Secure your SMTP logs in a Rails application
We all know the benefits of logging. It enables developers to troubleshoot issues quickly, even before reproducing them.
In distributed computing systems, logs are stored on a shared drive or sometimes on the distributed servers themselves. Later these logs are aggregated in tools like Splunk, LogDNA or Logstash to make them accessible in a single place and to let users search and read them.
Since these tools are not managed by your organisation, should you be pushing sensitive information such as your customers' personal details, authentication details or payment information to them? The obvious answer is NO! So in most applications these details are masked before the application logs are generated. In short, we are good here😇.
But now I have one more question. What about the logs your application generates while sending emails to its users? Do you need to secure those as well🤔?
Your emails might contain password reset links, authentication OTPs or payment receipts, which might be compromised if you don't secure your email generation logs.
Let's have a look at the example below.
Here in my Rails application I send a payment confirmation email to the customer when the customer renews a subscription. Let's have a look at the mailer and the HTML template file.
The app/mailers/application_mailer.rb file looks like this:
class ApplicationMailer < ActionMailer::Base
  default from: 'mehtacables@gmail.com'
  layout 'mailer'

  # Sends the payment confirmation email to the user with the given id.
  def notify_payment_success(user_id)
    @user = User.find(user_id)
    @subscription = @user.subscription
    mail(to: @user.email, subject: 'We acknowledge your payment')
  end
end
The notify_payment_success.html.erb file looks like this:
<p> Dear <%= @user.username %>,</p>
<p> Your payment of INR 1000.00 is successful for account_id: <%= @user.account_id %></p>
<p> Your revised payment date is <%= @subscription.end_date %></p>
<p> Warm regards,</p>
<p> Mehta Cable TV</p>
Now let's generate an email from the Rails console with the command below:
ApplicationMailer.notify_payment_success(1).deliver
Woah, we have a new email now!
Now let's have a look at the application logs as well.
Wait! The account_id is sensitive customer information. What is it doing in the logs😳? It has also been pushed to Splunk. Now what🤨?
Don't panic. This can be fixed! What do you need in order to check whether an email was sent to a user? Do you need the email body as well? In most cases we don't. So let's stop adding it to the logs.
By default, Action Mailer's ActiveSupport::LogSubscriber prints the entire email content in debug mode. We need to override this behaviour. For now, let's log only the date, subject, sender and receiver.
Create a file log_subscriber.rb in the config/initializers directory and add the code below to it.
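# Load the stock subscriber first so the method below replaces its `deliver`
# instead of being overwritten when Action Mailer loads later.
require 'action_mailer/log_subscriber'

module ActionMailer
  class LogSubscriber < ActiveSupport::LogSubscriber
    # Log delivery metadata only; the message body is never written to the log.
    def deliver(event)
      info { "Email date : #{DateTime.now}" }
      info { "Email subject : #{event.payload[:subject]}" }
      info { "Email from : #{event.payload[:from]}" }
      info { "Email to : #{event.payload[:to]}" }
    end
  end
end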
Now restart your Rails console and generate a new email. Let's look at the logs.
We see only the required details in the logs🤗…
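To confirm that the initializer took effect, and to find log files written before the fix that still hold whole messages, the log text can be scanned for runs of mail headers. This is an added example, not code from the original post: `find_mail_dumps` is a hypothetical helper, both log samples are constructed, and it assumes the dumped header lines start at the beginning of a log line.

```ruby
# Standard message headers that show up when a whole email is written to the log.
MAIL_HEADER = /\A(Date|From|To|Message-ID|Subject|Mime-Version|Content-Type|Content-Transfer-Encoding):\s/i

# Returns one hash per run of consecutive header lines that contains at least
# `min_headers` distinct headers: { first_line:, last_line:, headers: }.
def find_mail_dumps(log_text, min_headers: 3)
  dumps = []
  run = nil
  log_text.each_line.with_index(1) do |line, number|
    if (match = MAIL_HEADER.match(line))
      run ||= { first_line: number, headers: [] }
      run[:last_line] = number
      run[:headers] |= [match[1].downcase]
    else
      dumps << run if run && run[:headers].size >= min_headers
      run = nil
    end
  end
  dumps << run if run && run[:headers].size >= min_headers
  dumps
end

# Constructed sample: debug-level log with the full message dumped.
LOG_BEFORE = <<~LOG
  ApplicationMailer#notify_payment_success: processed outbound mail in 12.3ms
  Sent mail to customer@example.com (45.6ms)
  Date: Mon, 01 Jan 2024 10:00:00 +0530
  From: sender@example.com
  To: customer@example.com
  Message-ID: <constructed-id@example.com>
  Subject: We acknowledge your payment
  Mime-Version: 1.0
  Content-Type: text/html; charset=UTF-8
  Content-Transfer-Encoding: 7bit

  <p> Your payment of INR 1000.00 is successful for account_id: ACC-0000</p>
LOG

# Constructed sample: output of the metadata-only subscriber.
LOG_AFTER = <<~LOG
  Email date : 2024-01-01T10:00:00+05:30
  Email subject : We acknowledge your payment
  Email from : sender@example.com
  Email to : customer@example.com
LOG

find_mail_dumps(LOG_BEFORE).each { |d| puts "mail dump at lines #{d[:first_line]}-#{d[:last_line]}" }
puts "clean" if find_mail_dumps(LOG_AFTER).empty?
```

Run against a real log file with `find_mail_dumps(File.read('log/development.log'))`; any hit marks a line range to purge from the aggregator as well.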
I hope this helps you the next time you add a new email to your Rails application.
Happy coding!!!😇