Secure mail SMTP logs in rails app

Tram Ho


We all know the benefits of logging: it lets developers diagnose and fix a problem quickly, often before they have even reproduced it.


Problem

  • In distributed systems, logs are written to shared storage or to the individual servers themselves, and are then aggregated in tools such as Splunk, LogDNA or Logstash so that they can be searched and read in one place.
  • Since these tools are not run by your own organization, should you be pushing sensitive information such as customers' personal data, authentication details and billing information into them? Obviously not! That is why most applications mask these details before the application log line is written. So far, so good.

But now I have one more question. What about the log entries your app writes while sending email to its users? Does that information need to be kept confidential too?

Your emails may contain password reset links, authentication OTPs or payment receipts, and all of these are exposed if the log written while the email is generated is not secured.

See the example below.

In my Rails app, a payment confirmation email is sent to the customer when he renews his subscription. Let's take a look at the mailer and the HTML template file.

The file app/mailers/application_mailer.rb is as follows:

And here is the template file:

Now let's send the email from the Rails console (rails c) with the command: ApplicationMailer.notify_payment_success(1).deliver

Whoa! We have a new mail instantly!

Now let’s also look at the log.

Application logs

Wait! account_id is sensitive customer information. What is it doing in the log? It has also been pushed to Splunk. Now what?

Don't panic. This can be fixed! All you really need to check is whether the email was sent to the user. Do you need the email content? In most cases you don't, so let's stop writing it to the log.

By default, ActiveSupport::LogSubscriber prints the full email contents at debug level. We need to override this behaviour. For now, we will log only the date, subject, sender and recipient.

Create the file config/initializers/log_subscriber.rb and add the code below to it.
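The initializer itself is missing from this copy of the post, so the following is an added example written for this edit, not the original author's code. It assumes the file name config/initializers/log_subscriber.rb from the post and the payload keys (:date, :subject, :from, :to, :mail) that ActionMailer::Base sets on the deliver.action_mailer notification; it replaces Action Mailer's stock #deliver logging so that the message body never reaches the log.

```ruby
# config/initializers/log_subscriber.rb (file name from the post)
# Replaces Action Mailer's default deliver logging, which writes the whole
# encoded message (body included) at debug level, with one line holding only
# the date, subject, sender and recipient.

# Rails-independent part: builds the log line from the "deliver.action_mailer"
# event payload. The :mail key (full encoded message) is never read.
module SecureMailLog
  SAFE_KEYS = %i[date subject from to].freeze # the only payload keys we log

  def self.line(payload)
    fields = SAFE_KEYS.map do |key|
      value = payload[key]
      value = value.join(", ") if value.is_a?(Array) # :from and :to are arrays
      "#{key}=#{value}"
    end
    "Sent mail | #{fields.join(' | ')}"
  end
end

# Rails part: only wired up when the gems are present, so the file also runs
# as plain Ruby for the demo at the bottom.
begin
  require "active_support"
  require "action_mailer"
rescue LoadError
  # Not inside a Rails app; only SecureMailLog is defined.
end

if defined?(ActiveSupport) && defined?(ActionMailer)
  # Runs once ActionMailer::Base, which loads ActionMailer::LogSubscriber, is up.
  ActiveSupport.on_load(:action_mailer) do
    ActionMailer::LogSubscriber.class_eval do
      # Replaces the stock #deliver; its debug { event.payload[:mail] } call is
      # gone, so the message body no longer reaches the log (or Splunk).
      def deliver(event)
        info { SecureMailLog.line(event.payload) }
      end
    end
  end
end

# Constructed sample payload shaped like the one Action Mailer instruments.
SAMPLE_PAYLOAD = {
  date: "Mon, 01 Mar 2021 10:00:00 +0000", subject: "Payment successful",
  from: ["billing@example.com"], to: ["customer@example.com"],
  mail: "Subject: Payment successful\r\n\r\nHi, account_id 1, your OTP is 123456"
}.freeze
puts SecureMailLog.line(SAMPLE_PAYLOAD) if $PROGRAM_NAME == __FILE__
```

Running the file outside Rails prints the sanitized line for the sample payload; inside a Rails app the on_load hook installs the override once Action Mailer loads.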

Now restart your Rails console, send a new email and look at the logs.

Only the required details now appear in the log.

I hope this helps the next time you add a new email to your Rails app.


Source: Viblo