I have no problem with removing the query string in logs, so if you want to submit a PR with that I'll review it. But if you are concerned about security, I strongly recommend you use a more modern method of authentication with Socket.IO. Sending tokens in URLs is insecure, since these URLs can also get logged and cached by web clients and web servers. Current versions of the Socket.IO protocol support sending an authentication payload in the connection request, so if you have access to your server I recommend you switch to that.
-
Hi,
I have a feature request that might only concern the EngineIO.
When logs are enabled through a logging object, as shown below:
It appears that URLs are logged in traces. For example:
The issue is that this URL, in my case, contains sensitive data (API Token), and I do not want it to be logged, obviously. I have no choice but to disable logs. As logs can be crucial for investigations, it would be nice to have an option to hide non-internal query parameters from logs.
Thanks
Adrien
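One way to get the behaviour requested above without disabling logs, as an added example that is not part of this discussion or of the project's code: a `logging.Filter` attached to the logging object handed to the client, which masks every query parameter value that is not transport-internal. The `INTERNAL_PARAMS` list, the function names and the sample URL are assumptions made for illustration.

```python
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: query parameters used by the Engine.IO transport itself.
INTERNAL_PARAMS = frozenset({"EIO", "transport", "sid", "t", "b64", "j"})
URL_RE = re.compile(r"\b(?:https?|wss?)://[^\s'\"<>]+")


def redact_url(url: str) -> str:
    """Mask the value of every query parameter that is not transport-internal."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = [
        (key, value if key in INTERNAL_PARAMS else "REDACTED")
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def redact_text(text: str) -> str:
    """Apply redact_url to every http(s)/ws(s) URL found in a log message."""
    return URL_RE.sub(lambda match: redact_url(match.group(0)), text)


class QueryRedactingFilter(logging.Filter):
    """Rewrite each record so URLs are masked before any handler sees them."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first: the URL usually arrives through record.args.
        record.msg = redact_text(record.getMessage())
        record.args = None  # the message is already fully formatted
        return True


def build_logger(name: str = "engineio.example") -> logging.Logger:
    """Return a logger (hypothetical name) suitable for passing as the logging object."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    # Logger-level filters only see records logged on this exact logger,
    # not records propagated from child loggers.
    logger.addFilter(QueryRedactingFilter())
    return logger
```

The filter only covers this process's log output; the token still travels in the URL and can be recorded by servers and proxies along the way.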