feat: implement sensitive data redaction and sanitization in BunGateLogger

jkyberneees · jkyberneees · commit 02bdeb25761e · 2025-11-09T16:28:25.000+01:00
diff --git a/src/logger/pino-logger.ts b/src/logger/pino-logger.ts
@@ -61,6 +61,49 @@ export class BunGateLogger implements Logger {
     const pinoConfig: any = {
       level: this.config.level,
       ...config,
+      // Redact sensitive information from logs
+      redact: {
+        paths: [
+          // API Keys
+          'apiKey',
+          'api_key',
+          '*.apiKey',
+          '*.api_key',
+          'headers.apiKey',
+          'headers.api_key',
+          'headers["x-api-key"]',
+          'headers["X-API-Key"]',
+          'headers["X-Api-Key"]',
+          'headers.authorization',
+          'headers.Authorization',
+          // JWT tokens
+          'token',
+          'accessToken',
+          'access_token',
+          'refreshToken',
+          'refresh_token',
+          'jwt',
+          '*.token',
+          '*.jwt',
+          // Passwords and secrets
+          'password',
+          'passwd',
+          'secret',
+          'privateKey',
+          'private_key',
+          '*.password',
+          '*.secret',
+          // Credit card data
+          'creditCard',
+          'cardNumber',
+          'cvv',
+          'ccv',
+          // Other sensitive fields
+          'ssn',
+          'social_security',
+        ],
+        censor: '[REDACTED]',
+      },
     }
 
     // Configure pretty printing for development
@@ -88,6 +131,64 @@ export class BunGateLogger implements Logger {
     this.pino = pino(pinoConfig)
   }
 
+  /**
+   * Sanitizes sensitive data from objects before logging
+   * Provides an additional layer of protection beyond Pino's redaction
+   */
+  private sanitizeData(data: any): any {
+    if (!data || typeof data !== 'object') {
+      return data
+    }
+
+    // Create a shallow copy to avoid mutating the original
+    const sanitized = Array.isArray(data) ? [...data] : { ...data }
+
+    // List of sensitive field names (case-insensitive patterns)
+    const sensitiveKeys = [
+      'apikey',
+      'api_key',
+      'x-api-key',
+      'authorization',
+      'token',
+      'accesstoken',
+      'access_token',
+      'refreshtoken',
+      'refresh_token',
+      'jwt',
+      'password',
+      'passwd',
+      'secret',
+      'privatekey',
+      'private_key',
+      'creditcard',
+      'cardnumber',
+      'cvv',
+      'ccv',
+      'ssn',
+      'social_security',
+    ]
+
+    for (const key in sanitized) {
+      if (Object.prototype.hasOwnProperty.call(sanitized, key)) {
+        const lowerKey = key.toLowerCase()
+
+        // Check if key matches sensitive patterns
+        if (sensitiveKeys.some((pattern) => lowerKey.includes(pattern))) {
+          sanitized[key] = '[REDACTED]'
+        }
+        // Recursively sanitize nested objects
+        else if (
+          typeof sanitized[key] === 'object' &&
+          sanitized[key] !== null
+        ) {
+          sanitized[key] = this.sanitizeData(sanitized[key])
+        }
+      }
+    }
+
+    return sanitized
+  }
+
   getSerializers(): LoggerOptions['serializers'] | undefined {
     return this.config.serializers
   }
@@ -99,9 +200,11 @@ export class BunGateLogger implements Logger {
     dataOrMsg?: Record<string, any> | string,
   ): void {
     if (typeof msgOrObj === 'string') {
-      this.pino.info(dataOrMsg || {}, msgOrObj)
+      const sanitizedData = this.sanitizeData(dataOrMsg || {})
+      this.pino.info(sanitizedData, msgOrObj)
     } else {
-      this.pino.info(msgOrObj, dataOrMsg as string)
+      const sanitizedObj = this.sanitizeData(msgOrObj)
+      this.pino.info(sanitizedObj, dataOrMsg as string)
     }
   }
 
@@ -112,9 +215,11 @@ export class BunGateLogger implements Logger {
     dataOrMsg?: Record<string, any> | string,
   ): void {
     if (typeof msgOrObj === 'string') {
-      this.pino.debug(dataOrMsg || {}, msgOrObj)
+      const sanitizedData = this.sanitizeData(dataOrMsg || {})
+      this.pino.debug(sanitizedData, msgOrObj)
     } else {
-      this.pino.debug(msgOrObj, dataOrMsg as string)
+      const sanitizedObj = this.sanitizeData(msgOrObj)
+      this.pino.debug(sanitizedObj, dataOrMsg as string)
     }
   }
 
@@ -125,9 +230,11 @@ export class BunGateLogger implements Logger {
     dataOrMsg?: Record<string, any> | string,
   ): void {
     if (typeof msgOrObj === 'string') {
-      this.pino.warn(dataOrMsg || {}, msgOrObj)
+      const sanitizedData = this.sanitizeData(dataOrMsg || {})
+      this.pino.warn(sanitizedData, msgOrObj)
     } else {
-      this.pino.warn(msgOrObj, dataOrMsg as string)
+      const sanitizedObj = this.sanitizeData(msgOrObj)
+      this.pino.warn(sanitizedObj, dataOrMsg as string)
     }
   }
 
@@ -151,9 +258,11 @@ export class BunGateLogger implements Logger {
             }
           : {}),
       }
-      this.pino.error(errorData, msgOrObj)
+      const sanitizedData = this.sanitizeData(errorData)
+      this.pino.error(sanitizedData, msgOrObj)
     } else {
-      this.pino.error(msgOrObj, errorOrMsg as string)
+      const sanitizedObj = this.sanitizeData(msgOrObj)
+      this.pino.error(sanitizedObj, errorOrMsg as string)
     }
   }
 
diff --git a/test/logger/pino-logger.test.ts b/test/logger/pino-logger.test.ts
@@ -78,4 +78,69 @@ describe('BunGateLogger', () => {
     const noMetricsLogger = createLogger({ enableMetrics: false })
     expect(() => noMetricsLogger.logMetrics('cache', 'get', 1)).not.toThrow() // should not log
   })
+
+  test('should sanitize sensitive data from logs', () => {
+    const logger = new BunGateLogger({
+      level: 'debug',
+    })
+
+    // Test that the logger doesn't throw when logging sensitive data
+    // The sanitization is tested by verifying the method exists and executes
+    expect(() => {
+      logger.info('User login', {
+        username: 'testuser',
+        password: 'secret123',
+        apiKey: 'api-key-12345',
+        token: 'jwt-token-abc',
+      })
+    }).not.toThrow()
+
+    expect(() => {
+      logger.debug('Request with sensitive headers', {
+        headers: {
+          'x-api-key': 'sensitive-key',
+          authorization: 'Bearer secret-token',
+        },
+      })
+    }).not.toThrow()
+  })
+
+  test('should sanitize nested sensitive data', () => {
+    const logger = new BunGateLogger({
+      level: 'debug',
+    })
+
+    // Test with nested sensitive data
+    expect(() => {
+      logger.debug('Request details', {
+        user: {
+          id: 123,
+          name: 'John',
+          apiKey: 'nested-api-key',
+          password: 'password123',
+        },
+        headers: {
+          'content-type': 'application/json',
+          'x-api-key': 'header-api-key',
+          authorization: 'Bearer token123',
+        },
+      })
+    }).not.toThrow()
+  })
+
+  test('should sanitize sensitive data in error logs', () => {
+    const logger = new BunGateLogger({
+      level: 'error',
+    })
+
+    const error = new Error('Authentication failed')
+    expect(() => {
+      logger.error('Login error', error, {
+        username: 'user',
+        password: 'pass123',
+        secret: 'my-secret',
+        apiKey: 'test-key',
+      })
+    }).not.toThrow()
+  })
 })
