Add warning if :token parameters aren't filtered out of Rails logs

abevoelker · Sep 12, 2023 · b5f4adf · b5f4adf
1 parent 91cebed
commit b5f4adf
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@
 * `magic_link_(path|url)` view helpers are now implemented for all resources (cleans up mailer view template)
 * Tokenizer encoding now supports `:expires_at` option (#19, #21 - thanks @JoeyLeadJig and @bvsatyaram!)
 * Users will be redirected after magic link is sent (customized using `after_magic_link_sent_path_for`)
+* A warning will be logged if Rails's `filter_parameters` doesn't filter `:token`s from request logs
 
 ### Bugfixes
 

diff --git a/README.md b/README.md
@@ -445,7 +445,12 @@ end
 
 ## Rails logs security
 
-Default logging behavior in Rails can cause plaintext magic link tokens to leak into log files:
+Rails's default configuration filters `:token` parameters out of request logs (and
+`Devise::Passwordless` will issue a warning if it detects the configuration doesn't). So request
+logs shouldn't link magic link tokens.
+
+However, there are some other default Rails logging behaviors that may cause plaintext magic
+link tokens to leak into log files:
 
 1. Action Mailer logs the entire contents of all outgoing emails to the DEBUG level. Magic link tokens delivered to users in email will be leaked.
 2. Active Job logs all arguments to every enqueued job at the INFO level. If you configure Devise to use `deliver_later` to send passwordless emails, magic link tokens will be leaked.
@@ -456,7 +461,7 @@ Rails sets the production logger level to INFO by default. Consider changing you
 config.log_level = :warn
 ```
 
-(Adapted from the [Devise guide on password reset tokens][], which this section also applies to)
+(Partially adapted from the [Devise guide on password reset tokens][], which this section also applies to)
 
 [Devise guide on password reset tokens]: https://github.com/heartcombo/devise/blob/main/README.md#password-reset-tokens-and-rails-logs
 

diff --git a/lib/devise/passwordless/rails.rb b/lib/devise/passwordless/rails.rb
@@ -10,5 +10,16 @@ class Engine < Rails::Engine
         controller: :sessions,
       })
     end
+
+    initializer "devise_passwordless.log_filter_check" do
+      params = Rails.try(:application).try(:config).try(:filter_parameters) || []
+
+      unless params.map(&:to_sym).include?(:token)
+        warn "[DEVISE-PASSWORDLESS] We have detected that your Rails configuration does not " \
+              "filter :token parameters out of your logs. You should append :token to your " \
+              "config.filter_parameters Rails setting so that magic link tokens don't " \
+              "leak out of your logs."
+      end
+    end
   end
 end