Don't log request tokens

Logging the http request object causes us to log all request tokens to our server logs. Best practice is to never log arbitrary objects, and to whitelist the specific headers we want to log. Once deployed, we need to create a new release that suggests all users rotate their user tokens.
gocardless · Jul 23, 2020 · 10b20fc · 10b20fc
1 parent 8eaca42
commit 10b20fc
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/pkg/server/api/middleware/logger.go b/pkg/server/api/middleware/logger.go
@@ -25,8 +25,16 @@ func NewRequestLogger(logger log.Logger) chain.Middleware {
 			// recorder.
 			recorder := httptest.NewRecorder()
 
+			// Add a collection of headers that might be useful to log
 			scopedLogger := logger.
-				With("http_request", r)
+				With("method", r.Method).
+				With("path", r.URL.String()).
+				With("headers__host", r.Header.Get("Host")).
+				With("headers__content_type", r.Header.Get("Content-Type")).
+				With("headers__x_forwarded_for", r.Header.Get("X-Forwarded-For")).
+				With("headers__x_cloud_trace_context", r.Header.Get("X-Cloud-Trace-Context")).
+				With("headers__draupnir_version", r.Header.Get("Draupnir-Version")).
+				With("headers__user_agent", r.Header.Get("User-Agent"))
 
 			// This coupling between middlewares isn't great, but it is valuable to
 			// get the IP address injected into the logger early in the chain.
@@ -47,16 +55,14 @@ func NewRequestLogger(logger log.Logger) chain.Middleware {
 			duration := time.Since(start)
 
 			requestLine := fmt.Sprintf(
-				"%s %s %d %f\n",
+				"%s %s %d %f",
 				r.Method,
 				r.URL.String(),
 				recorder.Code,
 				duration.Seconds(),
 			)
 
 			scopedLogger.
-				With("method", r.Method).
-				With("path", r.URL.String()).
 				With("status", recorder.Code).
 				With("duration", duration.Seconds()).
 				Info(requestLine)