router
 		setting.LoggerSettings.DumpRequest,
 		setting.LoggerSettings.Format,
 		setting.LoggerSettings.SPA,
+		!setting.LoggerSettings.LogSensitiveData,
 		middlewares,
 	)
 
@@ -50,13 +51,15 @@ func buildMiddleware(
 	dumpRequest bool,
 	format string,
 	logParams model.LoggerParams,
+	logSensitiveData bool,
 	middlewares []negroni.Handler,
 ) *negroni.Negroni {
 	lm := middleware.NegroniHTTPLogger(
 		settingName,
 		format,
 		logParams,
 		model.HTTPLogDetailing(dumpRequest, logParams.HTTPDetailing),
+		!logSensitiveData,
 	)
 
 	handlers := []negroni.Handler{