Ability to filter request input from being sent to Sentry

[dwightwatson]

Problem Statement

I would like an easy way to configure this integration from sending certain request input to Sentry. Right now the documentation suggests we use the before_send configuration option, but this has two issues.

1. It's a painful amount of code for something very simple. Plus, I couldn't find any ready to go documentation on how to implement it.

'before_send' => function (Event $event, ?EventHint $hint): ?Event {
    $request = $event->getRequest();

    if ($data = Arr::get($request, 'data')) {
        foreach (['password', 'password_confirmation'] as $field) {
            if (Arr::has($data, $field)) {
                $data[$field] = '[FILTERED]';
            }
        }

        $request['data'] = $data;

        $event->setRequest($request);
    }

    return $event;
},

2. It isn't supported when using config:cache. The docs suggest that I can use the callable array syntax but that doesn't seem to work for `before_send.

Symfony\Component\OptionsResolver\Exception\InvalidOptionsException 

The option "before_send" with value array is expected to be of type "callable", but is of type "array".

Solution Brainstorm

Simplest solution would be config option that accepts an array of field names that would be removed or filtered before being sent to Sentry.

'filter_fields' => ['password', 'password_confirmation'],

I note that Flare has more advanced options, including middleware that makes it easy to filter input and headers.

CensorRequestBodyFields::class => [
    'censor_fields' => [
        'password',
        'password_confirmation',
    ],
],
CensorRequestHeaders::class => [
    'headers' => [
        'API-KEY',
        'Authorization',
        'Cookie',
        'Set-Cookie',
        'X-CSRF-TOKEN',
        'X-XSRF-TOKEN',
    ]
]

[stayallive]

Hey @dwightwatson, you mention 1 issue here and a feature request.

The docs suggest that I can use the callable array syntax but that doesn't seem to work for `before_send.

Are you sure you followed the example to the letter? This works in all my testing so far, maybe you can share what you tried? A common thing is that it's overlooked that it needs to be a static function.

Simplest solution would be config option that accepts an array of field names that would be removed or filtered before being sent to Sentry.

I agree that that would be more elegant, happy to explore that path a bit further to see what we can cook up to make this a little simpler in the future!

[dwightwatson]

Hey @stayallive thanks for that.

You're right - I missed that it was a static method required. I had a regular public method and after fixing that it now works fine. That's my bad.

Would love to see this simplified further to remove the additional boilerplate. Plus, it seems like it would be beneficial for password and password_confirmation to be filtered by default on a fresh Laravel app.

[stayallive]

I'm at least glad that the static fixes the before_send! One solved.

I'm going to see if we can figure something out for not sending data to Sentry. I'm guessing you do know that these fields are filtered away server side (or on Relay) but that you don't even want to sent it?

I know we had some filtering option in past SDK versions so unsure if we would want to bring a version of that back.

[dwightwatson]

Yes - I have already added these as filtered on Sentry's side. In one app I'm dealing with some sensitive personal information and it seems better to me that this doesn't leave my server at all.