ruby-on-rails ruby-on-rails-3 security logging delayed-job

Filtering sensitive information from DelayedJob logging


Rails 3 has a nice feature in config/application.rb that allows one to filter sensitive information, such as passwords, from appearing in logs, as shown below:

config.filter_parameters += [:password, :creditcardnum]

However, my question lies in how to filter that same information from logging elsewhere. For example, I am using DelayedJob, and even though my password is filtered from my development log, it still appears when DelayedJob logs (and I imagine something similar would happen with similarly working gems):

SQL (14.3ms) INSERT INTO "delayed_jobs" ("attempts", "created_at", "failed_at", "handler", "last_error", "locked_at", "locked_by", "priority", "queue", "run_at", "updated_at") VALUES (blah blah blah...) username: [email protected]\n password: MYPASSWORDHERE\n method_name: :destroy\nargs: []\n"], ["last_error", nil], ["locked_at", nil], ["locked_by", nil], ["priority", 0], ["queue", nil], ["run_at", Wed, 03 Jul 2013 03:07:02 UTC +00:00], ["updated_at", Wed, 03 Jul 2013 03:07:02 UTC +00:00]]

Would you have any thoughts on this?


Solution

  • I suggest sending only non-sensitive information to delayed job.

    For example, the following code sends the full user object (including password or any other sensitive information) to delayed job:

    user.delay.activate
    

    To prevent that, first we can prepare an ActivateUserJob:

    class ActivateUserJob < Struct.new(:user_id)
      def perform
        user = User.find(user_id)
        user.activate
      end
    end
    

    Then, enqueue the job when needed. This way, only the id of the user is revealed:

    Delayed::Job.enqueue ActivateUserJob.new(user.id)
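
An added example, not part of the original answer: DelayedJob stores each job as YAML in the `handler` column, so this sketch serializes both job shapes with Ruby's standard `yaml` library and reports which sensitive keys would end up in the logged INSERT. The plain-Ruby `User`, `FullObjectJob`, `handler_for` and `leaked_keys` are hypothetical stand-ins chosen for illustration, and the sample values are constructed.

```ruby
require "yaml"

# Constructed stand-in for an ActiveRecord model (assumption: no Rails loaded).
class User
  attr_reader :id

  def initialize(id, username, password)
    @id = id
    @username = username
    @password = password
  end
end

# Stand-in for what `user.delay.activate` stores: the whole receiver object.
FullObjectJob = Struct.new(:object, :method_name, :args)

# The id-only job from the answer; perform is omitted because only
# serialization matters for this check.
class ActivateUserJob < Struct.new(:user_id); end

# Same names as in config.filter_parameters in the question.
SENSITIVE_KEYS = %w[password creditcardnum].freeze

# Reproduce the serialization step that fills the "handler" column.
def handler_for(job)
  job.to_yaml
end

# Return the sensitive names that appear as YAML mapping keys in a handler.
def leaked_keys(handler, keys = SENSITIVE_KEYS)
  keys.select { |k| handler.match?(/^\s*#{Regexp.escape(k)}:/) }
end

user = User.new(42, "alice@example.test", "constructed-secret")
puts leaked_keys(handler_for(FullObjectJob.new(user, :activate, []))).inspect
puts leaked_keys(handler_for(ActivateUserJob.new(user.id))).inspect
```

A check like `leaked_keys` can run in a test suite against the handler of every job class, so a job that starts carrying a full model object is caught before it reaches a log.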