From 7e0c113d3353eb54118b1ecda421d9383b769022 Mon Sep 17 00:00:00 2001
From: Dmitrii Kozlov
Date: Mon, 2 Sep 2024 23:19:44 +0300
Subject: [PATCH] respect logger settings for auth headers
---
 cmd/config-boltdb.yaml | 7 ++++--
 web/admin/router.go | 3 +++
 web/api/routes.go | 1 +
 web/management/routes.go | 1 +
 web/middleware/logger.go | 48 ++++++++++++++++++++++++++++++++++++++--
 web/spa/router.go | 3 +++
 6 files changed, 59 insertions(+), 4 deletions(-)
diff --git a/cmd/config-boltdb.yaml b/cmd/config-boltdb.yaml
index 26d5f3ee..3b7a1ff3 100644
--- a/cmd/config-boltdb.yaml
+++ b/cmd/config-boltdb.yaml
@@ -61,7 +61,7 @@ services:
 region: ""
 login:
 loginWith:
- username: false
+ username: true
 phone: true
 email: false
 federated: false
@@ -83,6 +83,9 @@ logger:
 # logs format (json, text)
 format: json
 # exclude body for HTTP requests that can contain sensitive data
- logSensitiveData: false
+ logSensitiveData: true
 common:
 level: debug
+ api:
+ level: debug
+ httpDetailing: dump
diff --git a/web/admin/router.go b/web/admin/router.go
index d614b1e4..f7051365 100644
--- a/web/admin/router.go
+++ b/web/admin/router.go
@@ -58,6 +58,7 @@ func NewRouter(settings RouterSettings) (model.Router, error) {
 settings.LoggerSettings.DumpRequest,
 settings.LoggerSettings.Format,
 settings.LoggerSettings.Admin,
+ settings.LoggerSettings.LogSensitiveData,
 settings.Cors)
 ar.initRoutes()
@@ -70,6 +71,7 @@ func buildMiddleware(
 dumpRequest bool,
 format string,
 logParams model.LoggerParams,
+ logSensitiveData bool,
 corsHandler *cors.Cors,
 ) *negroni.Negroni {
 var handlers []negroni.Handler
@@ -79,6 +81,7 @@ func buildMiddleware(
 format,
 logParams,
 model.HTTPLogDetailing(dumpRequest, logParams.HTTPDetailing),
+ !logSensitiveData,
 "/login",
 )
 handlers = append(handlers, lm)
diff --git a/web/api/routes.go b/web/api/routes.go
index 3258cf4c..4f3d947e 100644
--- a/web/api/routes.go
+++ b/web/api/routes.go
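Review bot: The second hunk of the sample config flips `logSensitiveData` to `true` and adds `api:` / `level: debug` / `httpDetailing: dump`, which with the wiring this patch introduces (`excludeAuth = !LogSensitiveData`) leaves Authorization headers unredacted and request bodies dumped for anyone who starts from this file. The comment directly above the key, `# exclude body for HTTP requests that can contain sensitive data`, now reads as the opposite of the configured value. The `username: false` to `true` change in the first hunk is unrelated to the subject line. If these are local debugging settings, `logSensitiveData: false` should be restored and the `api:` block dropped, or the file should be clearly marked as a dev-only profile.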
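Review bot: In `buildMiddleware` the new `logSensitiveData bool` parameter is forwarded to `NegroniHTTPLogger` as `!logSensitiveData`, so the flag changes polarity between the settings struct and the logger while keeping its positive name; the `web/spa/router.go` hunks in this same patch negate once more at the call site and end up with the inverted value. Carrying one meaning under one name through all three hunks would prevent that: keep passing `settings.LoggerSettings.LogSensitiveData` from `NewRouter` as done here, and either rename the builder's parameter to `excludeAuth bool` and negate at the single call site, or keep `logSensitiveData` and negate exactly once inside the builder. The rest of `NewRouter` and `buildMiddleware` lies outside the hunks.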
@@ -83,6 +83,7 @@ func buildBaseMiddleware(
 format,
 logParams,
 model.HTTPLogDetailing(dumpRequest, logParams.HTTPDetailing),
+ !logSensitiveData,
 exclude...)
 result := negroni.New(
diff --git a/web/management/routes.go b/web/management/routes.go
index 78d3b81d..7881b570 100644
--- a/web/management/routes.go
+++ b/web/management/routes.go
@@ -18,6 +18,7 @@ func (ar *Router) initRoutes(loggerSettings model.LoggerSettings) {
 loggerSettings.Format,
 loggerSettings.Management,
 model.HTTPLogDetailing(loggerSettings.DumpRequest, loggerSettings.Management.HTTPDetailing),
+ !loggerSettings.LogSensitiveData,
 )
 ar.router.Use(middleware.RequestID)
diff --git a/web/middleware/logger.go b/web/middleware/logger.go
index d050e2d3..ae86f0f7 100644
--- a/web/middleware/logger.go
+++ b/web/middleware/logger.go
@@ -17,9 +17,10 @@ func NegroniHTTPLogger(
 format string,
 logParams model.LoggerParams,
 httpDetailing model.HTTPDetailing,
+ excludeAuth bool,
 exclude ...string,
 ) negroni.Handler {
- logger := HTTPLogger(component, format, logParams, httpDetailing, exclude...)
+ logger := HTTPLogger(component, format, logParams, httpDetailing, excludeAuth, exclude...)
 return negroni.HandlerFunc(func(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
 logger(next).ServeHTTP(w, r)
@@ -35,6 +36,7 @@ func HTTPLogger(
 format string,
 logParams model.LoggerParams,
 httpDetailing model.HTTPDetailing,
+ excludeAuth bool,
 exclude ...string,
 ) func(http.Handler) http.Handler {
 if httpDetailing == model.HTTPLogNone ||
@@ -52,7 +54,7 @@ func HTTPLogger(
 logging.FieldComponent, component,
 "method", r.Method,
 "url", r.URL.String(),
- "headers", r.Header,
+ "headers", redactHeaders(r.Header, excludeAuth),
 "body", string(body))
 }
@@ -101,3 +103,45 @@ func HTTPLogger(
 hl := httplog.LoggerWithFormatterAndName(component, httplog.DefaultLogFormatterWithRequestHeadersAndBody)
 return hl
 }
+
+func redactHeaders(headers http.Header, excludeAuth bool) http.Header {
+ if !excludeAuth {
+ return headers
+ }
+
+ result := make(http.Header, len(headers))
+
+ for k, vv := range headers {
+ if strings.EqualFold(k, "Authorization") {
+ cc := make([]string, len(vv))
+ for i, v := range vv {
+ cc[i] = redactAuthValue(v)
+ }
+ result[k] = cc
+ } else {
+ result[k] = vv
+ }
+
+ }
+
+ return result
+}
+
+func redactAuthValue(v string) string {
+ expectedPrefix := "bearer"
+
+ actualPrefix := ""
+ if len(v) >= len(expectedPrefix) {
+ actualPrefix = v[:len(expectedPrefix)]
+ }
+
+ if strings.EqualFold(actualPrefix, expectedPrefix) {
+ if len(v) <= len(expectedPrefix)+1 {
+ return actualPrefix + " "
+ }
+
+ return actualPrefix + " "
+ }
+
+ return ""
+}
diff --git a/web/spa/router.go b/web/spa/router.go
index 8a4b4c51..63c21c64 100644
--- a/web/spa/router.go
+++ b/web/spa/router.go
@@ -25,6 +25,7 @@ func NewRouter(setting SPASettings, middlewares []negroni.Handler) (model.Router
 setting.LoggerSettings.DumpRequest,
 setting.LoggerSettings.Format,
 setting.LoggerSettings.SPA,
+ !setting.LoggerSettings.LogSensitiveData,
 middlewares,
 )
@@ -50,6 +51,7 @@ func buildMiddleware(
 dumpRequest bool,
 format string,
 logParams model.LoggerParams,
+ logSensitiveData bool,
 middlewares []negroni.Handler,
 ) *negroni.Negroni {
 lm := middleware.NegroniHTTPLogger(
@@ -57,6 +59,7 @@ func buildMiddleware(
 format,
 logParams,
 model.HTTPLogDetailing(dumpRequest, logParams.HTTPDetailing),
+ !logSensitiveData,
 )
 handlers := []negroni.Handler{
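Review bot: `redactAuthValue` returns the same `actualPrefix + " "` from the `len(v) <= len(expectedPrefix)+1` branch and from the line after it, so the inner `if` is dead, a Bearer value logs as a bare `Bearer ` with nothing marking it as redacted, and any other scheme (Basic, Digest, custom tokens) collapses to an empty string that is indistinguishable from an empty header. A single marker keeps the scheme visible without the dead branch: `if strings.EqualFold(actualPrefix, expectedPrefix) { return actualPrefix + " [redacted]" }` followed by `return "[redacted]"`. The context at the top of this hunk returns `httplog.LoggerWithFormatterAndName(component, httplog.DefaultLogFormatterWithRequestHeadersAndBody)` without going through `redactHeaders`, so if that path is reachable while `excludeAuth` is set, request headers would be logged unredacted there; the branch condition is above the hunk, so this needs confirming. `redactHeaders` matches only `Authorization`; `Proxy-Authorization` and `Cookie` carry credentials too and could share the same `EqualFold` check.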
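Review bot: In the `NewRouter` hunk the value handed to `buildMiddleware` is `!setting.LoggerSettings.LogSensitiveData`, but the parameter it lands in is named `logSensitiveData` and the last hunk negates it again (`!logSensitiveData`) before passing it to `NegroniHTTPLogger` as `excludeAuth`, so the SPA router ends up with `excludeAuth == LogSensitiveData`: with `logSensitiveData: false` Authorization headers are logged in full, and with `true` they are redacted. The `web/admin/router.go` hunks in this patch pass the un-negated setting to the same-shaped builder, so the two routers disagree. Drop the negation at the call site: `setting.LoggerSettings.LogSensitiveData,` in `NewRouter`. The bodies of `NewRouter` and `buildMiddleware` continue outside these hunks.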