Pino Redact does not work with Pino HTTP customAttributeKeys.

[sethtomy]

I currently am using pino-http to map to an ECS format. When doing so though my redactions are not taking place.

redact: {
    paths: ['http.request.headers.authorization'],
    censor: '***REDACTED***',
  },
  customAttributeKeys: {
    req: 'http.request',
  },

[mcollina]

Thanks for reporting!

Can you provide steps to reproduce? We often need a reproducible example, e.g. some code that allows someone else to recreate your problem by just copying and pasting it. If it involves more than a couple of different file, create a new repository on GitHub and add a link to that.

[sethtomy]

Hey @mcollina, glad to help! It's quite small to reproduce so I'll post here. If it's too much trouble I'm more than happy to put in a repo as well, just lmk.

const http = require('http');
const server = http.createServer(handle);

// "pino-http": "^8.2.0"
const logger = require('pino-http')({
    redact: {
        paths: ['http.request.headers.authorization'],
        censor: '***REDACTED***',
    },
    customAttributeKeys: {
        req: 'http.request',
    },
});

function handle(req, res) {
    logger(req, res)
    req.log.info('hello');
    res.end('world');
}

server.listen(3000)

curl localhost:3000 -v -H "Authorization: Basic foo.bar"

# results in server logs
{..."http.request":{..."headers":{..."authorization":"Basic foo.bar"...}

[sethtomy]

^ Not sure if it helps but using the pre "customAttributeKeys" path does not redact either.

Additionally if you think it's low hanging fruit for an open source newbie feel free to point me in the direction and I'll make an attempt at it.

[mcollina]

I'm not using this module.. if you'd like this fixed I'd love to review a PR.

[baterson]

@sethtomy Your example doesn't work because pino assumes that it should redact an object with the given structure:
{ http: { request: { headers: { authorization: "" }}}}
But in your case it's:
{ "http.request": { headers: { authorization: "" }}}

So to make it work, you just need to rewrite the path or use a key without dots in name:

redact: {
    paths: ['["http.request"].headers.authorization'],
    censor: '***REDACTED***',
},
customAttributeKeys: {
    req: 'http.request',
},

[RohitRox]

I had a same use case. I think you need to pass pino logger instance with redact options to pino-http

This is what I have thats working for me for an express based server

const logger = require('pino-http')({
  logger: pino({
     redact: ['req.headers.authorization'],
  }),
})

You can just update the path req.headers.authorization with your path http.request.headers.authorization

[sethtomy]

@RohitRox thank you for responding. Unfortunately that does not seem to work in combination with "customAttributeKeys".

@baterson that works perfectly! If you don't mind, for my curiosity, I'm interested in how that's working. A took ~ an hour to look into the issue myself but Streams unfortunately are not my strong suit (I need to learn :)) How is the dot notation for 'http.request.headers.authorization' structurally different from '["http.request"].headers.authorization'. Is there something special around that first "http.request" key?