diff --git a/packages/bsky/package.json b/packages/bsky/package.json
index ea478efb3ae..7187e17f1bd 100644
--- a/packages/bsky/package.json
+++ b/packages/bsky/package.json
@@ -53,6 +53,7 @@
 "http-errors": "^2.0.0",
 "http-terminator": "^3.2.0",
 "ioredis": "^5.3.2",
+ "jose": "^5.0.1",
 "kysely": "^0.22.0",
 "multiformats": "^9.9.0",
 "murmurhash": "^2.0.1",
diff --git a/packages/bsky/src/logger.ts b/packages/bsky/src/logger.ts
index d6fad590eef..935b929d6f3 100644
--- a/packages/bsky/src/logger.ts
+++ b/packages/bsky/src/logger.ts
@@ -1,5 +1,8 @@
+import pino from 'pino'
 import pinoHttp from 'pino-http'
+import * as jose from 'jose'
 import { subsystemLogger } from '@atproto/common'
+import { parseBasicAuth } from './auth-verifier'
 export const dbLogger: ReturnType = subsystemLogger('bsky:db')
@@ -21,5 +24,34 @@ export const loggerMiddleware = pinoHttp({
 message: err?.message,
 }
 },
+ req: (req) => {
+ const serialized = pino.stdSerializers.req(req)
+ const authHeader = serialized.headers.authorization || ''
+ let auth: string | undefined = undefined
+ if (authHeader.startsWith('Bearer ')) {
+ const token = authHeader.slice('Bearer '.length)
+ const { iss } = jose.decodeJwt(token)
+ if (iss) {
+ auth = 'Bearer ' + iss
+ } else {
+ auth = 'Bearer Invalid'
+ }
+ }
+ if (authHeader.startsWith('Basic ')) {
+ const parsed = parseBasicAuth(authHeader)
+ if (!parsed) {
+ auth = 'Basic Invalid'
+ } else {
+ auth = 'Basic ' + parsed.username
+ }
+ }
+ return {
+ ...serialized,
+ headers: {
+ ...serialized.headers,
+ authorization: auth,
+ },
+ }
+ },
 },
 })
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index d96fa71b5ef..c8d6db85650 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -228,6 +228,9 @@ importers: ioredis: specifier: ^5.3.2 version: 5.3.2 + jose: + specifier: ^5.0.1 + version: 5.1.3 kysely: specifier: ^0.22.0 version: 0.22.0
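Review bot: `jose.decodeJwt(token)` in the new `req` serializer throws on any bearer value that is not a well-formed JWT, and nothing here catches it, so a request with a malformed Authorization header can raise from inside the logging path (how pino-http treats a throwing serializer is not visible in this hunk). The decode should be wrapped in try/catch and fall back to `'Bearer Invalid'`, the way the Basic branch already handles unparseable input. The `iss` is also read without signature verification and `decodeJwt` does not validate claim types, so it should be type-checked before concatenation, and log consumers should treat it as an unverified, client-supplied label rather than an authenticated identity. The enclosing `pinoHttp({ ... })` call starts outside the hunk.

```typescript
      if (authHeader.startsWith('Bearer ')) {
        const token = authHeader.slice('Bearer '.length)
        let iss: unknown
        try {
          // decodeJwt only parses; it verifies no signature and no claim types
          iss = jose.decodeJwt(token).iss
        } catch {
          iss = undefined // not a well-formed JWT
        }
        auth =
          typeof iss === 'string' && iss ? 'Bearer ' + iss : 'Bearer Invalid'
      }
      // … unchanged: Basic branch and returned headers …
```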