diff --git a/packages/server/.env.example b/packages/server/.env.example
index 282e4cd33..219a17d1d 100644
--- a/packages/server/.env.example
+++ b/packages/server/.env.example
@@ -38,8 +38,6 @@ PORT=3000
 # DEBUG=true
 # LOG_PATH=/your_log_path/.flowise/logs
 # LOG_LEVEL=info #(error | warn | info | verbose | debug)
-# LOG_SANITIZE_BODY_FIELDS=password,pwd,pass,secret,token,apikey,api_key,accesstoken,access_token,refreshtoken,refresh_token,clientsecret,client_secret,privatekey,private_key,secretkey,secret_key,auth,authorization,credential,credentials
-# LOG_SANITIZE_HEADER_FIELDS=authorization,x-api-key,x-auth-token,cookie
 # TOOL_FUNCTION_BUILTIN_DEP=crypto,fs
 # TOOL_FUNCTION_EXTERNAL_DEP=moment,lodash
 # ALLOW_BUILTIN_DEP=false
diff --git a/packages/server/src/utils/logger.ts b/packages/server/src/utils/logger.ts
index 161129ca8..da64ee68f 100644
--- a/packages/server/src/utils/logger.ts
+++ b/packages/server/src/utils/logger.ts
@@ -193,71 +193,28 @@ requestLogger = createLogger({ ] }) -function getSensitiveBodyFields(): string[] { - return (process.env.LOG_SANITIZE_BODY_FIELDS as string) - .toLowerCase() - .split(',') - .map((f) => f.trim()) -} - -function getSensitiveHeaderFields(): string[] { - return (process.env.LOG_SANITIZE_HEADER_FIELDS as string) - .toLowerCase() - .split(',') - .map((f) => f.trim()) -} - -function sanitizeObject(obj: any): any { - if (!obj || typeof obj !== 'object') return obj - - const sensitiveFields = getSensitiveBodyFields() - const sanitized = Array.isArray(obj) ? [...obj] : { ...obj } - Object.keys(sanitized).forEach((key) => { - const lowerKey = key.toLowerCase() - if (sensitiveFields.includes(lowerKey)) { - sanitized[key] = '********' - } else if (typeof sanitized[key] === 'string') { - if (sanitized[key].includes('@') && sanitized[key].includes('.')) { - sanitized[key] = sanitized[key].replace(/([^@\s]+)@([^@\s]+)/g, '**********') - } - } - }) - - return sanitized -} - export function expressRequestLogger(req: Request, res: Response, next: NextFunction): void { const unwantedLogURLs = ['/api/v1/node-icon/', '/api/v1/components-credentials-icon/', '/api/v1/ping'] if (/\/api\/v1\//i.test(req.url) && !unwantedLogURLs.some((url) => new RegExp(url, 'i').test(req.url))) { - const isDebugLevel = logger.level === 'debug' || process.env.DEBUG === 'true' + // Create a sanitized copy of the request body + const sanitizedBody = { ...req.body } + if (sanitizedBody.password) { + sanitizedBody.password = '********' + } - const requestMetadata: any = { + // Use the shared requestLogger with request-specific metadata + const requestMetadata = { request: { method: req.method, url: req.url, - params: req.params + body: sanitizedBody, // Use sanitized body instead of raw body + query: req.query, + params: req.params, + headers: req.headers } } - // Only include headers, body, and query if log level is debug - if (isDebugLevel) { - const sanitizedBody = 
sanitizeObject(req.body) - const sanitizedQuery = sanitizeObject(req.query) - const sanitizedHeaders = { ...req.headers } - - const sensitiveHeaders = getSensitiveHeaderFields() - sensitiveHeaders.forEach((header) => { - if (sanitizedHeaders[header]) { - sanitizedHeaders[header] = '********' - } - }) - - requestMetadata.request.body = sanitizedBody - requestMetadata.request.query = sanitizedQuery - requestMetadata.request.headers = sanitizedHeaders - } - const getRequestEmoji = (method: string) => { const requetsEmojis: Record = { GET: '⬇️',
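Review bot: The new `requestMetadata` object attaches `headers: req.headers` and `query: req.query` verbatim for every `/api/v1/` request, so `authorization`, `cookie` and `x-api-key` headers (and any token passed as a query parameter) now reach the request log at every log level, whereas the removed code redacted them and only emitted body/query/headers when `isDebugLevel` was true. The only redaction that survives is the top-level `password` key of the body; API keys, tokens or secrets elsewhere in the body, in the query string, or in headers are written to the log file in clear. If dropping the env-driven field lists is intentional, I would still keep the debug gating and a hard-coded header redaction, roughly as below; otherwise this looks like a credential-leak regression rather than a simplification. `expressRequestLogger` continues past the end of this hunk.

```typescript
        // Only attach body/query/headers at debug level, and never log credential-bearing headers.
        const isDebugLevel = logger.level === 'debug' || process.env.DEBUG === 'true'
        const requestMetadata: Record<string, any> = {
            request: { method: req.method, url: req.url, params: req.params }
        }
        if (isDebugLevel) {
            const sanitizedBody = { ...req.body }
            if (sanitizedBody.password) sanitizedBody.password = '********'
            const sanitizedHeaders = { ...req.headers }
            for (const name of ['authorization', 'cookie', 'x-api-key', 'x-auth-token']) {
                if (sanitizedHeaders[name]) sanitizedHeaders[name] = '********'
            }
            requestMetadata.request.body = sanitizedBody
            requestMetadata.request.query = req.query
            requestMetadata.request.headers = sanitizedHeaders
        }
        // … unchanged: getRequestEmoji and the rest of the handler …
```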