From 7b540309d8f787cba412dd4775a64b543b35981f Mon Sep 17 00:00:00 2001 From: Christoph Benjamin Weber Date: Sat, 30 Sep 2017 13:20:22 +0200 Subject: [PATCH 1/3] hide secrets from log output add log and sanitze function and used that over console.log closes #34 --- server.js | 34 ++++++++++++++++++++++++++++------ 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/server.js b/server.js index a340294..082aa3b 100644 --- a/server.js +++ b/server.js @@ -10,11 +10,15 @@ var url = require('url'), // Environment variables override defaults. function loadConfig() { var config = JSON.parse(fs.readFileSync(__dirname+ '/config.json', 'utf-8')); + log('Configuration'); for (var i in config) { config[i] = process.env[i.toUpperCase()] || config[i]; + if (i === 'oauth_client_id' || i === 'oauth_client_secret') { + log(i + ':', config[i], true); + } else { + log(i + ':', config[i]); + } } - console.log('Configuration'); - console.log(config); return config; } @@ -49,6 +53,19 @@ function authenticate(code, cb) { req.on('error', function(e) { cb(e.message); }); } +function log(label, value, sanitized) { + value = value || ''; + if (sanitized){ + if (typeof(value) === 'string' && value.length > 10){ + console.log(label, value.substring(3,0) + '...'); + } else { + console.log(label, '...'); + } + } else { + console.log(label, value); + } +} + // Convenience for allowing CORS on routes - GET only app.all('*', function (req, res, next) { 
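Review bot: The masking in loadConfig is keyed on two hard-coded names, `oauth_client_id` and `oauth_client_secret`, so any other config key that carries a credential — now or after a future addition to config.json — falls into the `else` branch and is printed in full. A single list makes the policy visible and easy to extend: `var SENSITIVE_KEYS = ['oauth_client_id', 'oauth_client_secret'];` at module level and `log(i + ':', config[i], SENSITIVE_KEYS.indexOf(i) !== -1);` inside the loop. Because the loop first overrides each value from `process.env`, the same masking then covers values from either source, which is what the commit is after. loadConfig is complete within the hunk.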
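Review bot: `value.substring(3,0)` in the new log function yields the first three characters only because String.prototype.substring swaps its arguments when start is greater than end; a reader has to know that quirk to see the line is not a no-op. `value.slice(0, 3)` (or `substring(0, 3)`) states the intent directly and behaves the same here. Separately, printing any leading characters of a client secret or access token hands a log reader partial knowledge of the credential, so the trade-off deserves a comment in the function header, e.g. `// keeps a short prefix so operators can tell which credential was loaded; never the full value`. The function is complete within the hunk.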
@@ -60,10 +77,15 @@ app.all('*', function (req, res, next) { app.get('/authenticate/:code', function(req, res) { - console.log('authenticating code:' + req.params.code); + log('authenticating code:', req.params.code, true); authenticate(req.params.code, function(err, token) { - var result = err || !token ? {"error": "bad_code"} : { "token": token }; - console.log(result); + if ( err || !token ) { + result = {"error": "bad_code"}; + log(result.error); + } else { + result = {"token": token}; + log("token", result.token, true); + } res.json(result); }); }); @@ -71,5 +93,5 @@ app.get('/authenticate/:code', function(req, res) { var port = process.env.PORT || config.port || 9999; app.listen(port, null, function (err) { - console.log('Gatekeeper, at your service: http://localhost:' + port); + log('Gatekeeper, at your service: http://localhost:' + port); }); From 52ba3f46cc2bbb6fa39ad011fba210b49d42ff2c Mon Sep 17 00:00:00 2001 From: Christoph Benjamin Weber Date: Thu, 5 Oct 2017 21:10:39 +0200 Subject: [PATCH 2/3] replace introduced strings and document log fn --- server.js | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/server.js b/server.js index 082aa3b..fd74605 100644 --- a/server.js +++ b/server.js @@ -6,6 +6,10 @@ var url = require('url'), express = require('express'), app = express(); +var TRUNCATE_THRESHOLD = 10, + REVEALED_CHARS = 3, + REPLACEMENT = '***'; + // Load config defaults from JSON file. // Environment variables override defaults. function loadConfig() { 
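Review bot: The `var` from the removed `var result = ...` line is gone, so `result = {"error": "bad_code"}` and `result = {"token": token}` now assign an undeclared identifier; in sloppy mode that creates an implicit global shared by every request handled by the process, and under `'use strict'` it throws a ReferenceError. Declare it in the callback before the branch: `var result;` directly above `if ( err || !token ) {`. The handler then keeps one `result` per request, as the original code did.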
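Review bot: The three new constants carry no explanation of how they interact, yet log only keeps a prefix when the value is longer than `TRUNCATE_THRESHOLD`, and `REVEALED_CHARS` has to stay well below that threshold or the mask hides little. A comment above the declaration would capture the contract: `// Sanitized strings longer than TRUNCATE_THRESHOLD keep their first REVEALED_CHARS characters followed by REPLACEMENT; anything shorter (or non-string) is logged as REPLACEMENT alone.` A second line, `// Keep REVEALED_CHARS small relative to TRUNCATE_THRESHOLD so most of a secret is never exposed.`, records the constraint for whoever tunes the values later.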
@@ -53,13 +57,21 @@ function authenticate(code, cb) { req.on('error', function(e) { cb(e.message); }); } +/** + * Handles logging to the console. + * Logged values can be sanitized before they are logged + * + * @param {string} label - label for the log message + * @param {Object||string} value - the actual log message, can be a string or a plain object + * @param {boolean} sanitized - should the value be sanitized before logging? + */ function log(label, value, sanitized) { value = value || ''; if (sanitized){ - if (typeof(value) === 'string' && value.length > 10){ - console.log(label, value.substring(3,0) + '...'); + if (typeof(value) === 'string' && value.length > TRUNCATE_THRESHOLD){ + console.log(label, value.substring(REVEALED_CHARS,0) + REPLACEMENT); } else { - console.log(label, '...'); + console.log(label, REPLACEMENT); } } else { console.log(label, value); From fc61ca483c4f865c0b686d89833ba3fec4bda563 Mon Sep 17 00:00:00 2001 From: Christoph Benjamin Weber Date: Sun, 15 Oct 2017 20:37:35 +0200 Subject: [PATCH 3/3] allow server err msg to be logged --- server.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server.js b/server.js index fd74605..66739b5 100644 --- a/server.js +++ b/server.js @@ -92,7 +92,7 @@ app.get('/authenticate/:code', function(req, res) { log('authenticating code:', req.params.code, true); authenticate(req.params.code, function(err, token) { if ( err || !token ) { - result = {"error": "bad_code"}; + result = {"error": err || "bad_code"}; log(result.error); } else { result = {"token": token};
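Review bot: The JSDoc type `{Object||string}` in the new header is not valid JSDoc — a union takes a single bar, `{Object|string}`, and tooling that parses the tag will otherwise misreport the type. The `@param {boolean} sanitized` line would also be more useful if it said what sanitizing does, since that behaviour is the point of the function: `@param {boolean} sanitized - when true, strings longer than TRUNCATE_THRESHOLD are logged as their first REVEALED_CHARS characters plus REPLACEMENT; any other value is logged as REPLACEMENT`. The function closes outside the hunk.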
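Review bot: `result = {"error": err || "bad_code"}` places the raw error value into the JSON body that `res.json(result)` sends back to the caller (visible in the earlier hunk of this file), and the `err` reaching this callback includes `e.message` from the upstream request's `req.on('error', ...)` handler, so transport-level failures such as connection or DNS errors are now disclosed to an unauthenticated client. The commit message says the goal is to log the server error, which the `log(result.error)` line already does without touching the response; keep the client-facing value generic and log the detail instead: `result = {"error": "bad_code"};` followed by `log('authentication failed:', err || result.error);`. Any other `err` shapes produced inside authenticate beyond what is visible here would be exposed the same way. The callback and route handler continue past the end of the hunk.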