Mask request and response logs from HTTP client #5642

Open
sato9818 opened this issue Apr 26, 2024 · 1 comment

Comments

@sato9818
Contributor

We can use a decorator to output request and response logs from an HTTP client, as shown below:

.decorator(
    LoggingClient.builder()
        .logWriter(
            LogWriter.builder().logFormatter(
                LogFormatter
                    .builderForText()
                    .requestContentSanitizer(new LoggingSanitizer())
                    .responseContentSanitizer(new LoggingSanitizer())
                    .build()
            )
            .failureResponseLogLevel(LogLevel.ERROR)
            .build()
        )
        .newDecorator()
)

We sometimes want to mask some fields in the request content which include sensitive information.

We could use the builderForJson() method alongside Jackson to convert the request content into JsonNode, allowing us to mask specific fields. With this method, we need to manually list the fields that we want to mask in a setting file or elsewhere, which I think might lead to misspellings and inadvertently expose sensitive information in the logs.

I think we need a way to verify that the fields we specify in the settings file exist in the request content. I believe that other methods, such as attaching a custom annotation to sensitive fields, would be better.

@trustin suggested an idea: implementing a parser that specializes in sanitization, i.e. don't parse everything but just replace a value at a certain location (e.g. foo.bar.baz)

@trustin
Member

trustin commented May 3, 2024

Another idea: Introduce an annotation like @Mask and make Jackson (or the JSON serializer of choice) mask the annotated field during the serialization.
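
The `@Mask` idea from the comment above, as an added example that is not Armeria's code or code from either commenter: a hypothetical `Mask` annotation is honoured only by a separate logging `ObjectMapper` through a custom Jackson annotation introspector, so the body serialized for the wire is unchanged and there is no field-name list to misspell. `MaskDemo`, `Mask`, `MaskSerializer`, `MaskIntrospector` and `LoginRequest` are assumed names, the sample values are constructed, and wiring the logging mapper into a content sanitizer is left out.

```java
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.introspect.Annotated;
import com.fasterxml.jackson.databind.introspect.JacksonAnnotationIntrospector;
import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

public class MaskDemo {
    // Hypothetical marker annotation; not part of Armeria or Jackson.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.FIELD, ElementType.METHOD})
    public @interface Mask {}

    // Writes a fixed placeholder instead of the real value, whatever its type.
    public static class MaskSerializer extends JsonSerializer<Object> {
        @Override
        public void serialize(Object value, JsonGenerator gen, SerializerProvider sp) throws IOException {
            gen.writeString("****");
        }
    }

    // Installed only on the logging mapper, so wire serialization is unaffected.
    public static class MaskIntrospector extends JacksonAnnotationIntrospector {
        @Override
        public Object findSerializer(Annotated a) {
            return a.hasAnnotation(Mask.class) ? MaskSerializer.class : super.findSerializer(a);
        }
    }

    // Constructed sample request type with one sensitive field.
    public static class LoginRequest {
        public String user = "alice";
        @Mask public String password = "s3cr3t";
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper wireMapper = new ObjectMapper();
        ObjectMapper logMapper = new ObjectMapper().setAnnotationIntrospector(new MaskIntrospector());
        LoginRequest req = new LoginRequest();
        System.out.println(wireMapper.writeValueAsString(req)); // real password, as sent
        System.out.println(logMapper.writeValueAsString(req));  // password replaced by the placeholder
    }
}
```

Because the annotation sits on the field itself, renaming the field cannot silently drop it from the mask set, which is the failure mode the issue describes for a hand-maintained field list.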
