Closed hedleysmith closed 7 years ago
I'm surprised that this is an issue; I remember we had dealt with it at some point. But that was probably the pre-bunyan logger. Waiting for the Travis build to complete and will review/merge. Thanks!
Yeah, could be worth including a conservative 'default' config somewhere so if people just 'turn on' logging it hides things like body.password for all requests. I'm not sure if/where the password field from successful login attempts is being blocked from being logged, but if this is happening somewhere, it could be added alongside there. Or perhaps there could be default options just straight in boot/logger.js.
@hedleysmith, sorry for the delay in responding to this. Been busy collaborating w/MIT CSAIL on some next gen oidc code and have unintentionally neglected this repo.
I will gladly accept a PR that defaults logging to hide the password if anyone has time.
cc: @tomkersten
Hello, I just created this PR: #354! Regards, Camille
The latest version of express-bunyan-logger includes the option to obfuscate specific fields based on patterns.
This is really useful if you want to hide the body.password field, which is currently logged for failed signin attempts. Often users type their email in incorrectly but their password correctly, so their valid password will be left hanging around in log files.
Will update docs with example of obfuscating as well.
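Added example, not part of the original thread and not express-bunyan-logger's own code: a stand-alone sketch of dotted-path redaction applied to a request log record before it is serialized, using the failed-signin case described above. `redactFields`, `DEFAULT_OBFUSCATE`, `toLogLine`, the `[HIDDEN]` placeholder, the `body.confirmPassword` path and the sample record are all assumptions made for illustration; only `body.password` comes from the thread.

```javascript
// Hypothetical helper names; the sample record below is constructed.
const PLACEHOLDER = '[HIDDEN]';

// Conservative default list that can be applied to every request.
const DEFAULT_OBFUSCATE = ['body.password', 'body.confirmPassword'];

// Return a deep copy of `record` with each listed dotted path replaced.
// Paths missing from the record are skipped, so the same list is safe
// for requests that carry no body or no password field.
function redactFields(record, paths, placeholder = PLACEHOLDER) {
  // Copy first: the logger must never mutate the live request body.
  const copy = JSON.parse(JSON.stringify(record));
  for (const path of paths) {
    const keys = path.split('.');
    const last = keys.pop();
    let node = copy;
    for (const key of keys) {
      node = node !== null && typeof node === 'object' ? node[key] : undefined;
      if (node === undefined) break;
    }
    const isObject = node !== null && typeof node === 'object';
    if (isObject && Object.prototype.hasOwnProperty.call(node, last)) {
      node[last] = placeholder;
    }
  }
  return copy;
}

// Serialize a record the way a JSON logger would, after redaction.
function toLogLine(record) {
  return JSON.stringify(redactFields(record, DEFAULT_OBFUSCATE));
}

// Constructed sample: failed sign-in where the email is mistyped
// but the password is the user's real one.
const failedSignin = {
  method: 'POST',
  url: '/signin',
  'status-code': 400,
  body: { email: 'alice@exmaple.com', password: 'correct-horse-battery' },
};

console.log(toLogLine(failedSignin));
```

Redacting a copy at serialization time keeps the sign-in handler's view of the request intact while the log file only ever receives the placeholder.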