Added recursive support for protected props

README.md

@@ -51,13 +51,23 @@ module.exports = {
      * (e.g. "password")
      *
      * > WARNING:
-     * > This is a SHALLOW check of request body, querystring, and route path parameters.
+     * > If recursive is set to false (default) This is a SHALLOW check of request body, querystring, and route path parameters.
      * > Deeply nested properties with these names are not redacted.
+     * > If recursive is set to true, a one level check and reduction is done.
+     * > For example on put request:
+     * > { '0': 'api/v1/users/2',
+     * >  user: 
+     * >  { username: 'fauser',
+     * >    password: '*REDACTED*',
+     * >    token: '*REDACTED*',
+     * >   } 
+     * > }
      */
     dontLogParams: [
       'password',
       'token'
     ],
+    recursive: false,
 
     /**
      * When request starts...

private/log-request.middleware.js

@@ -21,7 +21,7 @@ module.exports = function logRequest_middleware(req, res, next) {
     path: req.path,
     method: req.method,
 
-    allParams: redactProtectedKeys(req.allParams(), sails.config.apianalytics.dontLogParams),
+    allParams: redactProtectedKeys(req.allParams(), sails.config.apianalytics.dontLogParams, sails.config.apianalytics.recursive),
 
     protocol: req.protocol,
 
@@ -39,9 +39,9 @@ module.exports = function logRequest_middleware(req, res, next) {
       url: req.url,
       transport: req.transport,
       options: req.options,
-      queryParams: redactProtectedKeys(req.query, sails.config.apianalytics.dontLogParams),
-      routeParams: redactProtectedKeys(req.params, sails.config.apianalytics.dontLogParams),
-      bodyParams: redactProtectedKeys(req.body, sails.config.apianalytics.dontLogParams)
+      queryParams: redactProtectedKeys(req.query, sails.config.apianalytics.dontLogParams, sails.config.apianalytics.recursive),
+      routeParams: redactProtectedKeys(req.params, sails.config.apianalytics.dontLogParams, sails.config.apianalytics.recursive),
+      bodyParams: redactProtectedKeys(req.body, sails.config.apianalytics.dontLogParams, sails.config.apianalytics.recursive)
     }
 
   };//</build initial report>
@@ -95,7 +95,7 @@ module.exports = function logRequest_middleware(req, res, next) {
     report.responseHeaders = res._headers;
 
     // Save user session as embedded JSON to keep a permanent record
-    report.userSession = _.cloneDeep(req.session);
+    report.userSession = redactProtectedKeys(_.cloneDeep(req.session), sails.config.apianalytics.dontLogParams, sails.config.apianalytics.recursive);
 
     // Call log function
     if (_.isFunction(sails.config.apianalytics.onResponse)) {

private/redact-protected-keys.js

@@ -31,7 +31,7 @@ var _ = require('lodash');
  * @returns {Dictionary}
  */
 
-module.exports = function redactProtectedKeys(dictionary, blacklist) {
+module.exports = function redactProtectedKeys(dictionary, blacklist, recursive) {
 
   if (!_.isObject(dictionary)) {
     return dictionary;
@@ -44,6 +44,9 @@ module.exports = function redactProtectedKeys(dictionary, blacklist) {
     throw new Error('Consistency violation: Unexpected bad usage in cleanseDictionary.  Expected blacklist to be an array of strings, but got: '+util.inspect(blacklist,{depth:null}));
   }//>-•
 
+  if(_.isUndefined(recursive)){
+    recursive = false;
+  }
 
   // Get deep clone of dictionary.
   var cleansedCopy = _.cloneDeep(dictionary);
@@ -57,5 +60,18 @@ module.exports = function redactProtectedKeys(dictionary, blacklist) {
 
   });//</_.each>
 
+  if(recursive){
+    // Loop over each top-level property and check if it is an object
+    _.each(cleansedCopy, function(value, key){
+      if(_.isObject(cleansedCopy[key])){
+        // Loop over each object inner property and redact any that are protected.
+        _.each(cleansedCopy[key], function(value, PropName){
+          if(blacklist.indexOf(PropName) >= 0){
+            cleansedCopy[key][PropName] = '*REDACTED*';
+          }
+        });
+      }
+    });//</_.each>
+  }
   return cleansedCopy;
 };