0

I have a ruby on rails web service that is consumed by another rails application. I have a form on the client application to post a user to an API endpoint on the service. The method on the client that posts a user to the webservice looks like this:

def create_user
  hydra = Typhoeus::Hydra.hydra

  post_user = Typhoeus::Request.new(
    "localhost:3006/api/v1/users",
    method: :post,
    headers: { Accept: "application/json" },
    body: params.except(:authenticity_token, :commit, :controller, :action ).to_json
  )

  post_user.on_complete do |response|
    if response.success?
      single_user = SingleUser.from_json(response.body)
      @user = single_user.user

      respond_to do |format|
        format.html {redirect_to controller: :orders, action: :account_created, user_id: @user.id}
      end

    elsif response.timed_out?
      # aw hell no
      logger.debug "got a time out"

    elsif response.code == 0
      # Could not get an http response, something's wrong.
      logger.debug(response.return_message)

    else
      # Received a non-successful http response.
      logger.debug("HTTP request failed: " + response.code.to_s)

    end
  end
  hydra.queue post_user
  hydra.run
end

This method receives data from a user registration form. When i check the server log the password sent from the form to this method is filtered. The server log looks like this:

 I, [2014-05-13T22:45:36.359671 #18433]  INFO -- : Processing by   
 OrdersController#create_user as HTML I, [2014-05-13T22:45:36.359785 #18433]  INFO -- :    
 Parameters: {"utf8"=>"✓",    
 "authenticity_token"=>"9CI8YcsNxKHDXrMQmzfbhn/GeVv21W16k+ZTM6ENOs0=",    
 "first_name"=>"foo", "last_name"=>"bar", "email"=>"foobar@mail.com",   
 "username"=>"foo.bar", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]",    
 "commit"=>"Create"}

But when this method makes a request to the API endpoint, the password is not filtered and can be obtained from the server log. The log for this request looks like this:

Started POST "/api/v1/users" for 127.0.0.1 at 2014-05-13 22:55:53 +0300
Processing by Api::V1::UsersController#create as JSON
Parameters: {"{\"utf8\":\" \",\"first_name\":\"foo\",\"last_name\":\"bar\",\"email\":\"foobar@mail.com\",\"username\":\"foo.bar\",\"password\":\"unfiltered_password\",\"password_confirmation\":\"unfiltered_password\"}"=>"[FILTERED]"}

How can i ensure that the password and password confirmation sent to the API endpoint is filtered and cannot be directly extracted from the server log.

4

0 回答 0