Store plugin events in database, remove PII information from log files

[gbakeman]

Greetings,

I've just started using this plugin from working with Nuvei, thank you for your work on it so far.

We need to have logging on to troubleshoot some issues with payments, and I noticed that log files go to a directory in the uploads folder with default other-readable permissions set. I think with the kind of information that is being logged (with log level set to 0), this poses quite a security risk and I'd like to suggest a few ideas for mitigating this:

1. Change functionality to remove sensitive customer information from log files by default, with a default-off option to enable full information in limited and controlled circumstances.
2. Move all event recording into database storage, viewable and exportable from the administrative back-end, perhaps with direct cross-linking to the Nuvei Gateway Dashboard.

[miroslav-sc]

Into the logs folder are included: .htaccess file and index.html to prevent access to the folder. The name of the log files contain hash string so it is hard to be guessed the name of the file and open directly. Since v3.0.0 of the plugin an option for masking the user details in the log was added. If you use nginx you have to block the access to the logs folder.

[gbakeman]

Many thanks!