Redact Authorization from logs (#59)

Headers are often represented with this capitalisation.

At some point we may have to bite the bullet and ratify aggressive
redaction in a package that wraps Pino (e.g. `logger-js`).

.changeset/cold-ghosts-poke.md

@@ -0,0 +1,5 @@
+---
+'skuba': patch
+---
+
+**template:** Redact `Authorization` headers in logs

template/koa-rest-api/src/framework/logging.ts

@@ -20,9 +20,12 @@ export const rootLogger = pino({
   redact: {
     censor: '🤿 REDACTED 🚩',
     paths: [
+      'err.config.headers.Authorization',
       'err.config.headers.authorization',
       'err.request.headers.authorization',
+      'err.request.config.headers.Authorization',
       'err.request.config.headers.authorization',
+      'err.response.config.headers.Authorization',
       'err.response.config.headers.authorization',
       'err.response.headers.authorization',
       'err.response.request.headers.authorization',

template/lambda-sqs-worker/src/app.test.ts

@@ -63,45 +63,53 @@ describe('handler', () => {
   it('throws on invalid input', () => {
     const event = createSqsEvent(['}']);
 
-    return expect(app.handler(event, ctx)).rejects.toThrow('');
+    return expect(app.handler(event, ctx)).rejects.toThrow('invoke error');
   });
 
-  it('bubbles up scoring service error', () => {
+  it('bubbles up scoring service error', async () => {
     const err = Error(chance.sentence());
 
     scoringService.request.mockRejectedValue(err);
 
     const event = createSqsEvent([JSON.stringify(jobPublished)]);
 
-    return expect(app.handler(event, ctx)).rejects.toThrow(err);
+    await expect(app.handler(event, ctx)).rejects.toThrow('invoke error');
+
+    expect(contextLogger.error).toBeCalledWith({ err }, 'request');
   });
 
-  it('bubbles up SNS error', () => {
+  it('bubbles up SNS error', async () => {
     const err = Error(chance.sentence());
 
     sns.publish.mockPromise(Promise.reject(err));
 
     const event = createSqsEvent([JSON.stringify(jobPublished)]);
 
-    return expect(app.handler(event, ctx)).rejects.toThrow(err);
+    await expect(app.handler(event, ctx)).rejects.toThrow('invoke error');
+
+    expect(contextLogger.error).toBeCalledWith({ err }, 'request');
   });
 
-  it('throws on zero records', () => {
+  it('throws on zero records', async () => {
+    const err = new Error('received 0 records');
+
     const event = createSqsEvent([]);
 
-    return expect(app.handler(event, ctx)).rejects.toThrow(
-      'received 0 records',
-    );
+    await expect(app.handler(event, ctx)).rejects.toThrow('invoke error');
+
+    expect(contextLogger.error).toBeCalledWith({ err }, 'request');
   });
 
-  it('throws on multiple records', () => {
+  it('throws on multiple records', async () => {
+    const err = new Error('received 2 records');
+
     const event = createSqsEvent([
       JSON.stringify(jobPublished),
       JSON.stringify(jobPublished),
     ]);
 
-    return expect(app.handler(event, ctx)).rejects.toThrow(
-      'received 2 records',
-    );
+    await expect(app.handler(event, ctx)).rejects.toThrow('invoke error');
+
+    expect(contextLogger.error).toBeCalledWith({ err }, 'request');
   });
 });

template/lambda-sqs-worker/src/framework/handler.test.ts

@@ -38,7 +38,7 @@ describe('createHandler', () => {
 
     const handler = createHandler(() => Promise.reject(err));
 
-    await expect(handler(input, ctx)).rejects.toThrow(err);
+    await expect(handler(input, ctx)).rejects.toThrow('invoke error');
 
     expect(contextLogger.error.mock.calls).toEqual([[{ err }, 'request']]);
 
@@ -52,7 +52,7 @@ describe('createHandler', () => {
       throw err;
     });
 
-    await expect(handler(input, ctx)).rejects.toThrow(err);
+    await expect(handler(input, ctx)).rejects.toThrow('invoke error');
 
     expect(contextLogger.error.mock.calls).toEqual([[{ err }, 'request']]);
 

template/lambda-sqs-worker/src/framework/handler.ts

@@ -20,6 +20,6 @@ export const createHandler = <Event, Output = unknown>(
 
       logger.error({ err }, 'request');
 
-      throw err;
+      throw new Error('invoke error');
     }
   };

template/lambda-sqs-worker/src/framework/logging.ts

@@ -21,9 +21,12 @@ export const rootLogger = pino({
   redact: {
     censor: '🤿 REDACTED 🚩',
     paths: [
+      'err.config.headers.Authorization',
       'err.config.headers.authorization',
       'err.request.headers.authorization',
+      'err.request.config.headers.Authorization',
       'err.request.config.headers.authorization',
+      'err.response.config.headers.Authorization',
       'err.response.config.headers.authorization',
       'err.response.headers.authorization',
       'err.response.request.headers.authorization',