user984621

Reputation: 48453

Rails 6 - password showing up in logs even though I added it to the "filter_parameters"

I have a simple method for logging users' activity; it looks a bit like this:

def log_activity
  ...
  log_activity.params = params.inspect
  log_activity.save
  ...
end

When I look at the terminal console (and then at the DB), I can see the password printed out there:

LogActivity Create (2.0ms) INSERT INTO ... ("user_id", ..., "params") VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9) RETURNING "id" [["user_id", 13], ["params", "#<ActionController::Parameters {"authenticity_token"=>"gIHGES_Y74nFAtJ1xoH5YD3e28uPJ-icdDAqkGufjhfjdjhgfjhf", "user"=>{"email"=>"[email protected]", "password"=>"my-secret-password", "remember_me"=>"0"}, "commit"=>"Log in", "controller"=>"devise/sessions", "action"=>"create"} permitted: false>"], ["msg", "successfully signed in."], ["created_at", "2021-04-24 08:50:16.262145"], ["updated_at", "2021-04-24 08:50:16.262145"]]

How do I hide it from here and prevent it from being saved to the DB? I can probably check the params and manually remove it from the hash, however - is there a more elegant way of doing it?

I've read that I can disable logging the password by adding it to config/filter_parameter_logging.rb:

Rails.application.config.filter_parameters += [
  :passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :password
]

or adding it to the model (LogActivity.rb):

class LogActivity < ApplicationRecord
  self.filter_attributes=[:password]
end

or adding it to the application.rb file:

config.filter_parameters += ["password"]

However, even after restarting the server, none of these actions worked for me and the password is always shown in the terminal window and then stored in the database.

How do I filter it out?

Upvotes: 1

Views: 533

Answers (1)

AbM

Reputation: 7779

Use request.filtered_parameters to get the filtered parameters based on your Rails.application.config.filter_parameters configuration:

def log_activity
  ...
  log_activity.params = request.filtered_parameters.inspect
  log_activity.save
  ...
end

Upvotes: 1
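The security point behind the accepted answer is that `filter_parameters` only affects what Rails itself renders (the request log and `request.filtered_parameters`); a string you build yourself with `params.inspect` is never touched, so it leaks the plaintext password into your own log line and then into the database. The following is an added example, not code from the question, the answer or Rails: a stand-alone Ruby reimplementation of the key-matching rules of `config.filter_parameters` (case-insensitive substring match for strings and symbols, regexp match, nested hashes and arrays walked recursively) so it runs without Rails installed, plus a hypothetical `safe_to_persist?` guard you can run before saving any serialised params. `SAMPLE_PARAMS` is a constructed hash shaped like the log line in the question; the real Rails class is `ActiveSupport::ParameterFilter`, which this mirrors but does not reproduce (it also supports dotted key paths and proc filters, which are left out here).

```ruby
# Added example: stand-alone approximation of Rails' parameter filtering.
# Not the Rails implementation (ActiveSupport::ParameterFilter); written so
# the behaviour can be demonstrated without the rails gem.

FILTERED = "[FILTERED]".freeze

# Constructed sample, shaped like the params shown in the question's log line.
SAMPLE_PARAMS = {
  "authenticity_token" => "gIHGES_Y74nFAtJ1xoH5YD3e28uPJ-icdDAqkGufjhfjdjhgfjhf",
  "user" => {
    "email" => "[email protected]",
    "password" => "my-secret-password",
    "remember_me" => "0",
  },
  "commit" => "Log in",
  "controller" => "devise/sessions",
  "action" => "create",
}.freeze

# The same patterns the question adds to config.filter_parameters.
FILTER_PATTERNS = [
  :passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :password
].freeze

# A key is filtered when any pattern matches: regexps are matched as-is,
# strings/symbols are matched as case-insensitive substrings of the key
# (so :passw covers "password" and "password_confirmation").
def filtered_key?(key, patterns)
  key = key.to_s
  patterns.any? do |pattern|
    case pattern
    when Regexp then key.match?(pattern)
    else key.downcase.include?(pattern.to_s.downcase)
    end
  end
end

# Returns a deep copy of +value+ with every matching key's value replaced by
# "[FILTERED]", walking nested hashes and arrays. Non-matching leaves are kept.
def filter_parameters(value, patterns = FILTER_PATTERNS)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = filtered_key?(k, patterns) ? FILTERED : filter_parameters(v, patterns)
    end
  when Array
    value.map { |v| filter_parameters(v, patterns) }
  else
    value
  end
end

# Hypothetical guard (not part of Rails): refuse to persist a serialised
# string that still contains any of the given secret values. Run this on
# whatever you are about to write to log_activity.params.
def safe_to_persist?(serialized, secrets)
  secrets.none? { |secret| serialized.include?(secret) }
end

if __FILE__ == $PROGRAM_NAME
  puts "params.inspect           -> #{SAMPLE_PARAMS.inspect}"
  puts "filtered_parameters.inspect -> #{filter_parameters(SAMPLE_PARAMS).inspect}"
end
```

Run it with `ruby filter_demo.rb`: the first line still carries `my-secret-password`, the second shows `[FILTERED]` for both `password` and `authenticity_token` (matched by `:token`) while `email` and `remember_me` survive. In the real application the equivalent of `filter_parameters(SAMPLE_PARAMS)` is `request.filtered_parameters`, and the `safe_to_persist?` check is worth keeping as a belt-and-braces assertion in the activity logger so a new secret field that nobody added to `filter_parameters` fails loudly instead of landing in the table.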
