Logger not filtering password with custom log message

This is a new Phoenix 1.6.9 application. I’ve run phx.gen.auth and done the migrations.

I have added an info level log message to create/2 in user_session_controller.ex:

  require Logger

  ...

  def create(conn, %{"user" => user_params}) do
    Logger.info([
      "Processing with #{__MODULE__}.create/2\n",
      "  Parameters: #{inspect(user_params)}\n"
    ])
    ...
    end
  end

When I log in, I get the usual debug log message in the console:

[debug] Processing with TestWeb.UserSessionController.create/2
  Parameters: %{
    "_csrf_token" => "DkEAcycQfDEFQicnN1AoXlZXBBYaGSJxj5MG_DOI2ssnO8fgfaUurOHB",
    "user" => %{
      "email" => "tom@test.dk", 
      "password" => "[FILTERED]", 
      "remember_me" => "false"}}
  Pipelines: [:browser, :redirect_if_user_is_authenticated]

I also get my custom log message:

[info] Processing with Elixir.TestWeb.UserSessionController.create/2
  Parameters: %{
    "email" => "tom@test.dk",
    "password" => "Asdffasd1234", 
    "remember_me" => "false"}

However, in the first message the password is shown as [FILTERED], but in my own message the actual password is displayed.

Why is the filtering not being applied to my custom message?

https://hexdocs.pm/phoenix/Phoenix.Logger.html#module-parameter-filtering

This is not a general filtering logic for the inspect logic / logs.

1 Like