Search code examples

Masking logs in delegating handler using Serilog and Destructurama.Attributed

I am trying to log all of the requests hitting my endpoints using a delegating handler. As there are sensitive information in the request and response body, I would like to mask them in my logs. I have tried using Destructurama.Attributed and it works when I log the object of the request.

    public class LoginRequest
        [LogMasked(ShowFirst = 3)]
        public string LoginName { get; set; }

        public string Password { get; set; }

    public class UserController : BaseApiController
        private readonly ILogger _logger;
        public UserController (ILogger logger)
            _logger = logger;

        [HttpPost, Route("login")]
        public async Task<IHttpActionResult> Login(LoginRequest request)
            // masking works
            _logger.Information("Request: {@request}", request)

           // some logic

However, it does not work in the delegating handler as I only have the JSON string of the requests and responses.

In my delegating handler, I am retrieving the request body using:

    var stream = await request.Content.ReadAsStreamAsync();
    var reader = new StreamReader(stream);
    reader.BaseStream.Seek(0, SeekOrigin.Begin);
    var requestJsonString = reader.ReadToEnd();

Is there a way to deserialize these JSON strings into their respective objects based on the endpoint?

    public class GlobalLoggingHandler : DelegatingHandler
        private readonly ILogger _logger;
        public GlobalLoggingHandler(ILogger logger)
            _logger = logger;

        protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
            var endpoint = string.Join(string.Empty, request.RequestUri.Segments);
            var operation = _logger.BeginOperation("HTTP {method} {endpoint}", request.Method.Method, endpoint);

                var response = await base.SendAsync(request, cancellationToken);
                Log(request, response);
                return response;
            catch (Exception)
                //to-do: log error

                return new HttpResponseMessage(HttpStatusCode.InternalServerError);

        private async void Log(HttpRequestMessage request, HttpResponseMessage response)
            var requestObject = await GetHttpRequestContentAsync(request);

            //this is not masking as it is JSON string
            _logger.Information("Request: {@request}", requestObject);

            var responseObject = await response.Content.ReadAsStringAsync();

            //this is not masking as it is JSON string
            _logger.Information("Response: {@response}", responseObject);

        private async Task<string> GetHttpRequestContentAsync(HttpRequestMessage request)
            var stream = await request.Content.ReadAsStreamAsync();
            var reader = new StreamReader(stream);
            reader.BaseStream.Seek(0, SeekOrigin.Begin);
            return reader.ReadToEnd();

Is there any way to make it work for my case? Or, should I look into masking my JSON string manually using JObject? I would greatly appreciate any feedback :)


  • Edited Answer: The request is not logged when exception is thrown for my original implementation.

    Instead, I switched to action filters to log all of my requests. The request object is accessible via HttpActionContext.ActionArguments which will work with Destructurama.Attributed.

        public class LoggingFilter : ActionFilterAttribute
            public override Task OnActionExecutingAsync(HttpActionContext context, CancellationToken cancellationToken)
                var actionArgs = context.ActionArguments;
                if (actionArgs != null && actionArgs.Count > 0)
                    foreach (var kvp in actionArgs)
                        Log.Logger.Information("{@key}: {@value}", kvp.Key, kvp.Value);
                return base.OnActionExecutingAsync(context, cancellationToken);

    Original Answer:

    What I ended up doing instead was to log the request and response in my base api controller, not the most elegant way but it is simple and prevents the need of two lines of log in every controller method.

    However, I would still greatly appreciate anyone could share an elegant approach to this.

    Here is my implementation:


        public abstract class BaseApiController : ApiController
            private readonly ILogger _logger;
            protected BaseApiController(ILogger logger)
                _logger = logger;
            protected IHttpActionResult LogAndCreateResponseFromResult<T1, T2, T3>(Result<T1> result, T2 requestObject, T3 responseObject)
                _logger.Information("Request: {@request}", requestObject);
                _logger.Information("Response: {@response}", responseObject);
                if (result.IsFailure)
                    ModelState.AddModelError(result.Error.Code, result.Error.Message);
                    return BadRequest(ModelState);
                return Ok(responseObject);


        public class UserController : BaseApiController
            public UserController (ILogger logger) : base(logger)
            [HttpPost, Route("login")]
            public async Task<IHttpActionResult> Login(LoginRequest request)
               // some logic
               var result = await someLogicAsync();
               var response = (result.IsSuccess) ? result.Value.ToResponse() : null;
               return LogAndCreateResponseFromResult(result, request, response);