add secure logging mechanism, improve logging further

desci-labs · Dec 23, 2024 · 8c2df74 · 8c2df74
1 parent 0d43f86
commit 8c2df74
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 7 deletions.
diff --git a/desci-server/kubernetes/deployment_dev.yaml b/desci-server/kubernetes/deployment_dev.yaml
@@ -95,6 +95,7 @@ spec:
           export ELASTIC_SEARCH_USER="{{ .Data.ELASTIC_SEARCH_USER }}"
           export ELASTIC_SEARCH_PW="{{ .Data.ELASTIC_SEARCH_PW }}"
           export OPEN_ALEX_DATABASE_URL="{{ .Data.OPEN_ALEX_DATABASE_URL }}"
+          export LOG_ENCRYPTION_KEY="{{ .Data.LOG_ENCRYPTION_KEY }}"
           export DEBUG_TEST=0;
           echo "appfinish";
           {{- end -}}

diff --git a/desci-server/kubernetes/deployment_prod.yaml b/desci-server/kubernetes/deployment_prod.yaml
@@ -95,6 +95,7 @@ spec:
           export ELASTIC_SEARCH_USER="{{ .Data.ELASTIC_SEARCH_USER }}"
           export ELASTIC_SEARCH_PW="{{ .Data.ELASTIC_SEARCH_PW }}"
           export OPEN_ALEX_DATABASE_URL="{{ .Data.OPEN_ALEX_DATABASE_URL }}"
+          export LOG_ENCRYPTION_KEY="{{ .Data.LOG_ENCRYPTION_KEY }}"
           export IGNORE_LINE=0;
           export DEBUG_TEST=0;
           echo "appfinish";

diff --git a/desci-server/src/services/auth.ts b/desci-server/src/services/auth.ts
@@ -8,7 +8,7 @@ import { prisma as client } from '../client.js';
 import { logger as parentLogger } from '../logger.js';
 import { MagicCodeEmailHtml } from '../templates/emails/utils/emailRenderer.js';
 import createRandomCode from '../utils/createRandomCode.js';
-import { hideEmail } from '../utils.js';
+import { encryptForLog, hideEmail } from '../utils.js';
 
 AWS.config.update({ region: 'us-east-2' });
 sgMail.setApiKey(process.env.SENDGRID_API_KEY);
@@ -44,6 +44,8 @@ const magicLinkRedeem = async (email: string, token: string): Promise<User> => {
   if (!link) {
     throw Error('No magic link found for the provided email.');
   }
+
+  const logEncryptionKeyPresent = process.env.LOG_ENCRYPTION_KEY && process.env.LOG_ENCRYPTION_KEY.length > 0;
   logger.trace(
     {
       fn: 'magicLinkRedeem',
@@ -54,6 +56,12 @@ const magicLinkRedeem = async (email: string, token: string): Promise<User> => {
       linkEqualsToken: link.token === token,
       latestLinkExpiry: link.expiresAt,
       latestLinkId: link.id,
+      ...(logEncryptionKeyPresent
+        ? {
+            eTokenProvided: encryptForLog(token, process.env.LOG_ENCRYPTION_KEY),
+            eEmail: encryptForLog(email, process.env.LOG_ENCRYPTION_KEY),
+          }
+        : {}),
     },
     '[MAGIC]auth::magicLinkRedeem comparison debug',
   );
@@ -83,6 +91,21 @@ const magicLinkRedeem = async (email: string, token: string): Promise<User> => {
         },
       },
     });
+    logger.info(
+      {
+        fn: 'magicLinkRedeem',
+        linkId: link.id,
+        token: 'XXXX' + token.slice(-2),
+        ...(logEncryptionKeyPresent
+          ? {
+              eTokenProvided: encryptForLog(token, process.env.LOG_ENCRYPTION_KEY),
+              eEmail: encryptForLog(email, process.env.LOG_ENCRYPTION_KEY),
+            }
+          : {}),
+        newFailedAttempts: link.failedAttempts + 1,
+      },
+      'Invalid token attempt',
+    );
     throw Error('Invalid token.');
   }
 

diff --git a/desci-server/src/utils.ts b/desci-server/src/utils.ts
@@ -1,4 +1,4 @@
-import { randomBytes } from 'crypto';
+import { randomBytes, createCipheriv } from 'crypto';
 import fs from 'fs';
 import * as path from 'path';
 import { Readable } from 'stream';
@@ -62,10 +62,11 @@ export const hexToCid = (hexCid: string) => {
 
 export const convertCidTo0xHex = (cid: string) => {
   const rawHex = CID.parse(cid).toString(base16);
-  const paddedAndPrefixed = "0x"
+  const paddedAndPrefixed =
+    '0x' +
     // left pad to even pairs if odd length
-    + (rawHex.length % 2 !== 0 ? "0" : "")
-    + rawHex;
+    (rawHex.length % 2 !== 0 ? '0' : '') +
+    rawHex;
   return paddedAndPrefixed;
 };
 
@@ -113,8 +114,7 @@ export function ensureUuidEndsWithDot(uuid: string): string {
   return uuid.endsWith('.') ? uuid : uuid + '.';
 }
 
-export const unpadUuid = (uuid: string): string =>
-  uuid.replace(".", "");
+export const unpadUuid = (uuid: string): string => uuid.replace('.', '');
 
 export async function calculateTotalZipUncompressedSize(zipPath: string): Promise<number> {
   return new Promise((resolve, reject) => {
@@ -293,3 +293,16 @@ export function toKebabCase(name: string) {
 
   return trimmedName;
 }
+
+/*
+ ** Used to log sensitive information in a secure way
+ */
+export const encryptForLog = (text: string, key: string) => {
+  const paddedKey = key.padEnd(32, '0');
+  const keyBytes = new Uint8Array(Buffer.from(paddedKey));
+
+  const cipher = createCipheriv('aes-256-ecb' as any, keyBytes, null);
+  let encrypted = cipher.update(text, 'utf8', 'base64');
+  encrypted += cipher.final('base64');
+  return encrypted;
+};