Graphql-ruby: Hide password (or other fields) from Rails log.

Created on 29 Nov 2017 · 6 Comments · Source: rmosolgo/graphql-ruby

In a signInUser scenario like this: https://github.com/howtographql/graphql-ruby/blob/master/app/graphql/resolvers/sign_in_user.rb how can I hide the password (or other delicate data) from the Rails log?

Is there a way?

All 6 comments

Something in this file?

config/initializers/filter_parameter_logging.rb

@johnunclesam in most setups the query variables are sent through a POST request. By default, Rails doesn't store POST params in logs. Do you think this will be a problem or do the passwords actually show up? If the latter, I'm curious what your setup looks like and (especially) how you send data to the GraphQL queries.

I'm using POST request on localhost:3000/graphql and my question was about the "live log", for example the one in console if I run rails s.

In the .log file maybe you're right: POST params are not stored. But the log is a problem.

Interesting use case, but Rails' filter_parameters should just work if you send the password using the query variables field. When I query something with password as the key, Rails will remove it. Check:

Parameters: {"query"=>"{}", "variables"=>{"password"=>"[FILTERED]"}, "operationName"=>nil, "graphql"=>{"query"=>"{}", "variables"=>{"password"=>"[FILTERED]"}, "operationName"=>nil}}

So? How can I do it?

@Willianvdv is right, you should use variables to get fine-grained filtering. Otherwise, perhaps you could filter the _whole_ query parameter with

config.filter_parameters += [:query]

In the meantime, we're building a better printer in #1118 which can be used for fine-grained re-printing. Hope that helps!
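
The behaviour discussed in this thread, as an added example that is not part of the original comments and is not Rails' or graphql-ruby's code: a simplified stand-in for Rails' key-based parameter filter, showing that a password sent through variables is redacted, one written inline in the query document is not, and adding :query redacts the whole document. The signInUser argument names and all sample values are constructed.

```ruby
# Simplified stand-in for Rails' key-based parameter filtering (added example,
# not Rails' own code). Like config.filter_parameters, it matches on parameter
# names only and never looks inside string values.
FILTERED = "[FILTERED]"
SECRET = "hunter2" # constructed sample password

def filter_params(params, filters)
  patterns = filters.map do |f|
    f.is_a?(Regexp) ? f : Regexp.new(Regexp.escape(f.to_s), Regexp::IGNORECASE)
  end
  params.each_with_object({}) do |(key, value), out|
    out[key] =
      if patterns.any? { |p| p.match?(key.to_s) }
        FILTERED
      elsif value.is_a?(Hash)
        filter_params(value, filters)
      elsif value.is_a?(Array)
        value.map { |v| v.is_a?(Hash) ? filter_params(v, filters) : v }
      else
        value
      end
  end
end

# True if the secret would still appear in a log line built from these params.
def leaks?(logged)
  logged.inspect.include?(SECRET)
end

# Constructed request: password written as a literal inside the query document.
INLINE = {
  "query" => %(mutation { signInUser(email: "a@example.com", password: "#{SECRET}") { token } }),
  "variables" => {}
}

# Constructed request: password passed through the variables field.
WITH_VARIABLES = {
  "query" => "mutation($email: String!, $password: String!) " \
             "{ signInUser(email: $email, password: $password) { token } }",
  "variables" => { "email" => "a@example.com", "password" => SECRET }
}

puts "inline, [:password]:         #{filter_params(INLINE, [:password]).inspect}"
puts "variables, [:password]:      #{filter_params(WITH_VARIABLES, [:password]).inspect}"
puts "inline, [:password, :query]: #{filter_params(INLINE, [:password, :query]).inspect}"
```
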
