Redact tokens from logs (#6347)

2026-04-25 03:00:53 -04:00 · 2021-06-17 10:57:52 -04:00
parent d7835e036a
commit 2868fd6bf6
5 changed files with 46 additions and 23 deletions
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -1,6 +1,5 @@
 import cookieParser from 'cookie-parser';
 import express, { RequestHandler } from 'express';
-import expressLogger from 'express-pino-logger';
 import fse from 'fs-extra';
 import path from 'path';
 import qs from 'qs';
@@ -30,7 +29,7 @@ import { emitAsyncSafe } from './emitter';
 import env from './env';
 import { InvalidPayloadException } from './exceptions';
 import { initializeExtensions, registerExtensionEndpoints, registerExtensionHooks } from './extensions';
-import logger from './logger';
+import logger, { expressLogger } from './logger';
 import authenticate from './middleware/authenticate';
 import cache from './middleware/cache';
 import { checkIP } from './middleware/check-ip';
@@ -71,7 +70,7 @@ export default async function createApp(): Promise<express.Application> {

 	await emitAsyncSafe('middlewares.init.before', { app });

-	app.use(expressLogger({ logger }) as RequestHandler);
+	app.use(expressLogger);

 	app.use((req, res, next) => {
 		(
--- a/api/src/logger.ts
+++ b/api/src/logger.ts
@@ -1,7 +1,16 @@
+import { Request, RequestHandler } from 'express';
 import pino, { LoggerOptions } from 'pino';
+import pinoHTTP, { stdSerializers } from 'pino-http';
+import { URL } from 'url';
 import env from './env';

-const pinoOptions: LoggerOptions = { level: env.LOG_LEVEL || 'info' };
+const pinoOptions: LoggerOptions = {
+	level: env.LOG_LEVEL || 'info',
+	redact: {
+		paths: ['req.headers.authorization', 'req.cookies.directus_refresh_token'],
+		censor: '--redact--',
+	},
+};

 if (env.LOG_STYLE !== 'raw') {
 	pinoOptions.prettyPrint = true;
@@ -10,4 +19,25 @@ if (env.LOG_STYLE !== 'raw') {

 const logger = pino(pinoOptions);

+export const expressLogger = pinoHTTP({
+	logger,
+	serializers: {
+		req(request: Request) {
+			const output = stdSerializers.req(request);
+			output.url = redactQuery(output.url);
+			return output;
+		},
+	},
+}) as RequestHandler;
+
 export default logger;
+
+function redactQuery(originalPath: string) {
+	const url = new URL(originalPath, 'http://example.com/');
+
+	if (url.searchParams.has('access_token')) {
+		url.searchParams.set('access_token', '--redacted--');
+	}
+
+	return url.pathname + url.search;
+}
--- a/api/src/types/shims.d.ts
+++ b/api/src/types/shims.d.ts
@@ -1,3 +1,5 @@
+import PinoHttp from '@types/pino-http';
+
 declare module 'grant' {
 	const grant: any;
 	export default grant;
@@ -12,3 +14,11 @@ declare module 'exif-reader' {
 	const exifReader: (buf: Buffer) => Record<string, any>;
 	export default exifReader;
 }
+
+declare module 'pino-http' {
+	const pinoHttp: PinoHttp;
+	export default pinoHttp;
+	export const stdSerializers: {
+		req: (req: any) => Record<string, any>;
+	};
+}