bajtos
commented
9 years ago @raymondfeng What is the purpose of server/middleware/metrics.js? AFAICT, the middleware is not included in the server, can we remove it?
ATM, strong-express-metrics reports url values including query string, for example:
/api/notes?access_token=eodfHYn0mp8anxEUSDUpKdMeUEgzvx5T
/oauth/authorize?client_id=123&redirect_uri=https%3A%2F%2Flocalhost%3A3001%2Fclient-side-app.html&response_type=token&scope=demo&state=123This has two consequences:
- The URLs displayed in the API metrics UI will most likely include query string too, which is most likely not what we want.
- The metrics are leaking potentially sensitive data like access tokens.
Regarding 1), I see two points of view:
- The data reported by strong-express-metrics & strong-agent should be as small as possible, it's up to the consumer (strong-pm?) to transform it to whatever format needed (path + query in this case).
- Becase this will be pretty common scenario, and so far the only consumer of metrics data is our UI, we can modify the record format reported by strong-express-metrics and provide path + query instead of url.
Regarding 2), I don't think there is much we can do, strong-express-metris is not the only component logging URLs. Other proxies or e.g. Common Log include this information too (AFAIK). Clients should send the access token in a header, not as a query parameter.
@altsang @kraman @sam-github thoughts?
raymondfeng
Close #30
/to @raymondfeng please review