From 134f8a28bfa792b4d15dc447cebe1a99aaec6302 Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Fri, 22 Nov 2019 11:40:36 +0100
Subject: [PATCH] Hide access tokens from logs
---
 src/server.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/server.js b/src/server.js
index c2c864a6a..3f3a65107 100644
--- a/src/server.js
+++ b/src/server.js
@@ -49,7 +49,16 @@ function initializeExpressSync() {
 app.enable('trust proxy');
 if (process.env.BOX_ENV !== 'test') {
- app.use(middleware.morgan('Box :method :url :status :response-time ms - :res[content-length]', {
+ app.use(middleware.morgan(function (tokens, req, res) {
+ return [
+ 'Box',
+ tokens.method(req, res),
+ tokens.url(req, res).replace(/(access_token=)[^\&]+/, '$1' + ''),
+ tokens.status(req, res),
+ tokens['response-time'](req, res), 'ms', '-',
+ tokens.res(req, res, 'content-length')
+ ].join(' ');
+ }, {
 immediate: false,
 // only log failed requests by default
 skip: function (req, res) { return res.statusCode < 400; }
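Review bot: The redaction regex on the `tokens.url(...)` line has no `g` flag, so `replace` rewrites only the first `access_token=` occurrence and a URL that carries the parameter more than once still writes a later value to the log; the match is also case-sensitive and tied to this one parameter name, so any other credential-bearing query parameter passes through unchanged. I would change the line to `tokens.url(req, res).replace(/(access_token=)[^&]+/g, '$1<redacted>'),` (the `\&` escape is unnecessary). As shown, the replacement `'$1' + ''` leaves a bare `access_token=`, so a visible placeholder tells an operator that a value was removed rather than never sent. Separately, a function formatter does not get the `-` fallback that morgan applies to empty tokens in a format string, so a missing status or `content-length` now joins as an empty field; `tokens.res(req, res, 'content-length') || '-'` keeps the line shape stable for log parsers. `initializeExpressSync` starts and ends outside the hunk.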