Logger not filtering password with custom log message

This is a new Phoenix 1.6.9 application. I’ve run phx.gen.auth and done the migrations.

I have added an info level log message to create/2 in user_session_controller.ex:

  require Logger

  ...

  def create(conn, %{"user" => user_params}) do
    Logger.info([
      "Processing with #{__MODULE__}.create/2\n",
      "  Parameters: #{inspect(user_params)}\n"
    ])
    ...
    end
  end

When I log in, I get the usual debug log message in the console:

[debug] Processing with TestWeb.UserSessionController.create/2
  Parameters: %{
    "_csrf_token" => "DkEAcycQfDEFQicnN1AoXlZXBBYaGSJxj5MG_DOI2ssnO8fgfaUurOHB",
    "user" => %{
      "email" => "tom@test.dk", 
      "password" => "[FILTERED]", 
      "remember_me" => "false"}}
  Pipelines: [:browser, :redirect_if_user_is_authenticated]

I also get my custom log message:

[info] Processing with Elixir.TestWeb.UserSessionController.create/2
  Parameters: %{
    "email" => "tom@test.dk",
    "password" => "Asdffasd1234", 
    "remember_me" => "false"}

However, in the first message the password is shown as [FILTERED], but in my own message the actual password is displayed.

Why is the filtering not being applied to my custom message?

https://hexdocs.pm/phoenix/Phoenix.Logger.html#module-parameter-filtering

This is not a general filtering logic for the inspect logic / logs.

It looks like it only filters Phoenix logs. Is there any way of filtering in my own logs?
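
One way to redact parameters in your own log calls, shown as an added example that is not part of the original thread and is not Phoenix's own code. `LogRedactor` and the sample parameter values are hypothetical; the default key list mirrors Phoenix's documented default of filtering `"password"`.

```elixir
# Added example. LogRedactor is a hypothetical helper, not a Phoenix module.
defmodule LogRedactor do
  @moduledoc "Recursively masks sensitive values before they are handed to Logger."

  @mask "[FILTERED]"

  # Keys are matched by substring; ["password"] mirrors Phoenix's default filter list.
  def redact(data, keys \\ ["password"])

  # Structs are returned as-is rather than walked field by field.
  def redact(%{__struct__: _} = struct, _keys), do: struct

  def redact(%{} = map, keys) do
    Map.new(map, fn {k, v} ->
      if sensitive?(k, keys), do: {k, @mask}, else: {k, redact(v, keys)}
    end)
  end

  # Lists of nested params (e.g. repeated form fields) are walked element by element.
  def redact(list, keys) when is_list(list), do: Enum.map(list, &redact(&1, keys))
  def redact(other, _keys), do: other

  # Substring match, so "password" also covers "password_confirmation".
  defp sensitive?(key, keys) when is_binary(key), do: String.contains?(key, keys)
  defp sensitive?(key, keys) when is_atom(key), do: sensitive?(Atom.to_string(key), keys)
  defp sensitive?(_key, _keys), do: false
end

require Logger

# Constructed sample input, shaped like the "user" params in the question.
user_params = %{
  "email" => "user@example.test",
  "password" => "not-a-real-password",
  "remember_me" => "false"
}

# Redact at the call site: the plaintext never becomes part of the log message.
Logger.info([
  "Processing with UserSessionController.create/2\n",
  "  Parameters: #{inspect(LogRedactor.redact(user_params))}\n"
])
```

The match is on key names only, so a secret stored under an unlisted key, or embedded inside a value, is still logged.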