nhost · szilarddoro · Apr 26, 2023 · Apr 26, 2023 · Apr 26, 2023 · Apr 26, 2023
diff --git a/.changeset/long-trainers-pretend.md b/.changeset/long-trainers-pretend.md
@@ -0,0 +1,5 @@
+---
+'hasura-auth': patch
+---
+
+chore(logs): add masked headers and query parameters to logs
diff --git a/src/app.ts b/src/app.ts
@@ -1,13 +1,12 @@
-import express from 'express';
-import helmet from 'helmet';
 import { json } from 'body-parser';
 import cors from 'cors';
-
-import router from './routes';
+import express from 'express';
+import helmet from 'helmet';
 import { serverErrors } from './errors';
+import { httpLogger, uncaughtErrorLogger } from './logger';
 import { authMiddleware } from './middleware/auth';
 import { addOpenApiRoute } from './openapi';
-import { uncaughtErrorLogger, httpLogger } from './logger';
+import router from './routes';
 
 const app = express();
 
@@ -16,12 +15,11 @@ if (process.env.NODE_ENV === 'production') {
 }
 
 addOpenApiRoute(app);
-app.use(httpLogger);
 
+app.use(httpLogger);
 app.use(helmet(), json(), cors());
 app.use(authMiddleware);
-
 app.use(router);
-
 app.use(uncaughtErrorLogger, serverErrors);
+
 export { app };
diff --git a/src/logger.ts b/src/logger.ts
@@ -1,6 +1,6 @@
-import winston from 'winston';
-import expressWinston, { LoggerOptions } from 'express-winston';
 import { Response } from 'express';
+import expressWinston, { LoggerOptions } from 'express-winston';
+import winston from 'winston';
 export const LOG_LEVEL = process.env.AUTH_LOG_LEVEL || 'info';
 
 // * Create a common Winston logger that can be used in both middlewares and manually
@@ -12,13 +12,39 @@ export const logger = winston.createLogger({
 // * Give more importance to Unauthorized and Forbidden status codes to give more visibility to hacking attempts
 const SUSPICIOUS_REQUEST_CODES = [401, 403];
 
-const rewriteUrl = (url: string) => {
-  if (LOG_LEVEL !== 'debug' && (url.includes('?') || url.includes('#'))) {
-    const pathname = new URL(url, 'http://noop').pathname;
-    const char = url.includes('?') ? '?' : '#';
-    return `${pathname}${char}*****`;
+const maskUrl = (url: string) => {
+  if (LOG_LEVEL === 'debug' || (!url.includes('?') && !url.includes('#'))) {
+    return url;
+  }
+
+  const { pathname, searchParams, hash } = new URL(url, 'http://noop');
+  const queryParameters = Array.from(searchParams.keys());
+
+  if (queryParameters.length > 0) {
+    return `${pathname}?${queryParameters
+      .map((param) => `${param}=*****`)
+      .join('&')})}`;
   }
-  return url;
+
+  if (hash) {
+    return `${pathname}#*****`;
+  }
+
+  return pathname;
+};
+
+const maskHeaders = (headers: Record<string, unknown>) => {
+  if (LOG_LEVEL === 'DEBUG') {
+    return headers;
+  }
+
+  return Object.keys(headers).reduce(
+    (returnableHeaders, key) => ({
+      ...returnableHeaders,
+      [key]: '*****',
+    }),
+    {}
+  );
 };
 
 const loggerOptions: LoggerOptions = {
@@ -27,7 +53,7 @@ const loggerOptions: LoggerOptions = {
   metaField: null,
   responseField: null,
   msg: (req, res) =>
-    `${req.method} ${rewriteUrl(req.url)} ${res.statusCode} ${
+    `${req.method} ${maskUrl(req.url)} ${res.statusCode} ${
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
       (res as any).responseTime
     }ms`,
@@ -45,7 +71,8 @@ const loggerOptions: LoggerOptions = {
       meta.url = url;
       meta.headers = headers;
     } else {
-      meta.url = rewriteUrl(url);
+      meta.url = maskUrl(url);
+      meta.headers = maskHeaders(headers);
     }
     const userId = auth?.userId;
     if (userId) {

diff --git a/src/utils/__generated__/graphql-request.ts b/src/utils/__generated__/graphql-request.ts