ip2k / google-api-ruby-client

Automatically exported from code.google.com/p/google-api-ruby-client
Apache License 2.0

Request/response logging #17

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Please add support for optional logging of requests being sent to the APIs, 
including URL and payload (sanitized to remove auth data). Responses should 
also be logged, so that both inputs and outputs can easily be logged into the 
same location, simply by enabling a flag.

This is crucial when debugging user issues on Google's side, so that we can be 
absolutely certain of the inputs that the API is receiving, instead of having 
to analyse user code or attempt to reproduce the problem. Without this, it is 
very hard to identify whether an issue lies in user code, the API, or the 
client library.

Original issue reported on code.google.com by sergio.gomes%google.com@gtempaccount.com on 20 Sep 2011 at 3:34

GoogleCodeExporter commented 9 years ago
Actually, I'm wondering if you really want to sanitize auth data or not here. 
OAuth refresh tokens are revocable, and the only thing actually sent for OAuth 
2 is the access token, which expires after an hour typically. 

OAuth 1 sends substantially more in the headers:

  Authorization: OAuth realm="Example",
        oauth_consumer_key="0685bd9184jfhq22",
        oauth_token="ad180jjd733klru7",
        oauth_signature_method="HMAC-SHA1",
        oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
        oauth_timestamp="137131200",
        oauth_nonce="4572616e48616d6d65724c61686176",
        oauth_version="1.0"

However, notably missing here is the OAuth secret.

But considering that auth is far-and-away the most commonly problematic area 
for applications built on top of an API client, it seems to me that we may want 
to allow auth information to be included in the logs. Maybe strip the 
Authorization header by default, but provide a flag to disable auth stripping 
with an appropriate warning not to turn it on for production deployments?

Original comment by bobaman@google.com on 20 Sep 2011 at 6:25

GoogleCodeExporter commented 9 years ago
My concern is mostly with carelessly posting the full logs to public locations 
(such as this bug tracker), so your solution of stripping auth by default but 
having an optional flag would be fantastic; it would avoid unintentional 
sharing of auth data in public channels, while still allowing for debugging 
auth problems if going through more private ones.

Sounds good!

Thanks for looking into this, it will be invaluable for debugging.

Original comment by sergio.gomes%google.com@gtempaccount.com on 21 Sep 2011 at 11:43
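
The design agreed in the comments above (auth data stripped by default, an opt-in flag that logs it with a warning), sketched as an added example; it is not the client library's code or the FAQ's Faraday snippet. The class name `SanitizingHttpLogger`, the `include_auth` option, the lists of credential names and the sample request are assumptions made for illustration.

```ruby
require 'logger'
require 'stringio'

# Names treated as credentials (an assumed list for this example).
SENSITIVE_HEADERS = %w[authorization proxy-authorization cookie set-cookie].freeze
SENSITIVE_PARAMS  = %w[access_token refresh_token oauth_token oauth_signature client_secret].freeze
REDACTED = '[REDACTED]'

# Hypothetical helper: logs requests and responses to one logger.
class SanitizingHttpLogger
  def initialize(logger, include_auth: false)
    @logger = logger
    @include_auth = include_auth
    @logger.warn('auth data is being logged; keep this off in production') if include_auth
  end

  # mark is '>' for request lines and '<' for response lines.
  def log(mark, first_line, headers, body = nil)
    @logger.info("#{mark} #{scrub_form(first_line)}")
    headers.each { |k, v| @logger.info("#{mark} #{k}: #{scrub_header(k, v)}") }
    @logger.info("#{mark} #{scrub_form(body)}") if body
  end

  def scrub_header(name, value)
    (!@include_auth && SENSITIVE_HEADERS.include?(name.to_s.downcase)) ? REDACTED : value
  end

  # Redacts credential parameters in a URL query or form-encoded body;
  # other body formats (for example JSON) pass through unchanged.
  def scrub_form(text)
    return text if @include_auth
    text.gsub(/(\A|[?&;])(#{SENSITIVE_PARAMS.join('|')})=[^&;\s]*/i) { "#{$1}#{$2}=#{REDACTED}" }
  end
end

# Constructed sample exchange; returns the resulting log text.
def demo_log(include_auth: false)
  io = StringIO.new
  log = SanitizingHttpLogger.new(Logger.new(io), include_auth: include_auth)
  log.log('>', 'GET https://api.example.com/v1/items?access_token=SAMPLE_TOKEN&q=x',
          { 'Authorization' => 'Bearer SAMPLE_TOKEN', 'Accept' => 'application/json' })
  log.log('<', '200 OK', { 'Content-Type' => 'application/json' }, '{"items":[]}')
  io.string
end
```

With the default settings the whole `Authorization` value is replaced, which also covers the multi-field OAuth 1 header quoted earlier in the thread.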

GoogleCodeExporter commented 9 years ago
This will get solved accidentally by the conversion to Faraday for the HTTP 
stack. :-)

Original comment by bobaman@google.com on 10 Jan 2012 at 7:09

GoogleCodeExporter commented 9 years ago

Original comment by bobaman@google.com on 10 Jan 2012 at 7:11

GoogleCodeExporter commented 9 years ago
So, we're now using Faraday, but I think we need some example code in the 
documentation that shows how to do logging using a Faraday connection builder.

Original comment by bobaman@google.com on 12 Apr 2012 at 8:34

GoogleCodeExporter commented 9 years ago
I can take care of that.

Original comment by sergio.gomes%google.com@gtempaccount.com on 17 Apr 2012 at 2:44

GoogleCodeExporter commented 9 years ago
Awesome! Thank you!

Original comment by bobaman@google.com on 19 Apr 2012 at 10:08

GoogleCodeExporter commented 9 years ago
Added to FAQ: http://code.google.com/p/google-api-ruby-client/wiki/FAQ

Thanks!

Original comment by sergio.gomes%google.com@gtempaccount.com on 26 Apr 2012 at 3:32

GoogleCodeExporter commented 9 years ago

Original comment by bobaman@google.com on 27 Apr 2012 at 7:50