Unable to use `no_logging` on admin login view

[wesleyjellis]

I'm trying to avoid logging the login request for the default django admin site, since it contains a password in the request body. Is there a way to apply the no_logging decorator to an arbitrary view?

I tried manually setting the NO_LOGGING_ATTR on django.contrib.admin.sites.login (source) which is passed as the view/func to _should_log_route like so:

from django.contrib.admin.sites import site

from request_logging.middleware import NO_LOGGING_ATTR, NO_LOGGING_MSG_ATTR

def no_log_admin_login():
    setattr(site.login, NO_LOGGING_ATTR, True)
    setattr(site.login, NO_LOGGING_MSG_ATTR, "Admin login view contains password")

but this fails with AttributeError: 'method' object has no attribute 'no_logging'

Given how invasive this kind of patch is in general, I'm not sure I'd be happy even if I could get it to work...

So, I was wondering if you would be open to a new setting like REQUEST_LOGGING_SKIP_ROUTES which would contain a list of routes like ['/admin/login/', '/api/sensitive/'], which could be checked in _should_log_route in addition to the NO_LOGGING_ATTR. I feel this would be useful in general for controlling how logging is done for third party views/apps

[mindflayer]

Good point, I was wondering how to manage this scenario. Another idea would be to filter out not only some headers but specific fields from the body.

[wesleyjellis]

body level filtering would be amazing as well, although I don't know how easy that is to implement when you have only the raw request body

[Wissperwind]

Hi,
I have a similar problem: I have a custom login view and in case of a failed login the passwort is logged. But @no_logging() does not have an effect:

@no_logging()
def login(request):

It still loggs: b'{"username":"user","password":"123"}'

[jakubkrysl]

Hi,

We've encountered logging credentials in plaintext in case POST request failed on /login/. The way we handle it for now is using custom filter that masks the password. This is than applied through logging configuration.

def mask_password(record):
    record.msg = re.sub(r"password=(.*?)($|&|\n)", r"password=*****\g<2>", record.msg)
    return True

This way the actual password is replaced with *****. Though this has a downside that if the filter fails for any reason, it does not get applied and password will get logged in plaintext.

I like the skipping routes option as this would allow any admin to skip sensitive routes completely instead of relying on the devs of the app to apply patch on those routes in code. They might be very reluctant to do that since it would introduce this middleware as new dependency. This is our case - this middleware is deployed through config on our side, not by the devs of the app.