From b5f4adfe5814ee8eff9b933cd1e100b71540979b Mon Sep 17 00:00:00 2001 From: Abe Voelker <_@abevoelker.com> Date: Tue, 12 Sep 2023 18:20:07 -0500 Subject: [PATCH] Add warning if :token parameters aren't filtered out of Rails logs --- CHANGELOG.md | 1 + README.md | 9 +++++++-- lib/devise/passwordless/rails.rb | 11 +++++++++++ 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 65ca7cf..5ff0819 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ * `magic_link_(path|url)` view helpers are now implemented for all resources (cleans up mailer view template) * Tokenizer encoding now supports `:expires_at` option (#19, #21 - thanks @JoeyLeadJig and @bvsatyaram!) * Users will be redirected after magic link is sent (customized using `after_magic_link_sent_path_for`) +* A warning will be logged if Rails's `filter_parameters` doesn't filter `:token`s from request logs ### Bugfixes diff --git a/README.md b/README.md index 1c18abf..afbe351 100644 --- a/README.md +++ b/README.md @@ -445,7 +445,12 @@ end ## Rails logs security -Default logging behavior in Rails can cause plaintext magic link tokens to leak into log files: +Rails's default configuration filters `:token` parameters out of request logs (and +`Devise::Passwordless` will issue a warning if it detects the configuration doesn't). So request +logs shouldn't link magic link tokens. + +However, there are some other default Rails logging behaviors that may cause plaintext magic +link tokens to leak into log files: 1. Action Mailer logs the entire contents of all outgoing emails to the DEBUG level. Magic link tokens delivered to users in email will be leaked. 2. Active Job logs all arguments to every enqueued job at the INFO level. If you configure Devise to use `deliver_later` to send passwordless emails, magic link tokens will be leaked. 
@@ -456,7 +461,7 @@ Rails sets the production logger level to INFO by default. Consider changing you config.log_level = :warn ``` -(Adapted from the [Devise guide on password reset tokens][], which this section also applies to) +(Partially adapted from the [Devise guide on password reset tokens][], which this section also applies to) [Devise guide on password reset tokens]: https://github.com/heartcombo/devise/blob/main/README.md#password-reset-tokens-and-rails-logs diff --git a/lib/devise/passwordless/rails.rb b/lib/devise/passwordless/rails.rb index 9d21a0b..911fd19 100644 --- a/lib/devise/passwordless/rails.rb +++ b/lib/devise/passwordless/rails.rb @@ -10,5 +10,16 @@ class Engine < Rails::Engine controller: :sessions, }) end + + initializer "devise_passwordless.log_filter_check" do + params = Rails.try(:application).try(:config).try(:filter_parameters) || [] + + unless params.map(&:to_sym).include?(:token) + warn "[DEVISE-PASSWORDLESS] We have detected that your Rails configuration does not " \ + "filter :token parameters out of your logs. You should append :token to your " \ + "config.filter_parameters Rails setting so that magic link tokens don't " \ + "leak out of your logs." + end + end end end
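Review bot: Typo in the README hunk at `@@ -445,7 +445,12 @@`: "So request logs shouldn't link magic link tokens" should read "shouldn't leak magic link tokens". The opening sentence of that paragraph is also worth qualifying: the `:token` entry comes from the application's generated `config/initializers/filter_parameter_logging.rb`, not from the framework itself, and the very existence of the new warning implies some apps (for example ones upgraded from older Rails templates that only filtered `:password`) will not have it, so "newly generated Rails applications filter `:token` parameters" would be more accurate than "Rails's default configuration".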
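Review bot: In the `lib/devise/passwordless/rails.rb` hunk, `params.map(&:to_sym).include?(:token)` raises `NoMethodError` when `config.filter_parameters` contains a `Regexp` or a `Proc`, both of which Rails accepts as filter entries, so the new initializer can break boot for such apps; an exact `include?(:token)` check also warns spuriously for apps that already filter tokens through a pattern such as `/token/i`. Consider testing the behaviour rather than the list, e.g. `ActiveSupport::ParameterFilter.new(params).filter("token" => "x")["token"] == "[FILTERED]"`, which handles every filter type Rails supports. The timing also needs checking: engine `initializer` blocks run before the application's own `config/initializers/*.rb` are loaded, and `filter_parameters` is normally populated in `config/initializers/filter_parameter_logging.rb`, so this check may fire on every boot even when the app is configured correctly; `config.after_initialize` would evaluate the final value. Lastly, `Rails.logger.warn` rather than `Kernel#warn` would put the message in the same logs the warning is about.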