Server should not log to console.debug #39

Closed
faulpeltz opened this issue Dec 31, 2023 · 5 comments

Comments

@faulpeltz

verifySignature() logs various things to console.debug(), but there is no setting to turn this off other than overriding console.debug.

Some kind of setting would be helpful here because debug info isn't required most of the time.

Thanks for the awesome library 😃

@dagnelies
Collaborator

dagnelies commented Jan 1, 2024

I'm not familiar with all the frameworks out there, but can't you simply filter the logging levels you are interested in?

It seems kind of weird to me that any lib should support customizing logging verbosity, instead of filtering the logging levels for the whole application.

I'd be interested in hearing about how others are doing it.

@faulpeltz
Author

faulpeltz commented Jan 1, 2024

It's very uncommon for an npm library to use console log without any conditions/switches.

Using "debug" (https://www.npmjs.com/package/debug) is very common where you can control logging via an environment variable:

```
DEBUG=mypackage node app.js
```

```js
import Debug from 'debug';
const debugLog = Debug('mypackage');
debugLog('Debug information...');
```

(it also works in the browser but it's more common in NodeJS)

Also IMHO for anything related to security (like webauthn) just logging everything to console (which logs to stdout in node) is not a good idea, even though in this case it's probably not an issue.

Thanks

@dagnelies
Collaborator

Regarding the logging lib, it seems like the ecosystem is very fragmented currently, so I simply won't pick any.
There are also many solutions piping the "console" logs somewhere and filtering them.

However, as you said, it would be bad having sensitive information accidentally appearing in logs. Therefore I'll disable all debug logs by default and activate them only if the existing debug option flag is set too. I think that should work out for you too, to have less verbose logs.

@faulpeltz
Author

Great, that should work for us - And yes the ecosystem is very fragmented which is more or less the default state for npm/JS

@dagnelies
Collaborator

Disabled by default in latest release and added verbose flag to enable them on-demand.
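
An added example, not the library's code and not posted by either participant: one way to keep diagnostic output off unless a verbose option is set, as the resolution above describes, together with a helper that records what a call writes to console.debug so the default-silent behaviour can be checked in a test. The names `createDebugLog`, `verifyStub` and `captureDebug`, the `verbose` option shape and the sample input are assumptions for illustration, and the helper covers synchronous calls only.

```javascript
// Added example: createDebugLog, verifyStub and captureDebug are hypothetical
// names, not the library's API.

// Returns a logger that does nothing unless the caller opted in with verbose: true.
function createDebugLog(options = {}) {
  return options.verbose === true
    ? (...args) => console.debug('[webauthn-demo]', ...args)
    : () => {};
}

// Stand-in for a verification routine that emits diagnostic output.
// It only checks that a signature string is present; it does no cryptography.
function verifyStub(input, options = {}) {
  const debug = createDebugLog(options);
  debug('clientData', input.clientData);
  debug('signature', input.signature);
  return input.signature.length > 0;
}

// Runs fn while recording every console.debug call, then restores the
// original method even if fn throws. Returns fn's result and the captured lines.
function captureDebug(fn) {
  const original = console.debug;
  const lines = [];
  console.debug = (...args) => { lines.push(args.map(String).join(' ')); };
  try {
    return { result: fn(), lines };
  } finally {
    console.debug = original;
  }
}

// Constructed sample input, not real authenticator data.
const sample = { clientData: '{"type":"webauthn.get"}', signature: 'c2FtcGxl' };

const quiet = captureDebug(() => verifyStub(sample));
const loud = captureDebug(() => verifyStub(sample, { verbose: true }));
console.log('debug lines by default:', quiet.lines.length);
console.log('debug lines with verbose:', loud.lines.length);
```
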
