Websocket token in logs - if using wss/TLS do I need to be concerned about the token leaking?

I’m implementing a websocket endpoint and planning to use a token-based authentication to allow connections to the socket.

If I am using wss and thus a TLS tunnel, do I need to be concerned about the token leaking if the token used for authentication is in the params and thus in the logs as follows:

[info] CONNECTED TO MyAppWeb.UserSocket in 10ms
  Transport: :websocket
  Serializer: Phoenix.Socket.V1.JSONSerializer
  Parameters: %{"token" => "123", "vsn" => "1.0.0"}

As an alternative, I considered putting it in the query param since proxies do not have access to the URL when there is a TLS tunnel, but I am using a token generated by Keycloak that may be too long as a query param.

Thanks in advance!

That depends on your threat model, are you expecting that your server logs will be leaked somehow? Or that your server will be broken into? If that happens, do you have bigger problems than the logs?

Of course, it’s better not to log them (one less thing to worry about). Since that logging is on level info, then by default in production it won’t be logged – Phoenix defaults to only logging error level messages. Though those might contain sensitive data as well, so it’s not a good idea to leave your logs unprotected.

I think there is a way to change the logging to filter things out of error logs, but I don’t know it offhand. Maybe a custom Logger backend?

You can use the :phoenix setting filter_parameters to scrub the auth token (or other sensitive params) from your log:

config :phoenix,
  filter_parameters: ["token"]

The connection log entry shows as:

CONNECTED TO Socket ... Parameters: %{"token" => "[FILTERED]", "vsn" => "2.0.0"}