Obfuscating request headers directly on PSR compliant request instance

make it easier to configure request header/body obfuscation

Author: onlime

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 ## [v0.9.1 (Unreleased)](https://github.com/onlime/laravel-http-client-global-logger/compare/v0.9...main)
 
+- Introducing `HTTP_CLIENT_GLOBAL_LOGGER_OBFUSCATE_HEADERS` and `HTTP_CLIENT_GLOBAL_LOGGER_OBFUSCATE_BODY_KEYS` env vars for easier configuration of request header/body obfuscation.
+- Obfuscating request headers directly on PSR compliant request instance instead of applying regex replacements on formatted log message.
+
 ## [v0.9 (2021-07-12)](https://github.com/onlime/laravel-http-client-global-logger/releases/tag/v0.9)
 
 - Initial release

config/http-client-global-logger.php

@@ -98,9 +98,13 @@
     'obfuscate' => [
         'enabled' => env('HTTP_CLIENT_GLOBAL_LOGGER_OBFUSCATE_ENABLED', true),
         'replacement' => env('HTTP_CLIENT_GLOBAL_LOGGER_OBFUSCATE_REPLACEMENT', '**********'),
-        'patterns' => [
-            '/(?<="pass":").*(?=")/mU',
-            '/(?<=Authorization:\sBearer ).*/m',
-        ],
+        'headers' => explode(',', env(
+            'HTTP_CLIENT_GLOBAL_LOGGER_OBFUSCATE_HEADERS',
+            'Authorization'
+        )),
+        'body_keys' => explode(',', env(
+            'HTTP_CLIENT_GLOBAL_LOGGER_OBFUSCATE_BODY_KEYS',
+            'pass,password,token,apikey'
+        )),
     ]
 ];

src/Listeners/LogRequestSending.php

@@ -4,8 +4,8 @@
 
 use GuzzleHttp\MessageFormatter;
 use Illuminate\Http\Client\Events\RequestSending;
-use Illuminate\Support\Arr;
 use Illuminate\Support\Facades\Log;
+use Psr\Http\Message\RequestInterface;
 
 class LogRequestSending
 {
@@ -17,19 +17,52 @@ class LogRequestSending
      */
     public function handle(RequestSending $event)
     {
+        $obfuscate  = config('http-client-global-logger.obfuscate.enabled');
+        $psrRequest = $event->request->toPsrRequest();
+
+        if ($obfuscate) {
+            $psrRequest = $this->obfuscateHeaders($psrRequest);
+        }
+
         $formatter = new MessageFormatter(config('http-client-global-logger.format.request'));
-        $message = $formatter->format(
-            $event->request->toPsrRequest()
-        );
-
-        if (config('http-client-global-logger.obfuscate.enabled')) {
-            $message = preg_replace(
-                config('http-client-global-logger.obfuscate.patterns'),
-                config('http-client-global-logger.obfuscate.replacement'),
-                $message
-            );
+        $message = $formatter->format($psrRequest);
+
+        if ($obfuscate) {
+            foreach (config('http-client-global-logger.obfuscate.body_keys') as $key) {
+                $message = preg_replace(
+                    '/(?<="' . $key . '":").*(?=")/mU',
+                    config('http-client-global-logger.obfuscate.replacement'),
+                    $message
+                );
+            }
         }
 
         Log::channel(config('http-client-global-logger.channel'))->info($message);
     }
+
+    /**
+     * Obfuscate headers, e.g. Authorization header.
+     *
+     * @param RequestInterface $request
+     * @return RequestInterface
+     */
+    protected function obfuscateHeaders(RequestInterface $request): RequestInterface
+    {
+        $replacement = config('http-client-global-logger.obfuscate.replacement');
+
+        // TODO: Currently, there is no clean way of modifying the PendingRequest body, e.g. via Macros
+        // see https://stackoverflow.com/q/60603066/5982842
+        // Tried to modify data directly on HTTP Client Request object, but PsrRequest is already set
+        // $data = $request->data();
+        // data_set($data, 'params.pass', $replacement);
+        // $request = $request->withData($data);
+
+        foreach (config('http-client-global-logger.obfuscate.headers') as $name) {
+            if ($request->hasHeader($name)) {
+                $request = $request->withHeader($name, $replacement);
+            }
+        }
+
+        return $request;
+    }
 }