
chore: adding a logger masking filter #217

Open
wants to merge 4 commits into
base: main

Conversation


@staaldraad staaldraad commented Oct 1, 2024

What kind of change does this PR introduce?

Bug fix / feature

What is the current behavior?

INFO log lines may contain the access_token jwt

What is the new behavior?

Use a logging.Filter to redact JWT tokens that may be in log messages.
JWTs will be displayed as eyJh.REDACTED.2j7_78f where eyJh would be the full header and 2j7_78f would be the full signature.

$ python3 app.py
2024-10-01 12:44:53,590:INFO - Connection was successful
2024-10-01 12:44:53,777:INFO - Connection was successful
2024-10-01 12:44:53,778:INFO - send: {"topic": "realtime:test-broadcast", "event": "phx_join", "payload": {"config": {"broadcast": {"self": true}, "presence": {"key": ""}, "private": false, "postgres_changes": []}, "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.REDACTED.2j7_78fvwrR3Ok3zTWOrPmS4HgvAY8xWpMdTM7MX-bg"}, "ref": "1", "join_ref": "1"}
2024-10-01 12:44:54,780:INFO - send: {"topic": "realtime:test-broadcast", "event": "broadcast", "payload": {"type": "broadcast", "event": "test-event", "payload": {"message": "Event 1"}}, "ref": "2", "join_ref": "1"}
2024-10-01 12:44:54,781:INFO - send: {"topic": "realtime:test-broadcast", "event": "broadcast", "payload": {"type": "broadcast", "event": "test-event", "payload": {"message": "Event 2"}}, "ref": "3", "join_ref": "1"}

Additional context

Doesn't address the fact that logging set to DEBUG will have the JWT in the connection log line created by websockets.
Websocket DEBUG logs are also redacted after adding 053221b


etzelc commented Oct 1, 2024

Hi @staaldraad,
I suggest modifying the regex to match all characters allowed in a JWT according to their Base64url-Encoding specification (see RFC7515 - 2. Terminology: Base64url-Encoding https://datatracker.ietf.org/doc/html/rfc7515#section-2 ). This adds _ and -.

redact = r"(eyJ[A-Za-z0-9_-]*\.)([A-Za-z0-9_-]*)\."

Since the pattern is static, it might also be beneficial to precompile it.


etzelc commented Oct 1, 2024

For the DEBUG logs from websockets, it might be possible to apply the filter to the websocket logger as well. (untested)

websockets_logger = logging.getLogger('websockets')
websockets_logger.addFilter(TokenMaskingFilter())

@staaldraad (Author)

> For the DEBUG logs from websockets, it might be possible to apply the filter to the websocket logger as well. (untested)
>
> websockets_logger = logging.getLogger('websockets')
> websockets_logger.addFilter(TokenMaskingFilter())

Unfortunately it doesn't work in the current form because the websockets logging is coming in as logging.debug("%s : %s", args). So the filtering needs to be on record.args and not record.msg (msg is the "%s : %s"). However, when trying to filter record.args it ended up changing the values in the tuple, breaking websockets. I was probably doing something wrong, but I should also really be handing this to better devs than myself 😅
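A combined version of the two suggestions in this thread, written here as an added example and not code from this PR: etzelc's base64url-aware regex, precompiled, inside a filter that rewrites record.args as well as record.msg while keeping the tuple/dict shape and leaving non-string arguments untouched (the breakage staaldraad describes). The JWT value is constructed, and `format_with_filter` is a demonstration helper assumed here.

```python
import logging
import re

# Character class follows RFC 7515 base64url: A-Z a-z 0-9 '-' '_'.
# Only the payload (claims) segment is replaced; header and signature are
# kept so a token can still be correlated across log lines.
JWT_RE = re.compile(r"(eyJ[A-Za-z0-9_-]*\.)([A-Za-z0-9_-]+)(\.)")

# Constructed sample token (not a real credential).
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.abc-_123"


def redact_jwt(text):
    """Replace the payload segment of every JWT-looking string in text."""
    return JWT_RE.sub(r"\1REDACTED\3", text)


def _redact_value(value):
    # Only strings are rewritten; ints, objects, etc. pass through so that
    # "%d" / "%r" style placeholders in the message keep formatting correctly.
    return redact_jwt(value) if isinstance(value, str) else value


class TokenMaskingFilter(logging.Filter):
    """Redacts JWTs in record.msg and in record.args (tuple or dict)."""

    def filter(self, record):
        if isinstance(record.msg, str):
            record.msg = redact_jwt(record.msg)
        # logging stores a single mapping argument as a dict, otherwise a tuple;
        # preserve whichever shape was used so record.getMessage() still works.
        if isinstance(record.args, dict):
            record.args = {k: _redact_value(v) for k, v in record.args.items()}
        elif isinstance(record.args, tuple):
            record.args = tuple(_redact_value(a) for a in record.args)
        return True  # never drop the record, only rewrite it


def format_with_filter(msg, *args):
    """Demo helper: build a LogRecord, run the filter, return the rendered line."""
    record = logging.LogRecord("demo", logging.DEBUG, __file__, 0, msg, args, None)
    TokenMaskingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    print(format_with_filter("%s : %s", "send", SAMPLE_JWT))
    print(format_with_filter("token=%(tok)s", {"tok": SAMPLE_JWT}))
```

Note that a filter attached with `logger.addFilter` only sees records created on that exact logger, not records propagated from children such as `websockets.client`; attach it to the handler (or to each child logger) if those are the records that need masking.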

2 participants