Fix cookie redaction in logs (#17914)

* removed incorrect redaction logic * updated paths that werent working * Added new redaction function * Reverting unintentional change * don't force lowercase provider names * extracted cookieNames * set cookie based on driver settings suggested by ian * add unit test * redact the entire cookie header * updated the tests * move redact text to constants --------- Co-authored-by: Azri Kahar <42867097+azrikahar@users.noreply.github.com> Co-authored-by: Rijk van Zanten <rijkvanzanten@me.com>
2026-02-12 14:35:26 -05:00 · 2023-03-24 15:04:22 +01:00
parent 27706f7067
commit 73bbfaf058
5 changed files with 165 additions and 72 deletions
--- a/api/src/logger.test.ts
+++ b/api/src/logger.test.ts
@@ -0,0 +1,140 @@
+import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest';
+
+const REFRESH_TOKEN_COOKIE_NAME = 'directus_refresh_token';
+
+vi.mock('./env', async () => {
+	const MOCK_ENV = {
+		AUTH_PROVIDERS: 'ranger,monospace',
+		AUTH_RANGER_DRIVER: 'oauth2',
+		AUTH_MONOSPACE_DRIVER: 'openid',
+		REFRESH_TOKEN_COOKIE_NAME,
+		LOG_LEVEL: 'info',
+		LOG_STYLE: 'raw',
+	};
+	return {
+		default: MOCK_ENV,
+		getEnv: () => MOCK_ENV,
+	};
+});
+
+import { Writable } from 'node:stream';
+import pino from 'pino';
+import { REDACT_TEXT } from './constants';
+import { httpLoggerOptions } from './logger';
+
+const logOutput = vi.fn();
+
+let stream: Writable;
+
+beforeEach(() => {
+	stream = new Writable({
+		write(chunk) {
+			logOutput(JSON.parse(chunk.toString()));
+		},
+	});
+});
+
+afterEach(() => {
+	vi.clearAllMocks();
+});
+
+describe('req.headers.authorization', () => {
+	test('Should redact bearer token in Authorization header', () => {
+		const instance = pino(httpLoggerOptions, stream);
+		instance.info({
+			req: {
+				headers: {
+					authorization: `Bearer test-access-token-value`,
+				},
+			},
+		});
+		expect(logOutput.mock.calls[0][0]).toMatchObject({
+			req: {
+				headers: {
+					authorization: REDACT_TEXT,
+				},
+			},
+		});
+	});
+});
+
+describe('req.headers.cookie', () => {
+	test('Should redact refresh token when there is only one entry', () => {
+		const instance = pino(httpLoggerOptions, stream);
+		instance.info({
+			req: {
+				headers: {
+					cookie: `${REFRESH_TOKEN_COOKIE_NAME}=test-refresh-token-value`,
+				},
+			},
+		});
+		expect(logOutput.mock.calls[0][0]).toMatchObject({
+			req: {
+				headers: {
+					cookie: REDACT_TEXT,
+				},
+			},
+		});
+	});
+
+	test('Should redact refresh token with multiple entries', () => {
+		const instance = pino(httpLoggerOptions, stream);
+		instance.info({
+			req: {
+				headers: {
+					cookie: `custom_test_cookie=custom_test_value; access_token=test-access-token-value; oauth2.ranger=test-oauth2-value; openid.monospace=test-openid-value; ${REFRESH_TOKEN_COOKIE_NAME}=test-refresh-token-value`,
+				},
+			},
+		});
+		expect(logOutput.mock.calls[0][0]).toMatchObject({
+			req: {
+				headers: {
+					cookie: REDACT_TEXT,
+				},
+			},
+		});
+	});
+});
+
+describe('res.headers', () => {
+	test('Should redact refresh token when there is only one entry', () => {
+		const instance = pino(httpLoggerOptions, stream);
+		instance.info({
+			res: {
+				headers: {
+					'set-cookie': `${REFRESH_TOKEN_COOKIE_NAME}=test-refresh-token-value; Max-Age=604800; Path=/; Expires=Tue, 14 Feb 2023 12:00:00 GMT; HttpOnly; SameSite=Lax`,
+				},
+			},
+		});
+		expect(logOutput.mock.calls[0][0]).toMatchObject({
+			res: {
+				headers: {
+					'set-cookie': REDACT_TEXT,
+				},
+			},
+		});
+	});
+
+	test('Should redact refresh token with multiple entries', () => {
+		const instance = pino(httpLoggerOptions, stream);
+		instance.info({
+			res: {
+				headers: {
+					'set-cookie': [
+						`access_token=test-access-token-value; Max-Age=604800; Path=/; Expires=Tue, 14 Feb 2023 12:00:00 GMT; HttpOnly; SameSite=Lax`,
+						`oauth2.ranger=test-oauth2-value; Max-Age=604800; Path=/; Expires=Tue, 14 Feb 2023 12:00:00 GMT; HttpOnly; SameSite=Lax`,
+						`openid.monospace=test-openid-value; Max-Age=604800; Path=/; Expires=Tue, 14 Feb 2023 12:00:00 GMT; HttpOnly; SameSite=Lax`,
+						`${REFRESH_TOKEN_COOKIE_NAME}=test-refresh-token-value; Max-Age=604800; Path=/; Expires=Tue, 14 Feb 2023 12:00:00 GMT; HttpOnly; SameSite=Lax`,
+					],
+				},
+			},
+		});
+		expect(logOutput.mock.calls[0][0]).toMatchObject({
+			res: {
+				headers: {
+					'set-cookie': REDACT_TEXT,
+				},
+			},
+		});
+	});
+});