API tokens should be anonymized/removed in error context

[jaimeiniesta]

For errors in API requests where authorization is done with a bearer token, this token should be removed or filtered out before saving to DB. For example, in this context:

{
  "request.headers": {
    "accept": "application/json, text/plain, */*",
    "authorization": "Bearer 12341234"
  },
  "request.host": "example.com",
  "request.path": "/api/v1/reports"
}

I should not be able to see Bearer 12341234 and instead I'd expect something like Bearer REMOVED or no authorization details at all.

[jaimeiniesta]

Something that would work in my case is some behaviour that I can implement, similar to the Pruner, that would let me review the context before being saved to DB and let me automate modifying it. In my case it would look for request.headers.authorization and replace its value with "REMOVED", or maybe do a search and replace it with "READ-ONLY TOKEN FOR USER 1234"

[crbelaus]

This makes a lot of sense and is definitely on the roadmap. Thanks for reporting this issue @jaimeiniesta