Damon Aw

Reputation: 4792

Filter Parameter Logging in Rails - Database Queries

I have a method that calls User.find_by_remember_me_token(token) to authenticate a user by a token.

In config/application.rb, I added config.filter_parameters += [:password, :remember_me_token]

 User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."remember_me_token" = 'LktXTXH2YqHqztFgKNedfsdfRa

How do I get [FILTERED] for the remember_me_token in database queries?

This :remember_me_token is sent in HTTP headers.

Upvotes: 1

Views: 1614

Answers (3)

waiting4op2deliver

Reputation: 185

In Rails 6 I use the following techniques to hide a token from various logs and outputs.

def authenticate_user
  Rails.logger.info "Authenticating user..."
  # Rails.logger.silence suppresses log output (including the SQL line) for
  # everything inside the block. `token` is assumed to be a helper that reads
  # the remember-me token from the request header.
  Rails.logger.silence do
    @current_user ||= User.find_by(token: token)
  end
end

config/initializers/filter_parameter_logging.rb helps you filter the logs for parameters sent as GET/POST but does not assist with headers (if you log those).

filter_attributes helps you filter the console output when you inspect an object. This includes any automatically displayed return result or to_s. Curiously, it doesn't support custom printers like awesome-print.

I make sure, if I serialize a user, to exclude the fields:

render json: @users, except: User::EXCLUDED_JSON_FIELDS

and finally I just define the method to return nil:

def remember_me_token; end

which makes any call to @user.remember_me_token return nil

I don't use them for anything except a login event, so I never need to see what a user's token is from ruby. If I really care I can just look in the database.

Upvotes: 0

sangeethkumar

Reputation: 821

Add this config.log_level = :info in config/environments/development.rb

Upvotes: 2

sangeethkumar

Reputation: 821

You can add config.filter_parameters += [:password, :remember_me_token]

Below is an example, as I am getting [FILTERED] in database queries:

Started GET "/user/abcdef" for 127.0.0.1 at Sat Feb 18 15:21:00 +0530 2012
Processing by UserController#user_profile as HTML
  Parameters: {"remember_me_token"=>"[FILTERED]"}
  User Load (17.1ms)  SELECT `users`.* FROM `users` WHERE `users`.`remember_me_token` = 'abcdef' LIMIT 1
Rendered user/user_profile.erb within layouts/application (17.2ms)
Completed 200 OK in 4624ms (Views: 457.5ms | ActiveRecord: 17.1ms)

Upvotes: 3
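The thread makes two separate points: config.filter_parameters masks values in the "Parameters:" line, and (as waiting4op2deliver notes) nothing in Rails applies that list to the SQL that Active Record logs, so the literal still lands in the log unless the query is silenced, the log level is raised above debug, or the log output itself is redacted. The following is an added example, not code from any of the answers and not Rails' own implementation: it re-implements the hash masking that filter_parameters performs, and adds a stdlib Logger formatter that redacts quoted literals compared against the filtered column names, so a token leaked into a SQL line is masked before it is written. The key list, sample parameters and sample SQL lines are constructed for the example; in a real app the formatter would be assigned to Rails.logger.formatter in an initializer (assumed usage, not shown here).

```ruby
require "logger"
require "stringio"

# Keys/columns to mask, mirroring the question's config.filter_parameters entry.
FILTERED_KEYS = %w[password remember_me_token].freeze

# Request-parameter filtering: recursively masks values whose key matches,
# which is the effect filter_parameters has on the "Parameters:" log line.
# Stand-alone re-implementation for this example, not ActiveSupport's code.
def filter_params(params, keys = FILTERED_KEYS)
  case params
  when Hash
    params.each_with_object({}) do |(k, v), out|
      out[k] = keys.include?(k.to_s) ? "[FILTERED]" : filter_params(v, keys)
    end
  when Array
    params.map { |v| filter_params(v, keys) }
  else
    params
  end
end

# SQL-literal redaction: matches a filtered column (double-quoted, backtick-quoted
# or bare) followed by =, <>, != or LIKE and a single-quoted literal, and
# replaces only the literal. Doubled single quotes inside the literal are handled.
def sql_redaction_pattern(keys = FILTERED_KEYS)
  cols = keys.map { |k| Regexp.escape(k) }.join("|")
  /((["`]?)\b(?:#{cols})\b\2\s*(?:=|<>|!=|LIKE)\s*)'(?:[^']|'')*'/i
end

def redact_sql(line, keys = FILTERED_KEYS)
  line.gsub(sql_redaction_pattern(keys), "\\1'[FILTERED]'")
end

# A Logger whose formatter redacts every message before it is written, so the
# masking applies regardless of which code path produced the SQL line.
def build_redacting_logger(io, keys = FILTERED_KEYS)
  logger = Logger.new(io)
  pattern = sql_redaction_pattern(keys)
  logger.formatter = proc do |severity, _time, _progname, msg|
    "#{severity} #{msg.to_s.gsub(pattern, "\\1'[FILTERED]'")}\n"
  end
  logger
end

# Constructed sample data, modelled on the log lines quoted in the thread.
SAMPLE_PARAMS = {
  "remember_me_token" => "abcdef",
  "user" => { "password" => "hunter2", "name" => "alice" }
}.freeze
SAMPLE_SQL = [
  %q{User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."remember_me_token" = 'LktXTXH2YqHqztFgKNedfsdfRa' LIMIT 1},
  %q{User Load (0.3ms)  SELECT `users`.* FROM `users` WHERE `users`.`email` = 'alice@example.com' LIMIT 1},
  %q{User Update (0.5ms)  UPDATE "users" SET "password" = 'it''s secret' WHERE "users"."id" = 1}
].freeze

# Runs both filters and returns the lines that would have reached the log file.
def demo_log_lines
  io = StringIO.new
  logger = build_redacting_logger(io)
  logger.info("Parameters: #{filter_params(SAMPLE_PARAMS).inspect}")
  SAMPLE_SQL.each { |sql| logger.debug(sql) }
  io.string.lines.map(&:chomp)
end

puts demo_log_lines if $PROGRAM_NAME == __FILE__
```

The parameter filter alone never touches the SQL lines; only the formatter does, and it redacts by column name, so the email lookup stays readable while the token and password literals become '[FILTERED]'. Regex redaction of log text is a safety net for the lines that do get written; Rails.logger.silence around the lookup or a log level above :debug still avoids writing the query at all.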