CodeBiker

Reputation: 3253

Filtering sensitive information from DelayedJob logging

Rails 3 has a nice feature in config/application.rb that allows one to filter sensitive information, such as passwords, from appearing in logs, as shown below:

config.filter_parameters += [:password, :creditcardnum]

However, my question lies in how to filter that same information from logging elsewhere. For example, I am using DelayedJob, and even though my password is filtered from my development log, it still appears when DelayedJob logs (and I imagine something similar would happen with similarly working gems):

SQL (14.3ms) INSERT INTO "delayed_jobs" ("attempts", "created_at", "failed_at", "handler", "last_error", "locked_at", "locked_by", "priority", "queue", "run_at", "updated_at") VALUES (blah blah blah...) username: [email protected]\n password: MYPASSWORDHERE\n method_name: :destroy\nargs: []\n"], ["last_error", nil], ["locked_at", nil], ["locked_by", nil], ["priority", 0], ["queue", nil], ["run_at", Wed, 03 Jul 2013 03:07:02 UTC +00:00], ["updated_at", Wed, 03 Jul 2013 03:07:02 UTC +00:00]]

Would you have any thoughts on this?

Upvotes: 0

Views: 335

Answers (1)

Domon

Reputation: 6823

I suggest sending only non-sensitive information to delayed job.

For example, the following code sends the full user object (including password or any other sensitive information) to delayed job:

user.delay.activate

To prevent that, first we can prepare an ActivateUserJob:

class ActivateUserJob < Struct.new(:user_id)
  def perform
    user = User.find(user_id)
    user.activate
  end
end

Then, enqueue the job when needed. This way, only the id of the user is revealed:

Delayed::Job.enqueue ActivateUserJob.new(user.id)

Upvotes: 1
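The effect of the answer's approach on the `handler` column, as an added example that is not part of the original posts or of DelayedJob: it mimics the YAML serialization of a job and checks which sensitive attribute names end up in the payload. `User`, `MethodCallJob`, `handler_for`, `leaked_keys` and `assert_safe_to_enqueue!` are hypothetical names, and the user record is constructed sample data.

```ruby
require "yaml"

# Constructed stand-in for the ActiveRecord model; attribute names follow the
# question's log output.
class User
  attr_reader :id, :username, :password

  def initialize(id, username, password)
    @id = id
    @username = username
    @password = password
  end
end

# Job from the answer: carries only the primary key.
ActivateUserJob = Struct.new(:user_id)
# Hypothetical stand-in for what `user.delay.activate` stores: the whole object
# plus method name and args, matching the fields visible in the question's log.
MethodCallJob = Struct.new(:object, :method_name, :args)

# Same attribute names as in the question's filter_parameters line.
SENSITIVE_KEYS = %w[password creditcardnum].freeze

# Mimics DelayedJob writing the job as YAML into the "handler" column.
def handler_for(job)
  YAML.dump(job)
end

# Sensitive attribute names that appear as mapping keys in the payload.
def leaked_keys(handler)
  SENSITIVE_KEYS.select { |key| handler.match?(/^\s*#{Regexp.escape(key)}:/) }
end

# Guard to call before enqueuing: refuses payloads that embed sensitive keys.
def assert_safe_to_enqueue!(job)
  leaked = leaked_keys(handler_for(job))
  raise ArgumentError, "handler would contain: #{leaked.join(', ')}" unless leaked.empty?
  job
end

user = User.new(42, "alice@example.test", "MYPASSWORDHERE") # constructed sample data
puts handler_for(MethodCallJob.new(user, :activate, [])) # includes the password line
puts handler_for(ActivateUserJob.new(user.id))           # only user_id
```

Because the secret is inside the serialized handler string rather than a request parameter, `config.filter_parameters` never sees it; keeping it out of the payload is what removes it from the SQL log line.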
