fix: exclude token query string from logs (#188)

Author: fenos

src/monitoring/logger.ts

@@ -1,26 +1,27 @@
 import pino from 'pino'
 import { getConfig } from '../utils/config'
+import { FastifyRequest } from 'fastify'
+import { URL } from 'url'
 
 const { logLevel } = getConfig()
 
 export const logger = pino({
   transport: buildTransport(),
   formatters: {
-    level(label, number) {
-      return { level: number }
+    level(label) {
+      return { level: label }
     },
   },
   serializers: {
     res(reply) {
       return {
-        url: reply.url,
         statusCode: reply.statusCode,
       }
     },
     req(request) {
       return {
         method: request.method,
-        url: request.url,
+        url: redactQueryParamFromRequest(request, ['token']),
         headers: whitelistHeaders(request.headers),
         hostname: request.hostname,
         remoteAddress: request.ip,
@@ -92,3 +93,14 @@ const whitelistHeaders = (headers: Record<string, unknown>) => {
 
   return responseMetadata
 }
+
+export function redactQueryParamFromRequest(req: FastifyRequest, params: string[]) {
+  const lUrl = new URL(req.url, `${req.protocol}://${req.hostname}`)
+
+  params.forEach((param) => {
+    if (lUrl.searchParams.has(param)) {
+      lUrl.searchParams.set(param, 'redacted')
+    }
+  })
+  return `${lUrl.pathname}${lUrl.search}`
+}

src/plugins/log-request.ts

@@ -1,4 +1,5 @@
 import fastifyPlugin from 'fastify-plugin'
+import { redactQueryParamFromRequest } from '../monitoring'
 
 interface RequestLoggerOptions {
   excludeUrls?: string[]
@@ -12,7 +13,7 @@ export default (options: RequestLoggerOptions) =>
       }
 
       const rMeth = req.method
-      const rUrl = req.url
+      const rUrl = redactQueryParamFromRequest(req, ['token'])
       const uAgent = req.headers['user-agent']
       const rId = req.id
       const cIP = req.ip