Custom object properties are not redacted. This is especially critical for the pino-http package. There the req object can't be redacted, so things like req.headers.authorization are always exposed to logs.
Example code:
const pino = require('pino')
const express = require('express')
const expressPino = require('express-pino-logger')
const logger = pino({
redact: {
paths: ['*.headers.authorization'],
},
})
const app = express()
app.use(
expressPino({
logger,
})
)
app.listen(8000)
Start the app and do a http request:
curl -H "authorization: Bearer test" http://localhost:8000.
You will see that req.headers.authorization is not redacted.
What happens is that the req object is never passed to log redaction, because it is not passed to the logger functions, but during child logger instantiation:
https://github.com/pinojs/pino-http/blob/d593aa6084f1fe70a506ad8f202fc7f339b87fb5/logger.js#L94
Would be great if pino would redact custom log properties.
Would you have time to send a PR? We are a bit strained in time for the coming weeks and I would love to get this solved sooner than that.
I _think_ the problem happens because we are not passing through redaction when calling child().
@mcollina I would like to take this issue
go for it!
@baterson Thank you very much for fixing this!