Merge pull request #60 from stfndamjanovic/header-sanitizer

Add option to sanitize sensitive headers

Author: freekmurze

README.md

@@ -68,6 +68,11 @@ return [
         'password',
         'password_confirmation',
     ],
+    
+    /*
+     * List of headers that will be sanitized. For example Authorization, Cookie, Set-Cookie...
+     */
+    'sanitize_headers' => [],
 ];
 ```
 
@@ -138,6 +143,25 @@ public function logRequest(Request $request): void
 }
 ```
 
+#### Hide sensitive headers
+
+You can define headers that you want to sanitize before sending them to the log. 
+The most common example would be Authorization header. If you don't want to log jwt token, you can add that header to `http-logger.php` config file:
+
+```php
+// in config/http-logger.php
+
+return [
+    // ...
+    
+    'sanitize_headers' => [
+        'Authorization'
+    ],
+];
+```
+
+Output would be `Authorization: "****"` instead of `Authorization: "Bearer {token}"`
+
 ### Testing
 
 ``` bash

config/http-logger.php

@@ -32,4 +32,8 @@
         'password_confirmation',
     ],
 
+    /*
+     * List of headers that will be sanitized. For example Authorization, Cookie, Set-Cookie...
+     */
+    'sanitize_headers' => [],
 ];

src/DefaultLogWriter.php

@@ -9,6 +9,8 @@
 
 class DefaultLogWriter implements LogWriter
 {
+    protected $sanitizer;
+
     public function logRequest(Request $request)
     {
         $message = $this->formatMessage($this->getMessage($request));
@@ -26,7 +28,7 @@ public function getMessage(Request $request)
             'method' => strtoupper($request->getMethod()),
             'uri' => $request->getPathInfo(),
             'body' => $request->except(config('http-logger.except')),
-            'headers' => $request->headers->all(),
+            'headers' => $this->getSanitizer()->clean($request->headers->all(), config('http-logger.sanitize_headers')),
             'files' => $files,
         ];
     }
@@ -51,4 +53,13 @@ public function flatFiles($file)
 
         return (string) $file;
     }
+
+    protected function getSanitizer()
+    {
+        if (!$this->sanitizer instanceof Sanitizer) {
+            $this->sanitizer = new Sanitizer();
+        }
+
+        return $this->sanitizer;
+    }
 }

src/Sanitizer.php

@@ -0,0 +1,50 @@
+<?php
+
+namespace Spatie\HttpLogger;
+
+class Sanitizer
+{
+    protected string $mask;
+
+    public function __construct(string $mask = "****")
+    {
+        $this->mask = $mask;
+    }
+
+    public function clean(array $input, $keys)
+    {
+        $keys = (array) $keys;
+
+        if (count($keys) === 0) {
+            return $input;
+        }
+
+        $keys = array_map([$this, 'normalize'], $keys);
+
+        foreach ($input as $key => $value) {
+            $normalizedKey = $this->normalize($key);
+
+            if (in_array($normalizedKey, $keys)) {
+                $input[$key] = is_array($value) ? [$this->mask] : $this->mask;
+
+                continue;
+            }
+
+            if (is_array($value)) {
+                $input[$key] = $this->clean($value, $keys);
+            }
+        }
+
+        return $input;
+    }
+
+    public function normalize(string $string)
+    {
+        return strtolower($string);
+    }
+
+    public function setMask(string $mask)
+    {
+        $this->mask = $mask;
+    }
+}

tests/DefaultLogWriterTest.php

@@ -127,3 +127,16 @@
     assertStringContainsString('testing.DEBUG', $log);
     assertStringContainsString('"name":"Name', $log);
 });
+
+it('will sanitize sensitive headers', function () {
+    config(['http-logger.sanitize_headers' => ['Authorization']]);
+
+    $request = $this->makeRequest('post', $this->uri, [], [], [], ['HTTP_Authorization' => 'Bearer {token}', 'HTTP_Api-Version' => '2.4.12']);
+
+    $this->logger->logRequest($request);
+
+    $log = $this->readLogFile();
+
+    assertStringContainsString('"authorization":["****"]', $log);
+    assertStringContainsString('"api-version":["2.4.12"]', $log);
+});