Fix secrets v1 (#10)

Wolox · Aug 14, 2019 · aca4e35 · aca4e35
1 parent 7bdac59
commit aca4e35
Show file tree

Hide file tree

Showing 6 changed files with 311 additions and 77 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,9 @@
 # Change Log
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## 1.0.1
+* Add `obfuscateBody` and `obfuscatePlaceholder` option for secure sensitive data in body.
+
 ## 1.0.0
 * Add some documentation in README.
 * Refactor old `index.js` in multiple files.

diff --git a/README.md b/README.md
@@ -59,7 +59,9 @@ logger.foo('hello world');
 
 # Middlewares
 ## Logs for request beginning and end
-We provide an ExpressJs middleware that automatically logs when a request starts and ends. Simply import it and use it like any other middleware:
+We provide an ExpressJs middleware that automatically logs when a request starts and ends. Simply import it and use it like any other middleware.
+
+### Basic Usage
 ```
 const { logger, expressMiddleware } = require('express-wolox-logger');
 
@@ -73,6 +75,71 @@ This in conjunction with the basic logs will output:
 [2019-06-14 17:35:13.781 +0000] INFO  (17439 on my-pc.local): Ended GET /logger/test with status: 200 in 10 ms
 ```
 
+### Advanced Usage
+The exported `expressRequestIdMiddleware` function takes one argument, [`options`](#optionsStartEnd) and returns a `middleware`.
+
+<a id=optionsStartEnd></a>
+#### `options` (Object)
+
+##### `loggerFn` (Function)
+Logger function used for start and end log actions.
+
+##### `obfuscatePlaceholder` (String)
+Default: [SECURE]
+
+String to replace obfuscated body.
+
+##### `obfuscateBody` (Object|Boolean)
+Default: true
+
+Options for obfuscate body of request, could be a boolean (true or false) that applies to all requests or a object to an specific endpoint and method.
+
+#### Example
+```
+{
+  obfuscateBody: {
+    '/some_url': { // this should be a regex of url to obfuscate
+      POST: true // method to obfuscate
+    }
+  }
+}
+```
+
+
+### Obfuscating body of specific request
+```
+const { logger, expressMiddleware } = require('express-wolox-logger');
+
+app.use(expressMiddleware({ loggerFn: logger.info, obfuscatePlaceholder: '[SECRET]', obfuscateBody: { '/secure': { POST: true } } }));
+```
+This in conjunction with the basic logs will output:
+```
+[2019-06-14 17:35:13.770 +0000] INFO  (17439 on my-pc.local): Started POST /secure with params: {}, query: {}, body: [SECRET].
+[2019-06-14 17:35:13.772 +0000] INFO  (17439 on my-pc.local): hello world
+[2019-06-14 17:35:13.781 +0000] INFO  (17439 on my-pc.local): Ended POST /secure with status: 200 in 10 ms
+[2019-06-14 17:35:13.770 +0000] INFO  (17439 on my-pc.local): Started GET /secure with params: {}, query: {}, body: {}.
+[2019-06-14 17:35:13.772 +0000] INFO  (17439 on my-pc.local): hello world
+[2019-06-14 17:35:13.781 +0000] INFO  (17439 on my-pc.local): Ended GET /secure with status: 200 in 10 ms
+```
+
+### Obfuscating body of all requests
+```
+const { logger, expressMiddleware } = require('express-wolox-logger');
+
+app.use(expressMiddleware({ loggerFn: logger.info, obfuscatePlaceholder: '[SECRET]', obfuscateBody: true }));
+```
+This in conjunction with the basic logs will output:
+```
+[2019-06-14 17:35:13.770 +0000] INFO  (17439 on my-pc.local): Started POST /secure with params: {}, query: {}, body: [SECRET].
+[2019-06-14 17:35:13.772 +0000] INFO  (17439 on my-pc.local): hello world
+[2019-06-14 17:35:13.781 +0000] INFO  (17439 on my-pc.local): Ended POST /secure with status: 200 in 10 ms
+[2019-06-14 17:35:13.770 +0000] INFO  (17439 on my-pc.local): Started GET /secure with params: {}, query: {}, body: [SECRET].
+[2019-06-14 17:35:13.772 +0000] INFO  (17439 on my-pc.local): hello world
+[2019-06-14 17:35:13.781 +0000] INFO  (17439 on my-pc.local): Ended GET /secure with status: 200 in 10 ms
+```
+
+
+
 ## Request Ids
 We also provide an ExpressJs middleware that appends a `request id` to all logs made for a single request. This is useful for better tracking logs when there are several requests going on concurrently. Again, simply import it and use it like any other middleware.
 

diff --git a/lib/middlewares.js b/lib/middlewares.js
@@ -3,21 +3,58 @@ const shortid = require('shortid');
 
 const { namespace, setRequestId } = require('./namespace');
 
-const expressMiddleware = opts => (req, res, next) => {
-  const { method, params, query, body } = req;
-  const url = req.originalUrl || req.url;
-  const { loggerFn } = opts || {};
+const secure = '[SECURE]';
 
-  loggerFn(`Started ${url} ${method} with params:`, params || {}, 'query:', query || {}, 'body:', body || {});
-  const begin = Date.now();
-  const onFinish = namespace.bind((error, response) => {
-    const end = Date.now();
-    const responseTime = error ? '-' : end - begin;
-    const status = response.statusCode;
-    loggerFn(`Ended ${method} ${url} with status: ${status} in ${responseTime} ms`);
-  });
-  onFinished(res, onFinish);
-  next();
+const getSecureBody = ({ params, url, method, body, placeholder }) => {
+  try {
+    if (params === true) {
+      return placeholder;
+    }
+    if (params && typeof params === 'object') {
+      const path = Object.keys(params).find(pathRegex => new RegExp(pathRegex).test(url));
+      if (path && params[path] && params[path][method]) {
+        // TODO: Here we should add the specific param obfuscation logic
+        return placeholder;
+      }
+    }
+    return body;
+  } catch (_) {
+    return placeholder;
+  }
+};
+
+const expressMiddleware = opts => {
+  // TODO: add a check that all the config is safe
+  const { loggerFn, obfuscateBody = true, obfuscatePlaceholder = secure } = opts || {};
+  return (req, res, next) => {
+    const { method, params, query, body } = req;
+    const url = req.originalUrl || req.url;
+    const formattedBody = getSecureBody({
+      params: obfuscateBody,
+      url,
+      method,
+      body,
+      placeholder: obfuscatePlaceholder
+    });
+
+    loggerFn(
+      `Started ${url} ${method} with params:`,
+      params || {},
+      'query:',
+      query || {},
+      'body:',
+      formattedBody || {}
+    );
+    const begin = Date.now();
+    const onFinish = namespace.bind((error, response) => {
+      const end = Date.now();
+      const responseTime = error ? '-' : end - begin;
+      const status = response.statusCode;
+      loggerFn(`Ended ${method} ${url} with status: ${status} in ${responseTime} ms`);
+    });
+    onFinished(res, onFinish);
+    next();
+  };
 };
 
 const expressRequestIdMiddleware = opts => (req, res, next) => {