Also apply body keys obfuscation to response body

onlime · onlime · commit c7b5e2edd868 · 2025-06-16T21:37:11.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # CHANGELOG
 
-## [v1.2.x (Unreleased)](https://github.com/onlime/laravel-http-client-global-logger/compare/v1.2.2...main)
+## [v1.2.x (Unreleased)](https://github.com/onlime/laravel-http-client-global-logger/compare/v1.2.3...main)
+
+## [v1.2.3 (2025-06-16)](https://github.com/onlime/laravel-http-client-global-logger/compare/v1.2.2...v1.2.3)
+
+- [Security] Body key obfuscation (`obfuscate.body_keys` config) is now also applied to response body, both for JSON or form-styled content.
 
 ## [v1.2.2 (2025-06-16)](https://github.com/onlime/laravel-http-client-global-logger/compare/v1.2.1...v1.2.2)
 
diff --git a/config/http-client-global-logger.php b/config/http-client-global-logger.php
@@ -10,7 +10,7 @@
     | Whether or not logging should be enabled/disabled.
     |
     */
-    'enabled' => env('HTTP_CLIENT_GLOBAL_LOGGER_ENABLED', true),
+    'enabled' => (bool) env('HTTP_CLIENT_GLOBAL_LOGGER_ENABLED', true),
 
     /*
     |--------------------------------------------------------------------------
@@ -24,7 +24,7 @@
     | channel name.
     |
     */
-    'mixin' => env('HTTP_CLIENT_GLOBAL_LOGGER_MIXIN', false),
+    'mixin' => (bool) env('HTTP_CLIENT_GLOBAL_LOGGER_MIXIN', false),
 
     /*
     |--------------------------------------------------------------------------
@@ -96,7 +96,7 @@
     | Obfuscation only works if you have disabled 'mixin' above, which is the default.
     */
     'obfuscate' => [
-        'enabled' => env('HTTP_CLIENT_GLOBAL_LOGGER_OBFUSCATE_ENABLED', true),
+        'enabled' => (bool) env('HTTP_CLIENT_GLOBAL_LOGGER_OBFUSCATE_ENABLED', true),
         'replacement' => env('HTTP_CLIENT_GLOBAL_LOGGER_OBFUSCATE_REPLACEMENT', '**********'),
         'headers' => explode(',', env(
             'HTTP_CLIENT_GLOBAL_LOGGER_OBFUSCATE_HEADERS',
@@ -123,8 +123,8 @@
     | request: X-Global-Logger-Trim-Always (set it to any value, e.g. 'true').
     */
     'trim_response_body' => [
-        'enabled' => env('HTTP_CLIENT_GLOBAL_LOGGER_TRIM_RESPONSE_BODY_ENABLED', false),
-        'limit' => env('HTTP_CLIENT_GLOBAL_LOGGER_TRIM_RESPONSE_BODY_LIMIT', 200),
+        'enabled' => (bool) env('HTTP_CLIENT_GLOBAL_LOGGER_TRIM_RESPONSE_BODY_ENABLED', false),
+        'limit' => (int) env('HTTP_CLIENT_GLOBAL_LOGGER_TRIM_RESPONSE_BODY_LIMIT', 200),
         'content_type_whitelist' => explode(',', env(
             'HTTP_CLIENT_GLOBAL_LOGGER_TRIM_RESPONSE_BODY_CONTENT_TYPE_WHITELIST',
             ',application/json'
diff --git a/src/Listeners/LogRequestSending.php b/src/Listeners/LogRequestSending.php
@@ -1,17 +1,22 @@
 <?php
 
+declare(strict_types=1);
+
 namespace Onlime\LaravelHttpClientGlobalLogger\Listeners;
 
 use GuzzleHttp\MessageFormatter;
 use Illuminate\Http\Client\Events\RequestSending;
 use Illuminate\Support\Facades\Log;
 use Onlime\LaravelHttpClientGlobalLogger\EventHelper;
 use Onlime\LaravelHttpClientGlobalLogger\HttpClientLogger;
+use Onlime\LaravelHttpClientGlobalLogger\Traits\ObfuscatesBody;
 use Psr\Http\Message\RequestInterface;
 use Saloon\Laravel\Events\SendingSaloonRequest;
 
 class LogRequestSending
 {
+    use ObfuscatesBody;
+
     /**
      * Handle the event if the HTTP Client global request middleware was not added manually
      * with HttpClientLogger::addRequestMiddleware(). Always handle it for Saloon requests.
@@ -46,25 +51,11 @@ public function handleEvent(RequestSending|SendingSaloonRequest $event): void
         $message = $formatter->format($psrRequest);
 
         if ($obfuscate) {
-            $replacement = config('http-client-global-logger.obfuscate.replacement');
-            foreach (config('http-client-global-logger.obfuscate.body_keys') as $key) {
-                $quoted = preg_quote($key, '/');
-                // JSON-style: "key":"value"
-                $message = preg_replace(
-                    '/(?<="'.$quoted.'":")[^"]*(?=")/mU',
-                    $replacement,
-                    $message
-                );
-                // form-style: key=value (until & or end)
-                $message = preg_replace(
-                    '/(?<=\b'. $quoted .'=)[^&]*(?=&|$)/',
-                    $replacement,
-                    $message
-                );
-            }
+            $message = $this->obfuscateBody($message);
         }
 
-        Log::channel(config('http-client-global-logger.channel'))->info($message);
+        Log::channel(config('http-client-global-logger.channel'))
+            ->info($message);
     }
 
     /**
diff --git a/src/Listeners/LogResponseReceived.php b/src/Listeners/LogResponseReceived.php
@@ -1,5 +1,7 @@
 <?php
 
+declare(strict_types=1);
+
 namespace Onlime\LaravelHttpClientGlobalLogger\Listeners;
 
 use GuzzleHttp\MessageFormatter;
@@ -9,11 +11,14 @@
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Str;
 use Onlime\LaravelHttpClientGlobalLogger\EventHelper;
+use Onlime\LaravelHttpClientGlobalLogger\Traits\ObfuscatesBody;
 use Psr\Http\Message\MessageInterface;
 use Saloon\Laravel\Events\SentSaloonRequest;
 
 class LogResponseReceived
 {
+    use ObfuscatesBody;
+
     /**
      * Handle the event.
      */
@@ -25,13 +30,21 @@ public function handle(ResponseReceived|SentSaloonRequest $event): void
 
         $formatter = new MessageFormatter(config('http-client-global-logger.format.response'));
         $psrRequest = EventHelper::getPsrRequest($event);
-        Log::channel(config('http-client-global-logger.channel'))->info($formatter->format(
+
+        $message = $formatter->format(
             $psrRequest,
             $this->trimBody(
                 EventHelper::getPsrResponse($event),
                 $psrRequest->hasHeader('X-Global-Logger-Trim-Always')
             )
-        ));
+        );
+
+        if (config('http-client-global-logger.obfuscate.enabled')) {
+            $message = $this->obfuscateBody($message);
+        }
+
+        Log::channel(config('http-client-global-logger.channel'))
+            ->info($message);
     }
 
     /**
diff --git a/src/Traits/ObfuscatesBody.php b/src/Traits/ObfuscatesBody.php
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Onlime\LaravelHttpClientGlobalLogger\Traits;
+
+use GuzzleHttp\MessageFormatter;
+use GuzzleHttp\Middleware;
+use Illuminate\Http\Client\PendingRequest;
+use Illuminate\Support\Facades\Log;
+use Monolog\Logger;
+
+trait ObfuscatesBody
+{
+    protected function obfuscateBody(string $message): string
+    {
+        $replacement = config('http-client-global-logger.obfuscate.replacement');
+
+        foreach (config('http-client-global-logger.obfuscate.body_keys') as $key) {
+            $quoted = preg_quote($key, '/');
+            // JSON-style: "key":"value"
+            $message = preg_replace(
+                '/(?<="'.$quoted.'":")[^"]*(?=")/mU',
+                $replacement,
+                $message
+            );
+            // form-style: key=value (until & or end)
+            $message = preg_replace(
+                '/(?<=\b'. $quoted .'=)[^&]*(?=&|$)/',
+                $replacement,
+                $message
+            );
+        }
+
+        return $message;
+    }
+}
diff --git a/tests/HttpClientLoggerTest.php b/tests/HttpClientLoggerTest.php
@@ -154,11 +154,11 @@ function setupLogger(): MockInterface
         ->get('https://example.com');
 })->with([true, false]);
 
-it('obfuscates header and body keys', function (string $body, string $expected) {
+it('obfuscates request header and body', function (string $body, string $expected) {
     $logger = setupLogger();
 
     $logger->shouldReceive('info')->withArgs(function ($message) use ($expected) {
-        expect($message)->toContain('REQUEST: GET https://example.com')
+        expect($message)->toContain('REQUEST: POST https://example.com')
             ->and($message)->toContain('Authorization: **********')
             ->and($message)->toContain($expected);
         return true;
@@ -175,15 +175,47 @@ function setupLogger(): MockInterface
         ]),
     ])->withHeader('Authorization', 'Bearer 123')
         ->withBody($body)
-        ->get('https://example.com');
+        ->post('https://example.com');
 })->with([
     'json-style' => [
         '{"key":"value","apikey":"s3cr3tK3y","token":"s0meT0k3n"}',
         '{"key":"value","apikey":"**********","token":"**********"}',
     ],
     // OpenID Connect example for POST /token endpoint
     // see https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
-    'openid-connect' => [
+    'form-style-openid' => [
+        'grant_type=refresh_token&refresh_token=r3fr3shT0k3n&client_id=1234&client_secret=53cr3t',
+        'grant_type=refresh_token&refresh_token=**********&client_id=1234&client_secret=**********',
+    ],
+]);
+
+it('obfuscates response body', function (string $body, string $expected) {
+    $logger = setupLogger();
+
+    $logger->shouldReceive('info')->withArgs(function ($message) use ($expected) {
+        expect($message)->toContain('REQUEST: POST https://example.com')
+            ->and($message)->toContain($expected);
+        return true;
+    })->once();
+
+    $logger->shouldReceive('info')->withArgs(function ($message) use ($expected) {
+        expect($message)->toContain('RESPONSE: HTTP/1.1 200 OK')
+            ->and($message)->toContain($expected);
+        return true;
+    })->once();
+
+    Http::fake([
+        '*' => Http::response($body, 200, [
+            'Content-Type' => 'application/json',
+        ]),
+    ])->withBody($body)
+        ->post('https://example.com');
+})->with([
+    'json-style-openid' => [
+        '{"access_token":"s0meT0k3n-1","expires_in":300,"refresh_token":"s0meT0k3n-2","token_type":"Bearer","id_token":"s0meT0k3n-3","session_state":"1234-56","scope":"foo bar"}',
+        '{"access_token":"**********","expires_in":300,"refresh_token":"**********","token_type":"Bearer","id_token":"**********","session_state":"1234-56","scope":"foo bar"}',
+    ],
+    'form-style' => [
         'grant_type=refresh_token&refresh_token=r3fr3shT0k3n&client_id=1234&client_secret=53cr3t',
         'grant_type=refresh_token&refresh_token=**********&client_id=1234&client_secret=**********',
     ],
