Merge pull request #18 from Kelvin4664/hide-sensitive-data

vishalanandl177 · web-flow · commit a84100640b02 · 2021-06-04T14:26:22.000+05:30
Filter sensitive keys from logs
diff --git a/README.md b/README.md
@@ -155,6 +155,12 @@ DRF_API_LOGGER_SKIP_URL_NAME = ['url_name1', 'url_name2']
 
 Note: It does not log Django Admin Panel API calls.
 
+### Hide Sensitive Data From Logs
+You may wish to hide sensitive information from being exposed in the logs. You do this by setting `DRF_API_LOGGER_EXCLUDE_KEYS` in settings.py to a list of your desired sensitive keys. The default is
+```python
+DRF_API_LOGGER_EXCLUDE_KEYS = ['password', 'token', 'access', 'refresh']
+```
+
 ### API with or without Host
 You can specify an endpoint of API should have absolute URI or not by setting this variable in DRF settings.py file.
 ```python
diff --git a/drf_api_logger/middleware/api_logger_middleware.py b/drf_api_logger/middleware/api_logger_middleware.py
@@ -7,7 +7,7 @@
 
 from drf_api_logger import API_LOGGER_SIGNAL
 from drf_api_logger.start_logger_when_server_starts import LOGGER_THREAD
-from drf_api_logger.utils import get_headers, get_client_ip
+from drf_api_logger.utils import get_headers, get_client_ip, mask_sensitive_data
 
 """
 File: api_logger_middleware.py
@@ -100,11 +100,11 @@ def __call__(self, request):
 
                 data = dict(
                     api=api,
-                    headers=headers,
-                    body=request_data,
+                    headers=mask_sensitive_data(headers),
+                    body=mask_sensitive_data(request_data),
                     method=method,
                     client_ip_address=get_client_ip(request),
-                    response=response_body,
+                    response=mask_sensitive_data(response_body),
                     status_code=response.status_code,
                     execution_time=time.time() - start_time,
                     added_on=timezone.now()
diff --git a/drf_api_logger/utils.py b/drf_api_logger/utils.py
@@ -1,6 +1,10 @@
 import re
 from django.conf import settings
 
+SENSITIVE_KEYS = ['password', 'token', 'access', 'refresh']
+if hasattr(settings, 'DRF_API_LOGGER_EXCLUDE_KEYS'):
+    if type(settings.DRF_API_LOGGER_EXCLUDE_KEYS) in (list, tuple):
+        SENSITIVE_KEYS.extend(settings.DRF_API_LOGGER_EXCLUDE_KEYS)
 
 def get_headers(request=None):
     """
@@ -40,3 +44,22 @@ def database_log_enabled():
     if hasattr(settings, 'DRF_API_LOGGER_DATABASE'):
         drf_api_logger_database = settings.DRF_API_LOGGER_DATABASE
     return drf_api_logger_database
+
+
+def mask_sensitive_data(data):
+    """
+    Hides sensitive keys specified in sensitive_keys settings.
+    Loops recursively over nested dictionaries.
+    """
+
+    if type(data) != dict:
+      return data
+
+    for key, value in data.items():
+      if key in SENSITIVE_KEYS:
+        data[key] = "***FILTERED***"
+
+      if type(value) == dict:
+        data[key] = mask_sensitive_data(data[key])
+
+    return data
