Scrub passwords from logs

[ayoung]

Is there a way to scrub/sanitize the passwords when logging?

The TokenRequestValidator logs the entire validated request which includes the password. This is seen as security issue for us.

Thanks.

[brockallen]

That's why logging is only designed for development time.

[ayoung]

Not all the time though. We may want to turn logging on when debugging a production issue.

[brockallen]

If you want to send a PR, then we can log a filtered version of that data structure. Make sure to make a copy of the validated request when logging (as opposed to just nulling out the sensitive properties).

[ayoung]

Ok. Thanks. Will do. You can close this for now.
On Sun, Oct 18, 2015 at 7:54 AM Brock Allen [email protected]
wrote:

If you want to send a PR, then we can log a filtered version of that data
structure. Make sure to make a copy of the validated request when logging
(as opposed to just nulling out the sensitive properties).

—
Reply to this email directly or view it on GitHub
#2038 (comment)
.

[leastprivilege]

I will split it up into several checkins (your PR included multiple concerns). thanks!