534945f6e3
#36 CRITICAL: add .max(128) to all password Zod schemas to prevent Argon2-based DoS from unbounded password strings. #46 HIGH: configure pino redact paths so passwords/tokens/cookies/TOTP secrets are never serialized in logs. #58 MEDIUM: upgrade dompurify to ^3.4.0 and add pnpm overrides for brace-expansion (>=5.0.5) and esbuild (>=0.25.0) to patch known CVEs. Vite moderate (path traversal, dev-only) remains — requires vitest 3.x major upgrade, deferred. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
import pino from "pino";
/**
 * True when the process runs with NODE_ENV=production.
 *
 * Selects which of the two logger configurations below is built: the
 * production one (no explicit destination, pino defaults) or the
 * development one (synchronous stdout destination, label-style levels).
 */
const nodeEnv = process.env["NODE_ENV"];
const isProduction: boolean = nodeEnv === "production";

/**
 * Minimum level that will be emitted, taken from LOG_LEVEL; "info" when
 * the variable is unset.
 *
 * The value is handed to pino unvalidated on purpose: a misspelled level
 * should fail at start-up rather than be silently mapped to a default,
 * since a silent fallback could change how much (sensitive) detail gets
 * logged. NOTE(review): relies on pino rejecting unknown level names when
 * the logger is constructed — confirm for the pinned pino version.
 */
const configuredLevel = process.env["LOG_LEVEL"];
const LOG_LEVEL = configuredLevel === undefined ? "info" : configuredLevel;
/**
 * Development-only log sink: pino's own destination stream on file
 * descriptor 1 (stdout), written synchronously so buffered lines are not
 * lost if the dev process dies mid-write. Only the non-production branch
 * of `logger` below passes it to pino; production keeps pino's default
 * destination.
 */
const devDestination = pino.destination({
  sync: true, // synchronous writes; nothing left in an async buffer on crash
  dest: 1, // fd 1 = stdout
});
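/**
 * Property names that must never be serialised into a log line in clear.
 *
 * Matching is by exact, case-sensitive key: `token` does not cover
 * `idToken` or `csrf_token`. NOTE(review): extend this list whenever a new
 * secret-bearing field is added to a request/response/domain object.
 */
const SENSITIVE_KEYS = [
  "password",
  "newPassword",
  "currentPassword",
  "passwordHash",
  "token",
  "accessToken",
  "refreshToken",
  "apiKey",
  "authorization",
  "cookie",
  "totp",
  "totpSecret",
  "secret",
] as const;

/**
 * How many wildcard segments deep a sensitive key is still redacted.
 *
 * pino's redaction (fast-redact) wildcards match exactly one path segment,
 * so `*.password` covers `body.password` but not `req.body.password`; a
 * depth of 2 emits `key`, `*.key` and `*.*.key` for every key. The previous
 * hand-written list only gave `password` and `token` the two-level form,
 * so e.g. a logged `{ req: { body: { newPassword } } }` was serialised in
 * clear text.
 */
const REDACT_DEPTH = 2;

/**
 * Explicit header paths kept alongside the generated wildcards:
 * `set-cookie` needs bracket notation because of the hyphen, and the
 * `req.headers.*` entries stay correct even if REDACT_DEPTH is lowered.
 * Node's http layer exposes incoming header names lowercased, so the
 * lowercase `authorization`/`cookie` keys are the right ones to match.
 * NOTE(review): `res.headers` is only present if the `res` serializer in
 * use exposes response headers — confirm against the serializer config.
 */
const HEADER_PATHS: readonly string[] = [
  "req.headers.authorization",
  "req.headers.cookie",
  'res.headers["set-cookie"]',
];

/**
 * Expands each sensitive key into `key`, `*.key`, … up to `depth`
 * leading wildcard segments, de-duplicated, preserving first-seen order.
 *
 * @param keys  property names to redact
 * @param depth maximum number of leading `*.` segments (0 = top level only)
 * @returns the expanded fast-redact path list
 */
function buildRedactPaths(keys: readonly string[], depth: number): string[] {
  const paths = new Set<string>();
  for (const key of keys) {
    for (let level = 0; level <= depth; level++) {
      paths.add(`${"*.".repeat(level)}${key}`);
    }
  }
  return [...paths];
}

/**
 * Full pino `redact.paths` list: wildcard-expanded sensitive keys plus the
 * explicit header paths. A strict superset of the former hand-written list.
 *
 * Caveat: redaction only inspects object paths of the merge object. A
 * secret interpolated into the message string
 * (`logger.info(\`token=${t}\`)`) is NOT redacted — log secrets, if at
 * all, as object properties under one of the keys above.
 */
const REDACT_PATHS: string[] = [
  ...buildRedactPaths(SENSITIVE_KEYS, REDACT_DEPTH),
  ...HEADER_PATHS,
];

/** pino `redact` option: matched values are replaced by the censor string, not removed. */
const redactConfig = { paths: REDACT_PATHS, censor: "[REDACTED]" };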
/**
 * Options shared by both environments. Redaction is deliberately applied
 * in development as well as production, so a dev console never shows
 * credentials either. `base` replaces pino's default bindings with a
 * single `service` tag.
 */
const sharedOptions = {
  level: LOG_LEVEL,
  base: { service: "capakraken-api" },
  redact: redactConfig,
};

/**
 * Builds the process-wide logger for the current environment.
 *
 * Production: shared options only, pino's default destination.
 * Development: same options plus a `level` formatter that writes the level
 * label (e.g. "info") instead of pino's numeric level, and the synchronous
 * stdout destination defined above.
 */
function buildLogger() {
  if (isProduction) {
    return pino(sharedOptions);
  }
  return pino(
    {
      ...sharedOptions,
      formatters: {
        level(label: string) {
          return { level: label };
        },
      },
    },
    devDestination,
  );
}

/** The application logger; import this rather than constructing pino elsewhere. */
export const logger = buildLogger();

/** Type of the shared logger, for functions that accept or return it. */
export type Logger = typeof logger;