fix(server): make sure apollo logging works and it doesn't leak sensitive stuff (#1520)

packages/server/logging/apolloPlugin.js

@@ -20,7 +20,7 @@ module.exports = {
           return
         }
 
-        let logger = ctx.log || graphqlLogger
+        let logger = ctx.context.log || graphqlLogger
 
         const op = `GQL ${ctx.operation.operation} ${ctx.operation.selectionSet.selections[0].name.value}`
         const name = `GQL ${ctx.operation.selectionSet.selections[0].name.value}`
@@ -42,12 +42,12 @@ module.exports = {
 
         Sentry.configureScope((scope) => scope.setSpan(transaction))
         ctx.request.transaction = transaction
-        ctx.log = logger
+        ctx.context.log = logger
       },
       didEncounterErrors(ctx) {
         if (!ctx.operation) return
 
-        let logger = ctx.log || graphqlLogger
+        let logger = ctx.context.log || graphqlLogger
 
         for (const err of ctx.errors) {
           if (err instanceof ApolloError) {
@@ -85,7 +85,7 @@ module.exports = {
         }
       },
       willSendResponse(ctx) {
-        const logger = ctx.log || graphqlLogger
+        const logger = ctx.context.log || graphqlLogger
         logger.info('graphql response')
 
         if (ctx.request.transaction) {

packages/server/modules/shared/middleware/index.ts

@@ -89,14 +89,18 @@ export async function authContextMiddleware(
 ) {
   const token = getTokenFromRequest(req)
   const authContext = await createAuthContextFromToken(token)
-  req.log = req.log.child({ authContext })
+  const loggedContext = Object.fromEntries(
+    Object.entries(authContext).filter(
+      ([key]) => !['token'].includes(key.toLocaleLowerCase())
+    )
+  )
+  req.log = req.log.child({ authContext: loggedContext })
   if (!authContext.auth && authContext.err) {
     let message = 'Unknown Auth context error'
     let status = 500
     message = authContext.err?.message || message
     if (authContext.err instanceof UnauthorizedError) status = 401
     if (authContext.err instanceof ForbiddenError) status = 403
-    req.log.warn('Auth context creation failed.')
     return res.status(status).json({ error: message })
   }
   req.context = authContext