bodyBlacklist doesn't work for responses #253

Open
hpurmann opened this issue Nov 11, 2020 · 4 comments
hpurmann commented Nov 11, 2020

When using this library, I noticed that the bodyBlacklist feature doesn't work as I thought it should.

bodyBlacklist

I expected the following code to include the request/response bodies in the logs but strip top-level key/value pairs where the key is "secret".

expressWinston.responseWhitelist.push('body')
expressWinston.requestWhitelist.push('body')

expressWinston.bodyBlacklist.push('secret')

However, when performing a request such as

curl localhost:3000/test -H "content-type:application/json" -d '{"secret": "request", "other": 1}'

I can see that "secret" is stripped from the request logs, but not from the response logs.

responseWhitelist

I also tried to only allow certain keys by using the responseWhitelist like that:

expressWinston.responseWhitelist.push('body.foo')

but even though my route is returning a key/value pair with the key "foo", no response body gets logged.

I prepared a reproduction example for you to try it out quickly.


mi-mazouz commented May 7, 2021

+1 it would be very nice to have this feature.

@nicolaspearson

This can be achieved by using a responseFilter, e.g.

import * as expressWinston from 'express-winston';

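// Replace the value of every blacklisted top-level key with a fixed marker.
function bodySanitizer(
  body: Record<string, unknown> | undefined,
  bodyBlacklist: string[] | undefined,
): Record<string, unknown> | undefined {
  if (body && bodyBlacklist) {
    for (const key of bodyBlacklist) {
      // Test for key presence rather than truthiness, so falsy values
      // (0, '', false, null) are redacted as well.
      if (key in body) {
        body[key] = 'REDACTED';
      }
    }
  }
  return body;
}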

const bodyBlacklist = ['secret'];

expressWinston.logger({
  bodyBlacklist,
  responseFilter: (res: expressWinston.FilterResponse, propName: string) => {
    if (propName === 'body') {
      res['body'] = bodySanitizer({ ...res['body'] }, bodyBlacklist);
    }
    return (res as any)[propName];
  },
});
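
An added example, not part of any comment in this thread and not express-winston's own code: a filter with the same `(res, propName)` signature as the `responseFilter` above. It goes beyond the top-level case discussed in the issue by redacting blacklisted keys at any depth, including inside arrays, and it never mutates the response object. The names `redactBody`, `redactingResponseFilter`, `REDACTED` and `BODY_BLACKLIST` are assumptions made for the example, and bodies are assumed to be parsed JSON values.

```typescript
// Illustrative names; nothing here is part of the express-winston API.
const REDACTED = 'REDACTED';
const BODY_BLACKLIST: readonly string[] = ['secret'];

// Return a redacted deep copy of a parsed JSON value. The input is never
// mutated, so the object that is actually sent to the client stays untouched.
function redactBody(value: unknown, blacklist: readonly string[]): unknown {
  if (Array.isArray(value)) {
    // Arrays may hold objects that carry blacklisted keys.
    return value.map((item) => redactBody(item, blacklist));
  }
  if (value !== null && typeof value === 'object') {
    const source = value as Record<string, unknown>;
    const copy: Record<string, unknown> = {};
    for (const key of Object.keys(source)) {
      // Decide on the key alone: a falsy value (0, '', false, null) under a
      // blacklisted key is still replaced.
      copy[key] =
        blacklist.indexOf(key) !== -1
          ? REDACTED
          : redactBody(source[key], blacklist);
    }
    return copy;
  }
  // Strings, numbers, booleans, null and undefined pass through unchanged,
  // which also covers non-JSON bodies that are logged as a plain string.
  return value;
}

// Same shape as the responseFilter option used above: return the value to log
// for propName, redacting only the body.
function redactingResponseFilter(
  res: Record<string, unknown>,
  propName: string,
): unknown {
  return propName === 'body'
    ? redactBody(res[propName], BODY_BLACKLIST)
    : res[propName];
}
```

Passed as `responseFilter` to `expressWinston.logger` alongside `bodyBlacklist`, this lets one list drive both request and response redaction.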

@cbeardsmore

+1 to this. The bodyBlacklist feature doesn't indicate that it's only for requests, so you would assume both req/res are covered. Having to use one list for req and a more in-depth approach for res sucks for consistency 😢

@prakashchokalingam

+1
