From 84ea2b1043a917de0b26be8a7d76b15cb4fb7edc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20Jedlicska?= <57442769+gjedlicska@users.noreply.github.com>
Date: Wed, 12 Apr 2023 14:39:03 +0200
Subject: [PATCH] fix(server): make sure apollo logging works and it doesn't leak sensitive stuff (#1520)
---
 packages/server/logging/apolloPlugin.js | 8 ++++----
 packages/server/modules/shared/middleware/index.ts | 8 ++++++--
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/packages/server/logging/apolloPlugin.js b/packages/server/logging/apolloPlugin.js
index 81d83e2f3..721215072 100644
--- a/packages/server/logging/apolloPlugin.js
+++ b/packages/server/logging/apolloPlugin.js
@@ -20,7 +20,7 @@ module.exports = {
 return
 }
- let logger = ctx.log || graphqlLogger
+ let logger = ctx.context.log || graphqlLogger
 const op = `GQL ${ctx.operation.operation} ${ctx.operation.selectionSet.selections[0].name.value}`
 const name = `GQL ${ctx.operation.selectionSet.selections[0].name.value}`
@@ -42,12 +42,12 @@ module.exports = {
 Sentry.configureScope((scope) => scope.setSpan(transaction))
 ctx.request.transaction = transaction
- ctx.log = logger
+ ctx.context.log = logger
 },
 didEncounterErrors(ctx) {
 if (!ctx.operation) return
- let logger = ctx.log || graphqlLogger
+ let logger = ctx.context.log || graphqlLogger
 for (const err of ctx.errors) {
 if (err instanceof ApolloError) {
@@ -85,7 +85,7 @@ module.exports = {
 }
 },
 willSendResponse(ctx) {
- const logger = ctx.log || graphqlLogger
+ const logger = ctx.context.log || graphqlLogger
 logger.info('graphql response')
 if (ctx.request.transaction) {
diff --git a/packages/server/modules/shared/middleware/index.ts b/packages/server/modules/shared/middleware/index.ts
index 6d2e53ad2..f3d595461 100644
--- a/packages/server/modules/shared/middleware/index.ts
+++ b/packages/server/modules/shared/middleware/index.ts
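Review bot: In the `@@ -20,7` and `@@ -42,12` hunks `logger` is still declared with `let` although nothing in the visible lines reassigns it, while the `@@ -85,7` hunk uses `const` for the same expression; `const logger = ctx.context.log || graphqlLogger` in all three places would keep the sites consistent. The `|| graphqlLogger` fallback only covers a missing `log` property: if `ctx.context` were ever undefined the property access would throw before the fallback applies, which presumably cannot happen for an Apollo request context but is worth confirming since the old code read `ctx.log` directly. Each of these hunks sits inside a plugin hook whose body extends beyond the hunk.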
@@ -89,14 +89,18 @@ export async function authContextMiddleware(
 ) {
 const token = getTokenFromRequest(req)
 const authContext = await createAuthContextFromToken(token)
- req.log = req.log.child({ authContext })
+ const loggedContext = Object.fromEntries(
+ Object.entries(authContext).filter(
+ ([key]) => !['token'].includes(key.toLocaleLowerCase())
+ )
+ )
+ req.log = req.log.child({ authContext: loggedContext })
 if (!authContext.auth && authContext.err) {
 let message = 'Unknown Auth context error'
 let status = 500
 message = authContext.err?.message || message
 if (authContext.err instanceof UnauthorizedError) status = 401
 if (authContext.err instanceof ForbiddenError) status = 403
- req.log.warn('Auth context creation failed.')
 return res.status(status).json({ error: message })
 }
 req.context = authContext
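Review bot: The `loggedContext` filter in this hunk redacts only a key whose lower-cased name is exactly `token`, so any other field of authContext that carries credential material, or a nested object containing one, would still be written to the child logger; authContext's shape is not visible here, so if it has a small known set of fields, keeping an explicit list of loggable keys rather than excluding one name would be the more robust choice. Two smaller points on the same lines: `toLocaleLowerCase()` is locale-sensitive and `toLowerCase()` is the right call for comparing identifiers, and the single-element `['token'].includes(...)` reads more clearly as `([key]) => key.toLowerCase() !== 'token'`. The body of authContextMiddleware continues past the end of the hunk.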