Merge branch 'v1.3-dev' as v1.3.1 v1.3.1
authorJustin Wind <justin.wind+git@gmail.com>
Fri, 5 Nov 2021 00:53:22 +0000 (17:53 -0700)
committerJustin Wind <justin.wind+git@gmail.com>
Fri, 5 Nov 2021 00:53:22 +0000 (17:53 -0700)
README.md
package-lock.json
package.json
src/logger.js
src/service.js
test/src/logger.js

index 20f61e0127860b27f6a99b71b8085366474efd9c..31e921e734302a5bc3a2d5f00600c42e7a672e49 100644 (file)
--- a/README.md
+++ b/README.md
@@ -38,6 +38,7 @@ One way of deploying this server is behind nginx, with the pm2 package to manage
   > 'use strict';
   > // Minimum required configuration settings
   > module.exports = {
+  >   encryptionSecret: 'this is a secret passphrase, it is pretty important to be unguessable',
   >   dingus: {
   >     selfBaseUrl: 'https://hub.squeep.com/',
   >   },
index 36a1d58a2953887ec836defb0d7fca7ed1765ed9..b7b05289dda500c089f404148c61c85bcb8b9901 100644 (file)
@@ -1,6 +1,6 @@
 {
   "name": "@squeep/websub-hub",
-  "version": "1.3.0",
+  "version": "1.3.1",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
       }
     },
     "@sinonjs/fake-timers": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-7.1.2.tgz",
-      "integrity": "sha512-iQADsW4LBMISqZ6Ci1dupJL9pprqwcVFTcOsEmQOEhW+KLCVn/Y4Jrvg2k19fIHCp+iFprriYPTdRcQR8NbUPg==",
+      "version": "8.1.0",
+      "resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-8.1.0.tgz",
+      "integrity": "sha512-OAPJUAtgeINhh/TAlUID4QTs53Njm7xzddaVlEs/SXwgtiD1tW22zAB/W1wdqfrpmikgaWQ9Fw6Ws+hsiRm5Vg==",
       "dev": true,
       "requires": {
         "@sinonjs/commons": "^1.7.0"
       "dev": true
     },
     "@squeep/api-dingus": {
-      "version": "git+https://git.squeep.com/squeep-api-dingus/#3cf325b9e87b66e16f05c9bcae769eea72b207ed",
-      "from": "git+https://git.squeep.com/squeep-api-dingus/#v1.2.1",
+      "version": "git+https://git.squeep.com/squeep-api-dingus/#47f38ca4c67e902ccef0b7114a0d144f476258bd",
+      "from": "git+https://git.squeep.com/squeep-api-dingus/#v1.2.2",
       "requires": {
         "mime-db": "^1.50.0",
         "uuid": "^8.3.2"
       "optional": true
     },
     "axios": {
-      "version": "0.23.0",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-0.23.0.tgz",
-      "integrity": "sha512-NmvAE4i0YAv5cKq8zlDoPd1VLKAqX5oLuZKs8xkJa4qi6RGn0uhCYFjWtHHC9EM/MwOwYWOs53W+V0aqEXq1sg==",
+      "version": "0.24.0",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-0.24.0.tgz",
+      "integrity": "sha512-Q6cWsys88HoPgAaFAVUb0WpPk0O8iTeisR9IMqy9G8AbO4NlpVknrnQS03zzF9PGAWgO3cgletO3VjV/P7VztA==",
       "requires": {
         "follow-redirects": "^1.14.4"
       }
       "optional": true
     },
     "better-sqlite3": {
-      "version": "7.4.3",
-      "resolved": "https://registry.npmjs.org/better-sqlite3/-/better-sqlite3-7.4.3.tgz",
-      "integrity": "sha512-07bKjClZg/f4KMVRkzWtoIvazVPcF1gsvVKVIXlxwleC2DxuIhnra3KCMlUT1rFeRYXXckot2a46UciF2d9KLw==",
+      "version": "7.4.4",
+      "resolved": "https://registry.npmjs.org/better-sqlite3/-/better-sqlite3-7.4.4.tgz",
+      "integrity": "sha512-CnK1JjchxbEumd2J6lqfzSG5nT4B/v+J9P0AKSm3NHSfcPsEGE4rHUp9lDlslJ1TL701RM7GWlTp3Pbacpn1/Q==",
       "optional": true,
       "requires": {
         "bindings": "^1.5.0",
-        "prebuild-install": "^6.0.1",
-        "tar": "^6.1.0"
+        "prebuild-install": "^6.1.4",
+        "tar": "^6.1.11"
       }
     },
     "binary-extensions": {
         "@sinonjs/text-encoding": "^0.7.1",
         "just-extend": "^4.0.2",
         "path-to-regexp": "^1.7.0"
+      },
+      "dependencies": {
+        "@sinonjs/fake-timers": {
+          "version": "7.1.2",
+          "resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-7.1.2.tgz",
+          "integrity": "sha512-iQADsW4LBMISqZ6Ci1dupJL9pprqwcVFTcOsEmQOEhW+KLCVn/Y4Jrvg2k19fIHCp+iFprriYPTdRcQR8NbUPg==",
+          "dev": true,
+          "requires": {
+            "@sinonjs/commons": "^1.7.0"
+          }
+        }
       }
     },
     "node-abi": {
-      "version": "2.30.0",
-      "resolved": "https://registry.npmjs.org/node-abi/-/node-abi-2.30.0.tgz",
-      "integrity": "sha512-g6bZh3YCKQRdwuO/tSZZYJAw622SjsRfJ2X0Iy4sSOHZ34/sPPdVBn8fev2tj7njzLwuqPw9uMtGsGkO5kIQvg==",
+      "version": "2.30.1",
+      "resolved": "https://registry.npmjs.org/node-abi/-/node-abi-2.30.1.tgz",
+      "integrity": "sha512-/2D0wOQPgaUWzVSVgRMx+trKJRC2UG4SUc4oCJoXx9Uxjtp0Vy3/kt7zcbxHF8+Z/pK3UloLWzBISg72brfy1w==",
       "optional": true,
       "requires": {
         "semver": "^5.4.1"
       }
     },
     "prebuild-install": {
-      "version": "6.1.3",
-      "resolved": "https://registry.npmjs.org/prebuild-install/-/prebuild-install-6.1.3.tgz",
-      "integrity": "sha512-iqqSR84tNYQUQHRXalSKdIaM8Ov1QxOVuBNWI7+BzZWv6Ih9k75wOnH1rGQ9WWTaaLkTpxWKIciOF0KyfM74+Q==",
+      "version": "6.1.4",
+      "resolved": "https://registry.npmjs.org/prebuild-install/-/prebuild-install-6.1.4.tgz",
+      "integrity": "sha512-Z4vpywnK1lBg+zdPCVCsKq0xO66eEV9rWo2zrROGGiRS4JtueBOdlB1FnY8lcy7JsUud/Q3ijUxyWN26Ika0vQ==",
       "optional": true,
       "requires": {
         "detect-libc": "^1.0.3",
       }
     },
     "sinon": {
-      "version": "11.1.2",
-      "resolved": "https://registry.npmjs.org/sinon/-/sinon-11.1.2.tgz",
-      "integrity": "sha512-59237HChms4kg7/sXhiRcUzdSkKuydDeTiamT/jesUVHshBgL8XAmhgFo0GfK6RruMDM/iRSij1EybmMog9cJw==",
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/sinon/-/sinon-12.0.1.tgz",
+      "integrity": "sha512-iGu29Xhym33ydkAT+aNQFBINakjq69kKO6ByPvTsm3yyIACfyQttRTP03aBP/I8GfhFmLzrnKwNNkr0ORb1udg==",
       "dev": true,
       "requires": {
         "@sinonjs/commons": "^1.8.3",
-        "@sinonjs/fake-timers": "^7.1.2",
+        "@sinonjs/fake-timers": "^8.1.0",
         "@sinonjs/samsam": "^6.0.2",
         "diff": "^5.0.0",
         "nise": "^5.1.0",
index 8f38d851ec3bbf2d2f2de8df2deff73d49d20544..8d71ea79bff7b530a3327a5dfc628ff1c99f15b7 100644 (file)
@@ -1,6 +1,6 @@
 {
   "name": "@squeep/websub-hub",
-  "version": "1.3.0",
+  "version": "1.3.1",
   "description": "A WebSub Hub server implementation.",
   "main": "server.js",
   "scripts": {
     "coverage-check"
   ],
   "dependencies": {
-    "@squeep/api-dingus": "git+https://git.squeep.com/squeep-api-dingus/#v1.2.1",
+    "@squeep/api-dingus": "git+https://git.squeep.com/squeep-api-dingus/#v1.2.2",
     "@squeep/indieauth-helper": "git+https://git.squeep.com/squeep-indieauth-helper/#v1.0.0",
     "@squeep/mystery-box": "git+https://git.squeep.com/squeep-mystery-box/#v1.0.1",
     "@squeep/web-linking": "git+https://git.squeep.com/squeep-web-linking/#v1.0.1",
-    "axios": "^0.23.0",
+    "axios": "^0.24.0",
     "feedparser": "^2.2.10",
     "htmlparser2": "^7.1.2",
     "iconv": "^3.0.1"
   },
   "optionalDependencies": {
     "argon2": "^0.28.2",
-    "better-sqlite3": "^7.4.3",
+    "better-sqlite3": "^7.4.4",
     "node-linux-pam": "^0.2.1",
     "pg-promise": "^10.11.1"
   },
@@ -56,6 +56,6 @@
     "mocha-steps": "^1.3.0",
     "nyc": "^15.1.0",
     "pre-commit": "^1.2.2",
-    "sinon": "^11.1.2"
+    "sinon": "^12.0.1"
   }
 }
index 934c7dadd24868bd52ebd3826c022ea715a89365..00edfb8bcc0ceae419bd5e54a47bc0bb9b8684c9 100644 (file)
@@ -66,6 +66,14 @@ class Logger {
   }
 
   payload(level, scope, message, data, ...other) {
+    // Try to keep credentials out of logs.
+    // This approach feels sort of jank, but it's better than nothing, for now.
+    if (data && data.ctx && data.ctx.parsedBody && data.ctx.parsedBody.credential) {
+      // Create copy of data
+      data = JSON.parse(JSON.stringify(data));
+      data.ctx.parsedBody.credential = '*'.repeat(data.ctx.parsedBody.credential.length);
+    }
+
     const now = new Date();
     return JSON.stringify({
       nodeId: this.nodeId,
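Review bot: The mask on the `credential = '*'.repeat(...)` line keeps the credential's length, so the log still reveals how long the secret is; a fixed mask such as `'********'` gives nothing away. The `JSON.parse(JSON.stringify(data))` copy also turns a logging call into a throw if `data` ever carries a circular reference or a BigInt, and it silently drops `undefined` values and functions from the whole logged object rather than just the credential; copying only the objects on the path to the masked field avoids both while still leaving the caller's `data` untouched. Only `data` is scrubbed — the `...other` arguments pass through as-is, which deserves a comment if that is intentional. payload's body continues past the end of the hunk.
```javascript
    // Try to keep credentials out of logs.
    // Copy only the objects on the path to the masked field so the caller's
    // data is left untouched and nothing else in the payload is altered.
    if (data && data.ctx && data.ctx.parsedBody && data.ctx.parsedBody.credential) {
      data = {
        ...data,
        ctx: {
          ...data.ctx,
          parsedBody: {
            ...data.ctx.parsedBody,
            credential: '********', // fixed width: do not reveal the secret's length
          },
        },
      };
    }
    // … unchanged: timestamp and JSON.stringify of the payload …
```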
index 1d9b8a0922af1b8699e7232fd078b5f244a66f8e..a0043f7d24caa49a71c85341dc4fadca6ea563d2 100644 (file)
@@ -181,8 +181,9 @@ class Service extends Dingus {
 
 
   /**
-   * Same as super.ingestBody, but if no body was sent, do not parse (and
+   * Similar to super.ingestBody, but if no body was sent, do not parse (and
    * thus avoid possible unsupported media type error).
+   * Also removes raw body from context, to simplify scrubbing sensitive data from logs.
    * @param {http.ClientRequest} req
    * @param {http.ServerResponse} res
    * @param {Object} ctx
@@ -192,6 +193,7 @@ class Service extends Dingus {
     const contentType = Dingus.getRequestContentType(req);
     if (ctx.rawBody) {
       this.parseBody(contentType, ctx);
+      delete ctx.rawBody;
     }
   }
 
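Review bot: `delete ctx.rawBody;` runs only after `this.parseBody(contentType, ctx)` returns, so when parsing throws (the unsupported-media-type case the JSDoc in the first hunk mentions) the raw body stays on `ctx` and can reach whatever logs that error, which is exactly what the removal is meant to prevent. Wrapping the call as `try { this.parseBody(contentType, ctx); } finally { delete ctx.rawBody; }` drops the raw body on both paths. ingestBody's signature lies between the two hunks and is not visible here, so I have assumed no other code in the method reads `ctx.rawBody` afterwards.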
index 2a205042f9b017df28980f206698e39817dca9fe..fc602aaec85eb086a4ac446b4f97fd5b7b16ef48 100644 (file)
@@ -48,4 +48,17 @@ describe('Logger', function () {
     logger = new Logger(config);
     logger.info();
   });
+
+  it('masks credentials', function () {
+    logger = new Logger(config);
+    logger.info('testScope', 'message', {
+      ctx: {
+        parsedBody: {
+          identity: 'username',
+          credential: 'password',
+        },
+      },
+    });
+  });
+
 }); // Logger
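Review bot: The new `it('masks credentials', ...)` case never inspects any output, so it passes whether or not the credential is masked; a regression in the masking code would not be caught. Since the logger hunk shows `payload` returning the JSON string, the case can check it directly: replace the `logger.info(...)` call with `const out = logger.payload('info', 'testScope', 'message', { ctx: { parsedBody: { identity: 'username', credential: 'password' } } });` and assert `!out.includes('password')` together with `out.includes('username')`, using whichever assertion helper this test file already imports. The enclosing describe block starts before the hunk.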