Redact tokens from logs (#6347)

directus · Jun 17, 2021 · 2868fd6 · 2868fd6
1 parent d7835e0
commit 2868fd6
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 23 deletions.
diff --git a/api/package.json b/api/package.json
@@ -95,7 +95,6 @@
 		"execa": "^5.1.1",
 		"exif-reader": "^1.0.3",
 		"express": "^4.17.1",
-		"express-pino-logger": "^6.0.0",
 		"express-session": "^1.17.2",
 		"fs-extra": "^10.0.0",
 		"grant": "^5.4.14",
@@ -125,6 +124,7 @@
 		"otplib": "^12.0.1",
 		"pino": "^6.11.3",
 		"pino-colada": "^2.1.0",
+		"pino-http": "^5.5.0",
 		"prettier": "^2.3.1",
 		"qs": "^6.9.4",
 		"rate-limiter-flexible": "^2.2.2",

diff --git a/api/src/app.ts b/api/src/app.ts
@@ -1,6 +1,5 @@
 import cookieParser from 'cookie-parser';
 import express, { RequestHandler } from 'express';
-import expressLogger from 'express-pino-logger';
 import fse from 'fs-extra';
 import path from 'path';
 import qs from 'qs';
@@ -30,7 +29,7 @@ import { emitAsyncSafe } from './emitter';
 import env from './env';
 import { InvalidPayloadException } from './exceptions';
 import { initializeExtensions, registerExtensionEndpoints, registerExtensionHooks } from './extensions';
-import logger from './logger';
+import logger, { expressLogger } from './logger';
 import authenticate from './middleware/authenticate';
 import cache from './middleware/cache';
 import { checkIP } from './middleware/check-ip';
@@ -71,7 +70,7 @@ export default async function createApp(): Promise<express.Application> {
 
 	await emitAsyncSafe('middlewares.init.before', { app });
 
-	app.use(expressLogger({ logger }) as RequestHandler);
+	app.use(expressLogger);
 
 	app.use((req, res, next) => {
 		(

diff --git a/api/src/logger.ts b/api/src/logger.ts
@@ -1,7 +1,16 @@
+import { Request, RequestHandler } from 'express';
 import pino, { LoggerOptions } from 'pino';
+import pinoHTTP, { stdSerializers } from 'pino-http';
+import { URL } from 'url';
 import env from './env';
 
-const pinoOptions: LoggerOptions = { level: env.LOG_LEVEL || 'info' };
+const pinoOptions: LoggerOptions = {
+	level: env.LOG_LEVEL || 'info',
+	redact: {
+		paths: ['req.headers.authorization', 'req.cookies.directus_refresh_token'],
+		censor: '--redact--',
+	},
+};
 
 if (env.LOG_STYLE !== 'raw') {
 	pinoOptions.prettyPrint = true;
@@ -10,4 +19,25 @@ if (env.LOG_STYLE !== 'raw') {
 
 const logger = pino(pinoOptions);
 
+export const expressLogger = pinoHTTP({
+	logger,
+	serializers: {
+		req(request: Request) {
+			const output = stdSerializers.req(request);
+			output.url = redactQuery(output.url);
+			return output;
+		},
+	},
+}) as RequestHandler;
+
 export default logger;
+
+function redactQuery(originalPath: string) {
+	const url = new URL(originalPath, 'http://example.com/');
+
+	if (url.searchParams.has('access_token')) {
+		url.searchParams.set('access_token', '--redacted--');
+	}
+
+	return url.pathname + url.search;
+}
diff --git a/api/src/types/shims.d.ts b/api/src/types/shims.d.ts
@@ -1,3 +1,5 @@
+import PinoHttp from '@types/pino-http';
+
 declare module 'grant' {
 	const grant: any;
 	export default grant;
@@ -12,3 +14,11 @@ declare module 'exif-reader' {
 	const exifReader: (buf: Buffer) => Record<string, any>;
 	export default exifReader;
 }
+
+declare module 'pino-http' {
+	const pinoHttp: PinoHttp;
+	export default pinoHttp;
+	export const stdSerializers: {
+		req: (req: any) => Record<string, any>;
+	};
+}
diff --git a/package-lock.json b/package-lock.json