Merged PR 164: BUG916:ユーザーのパスワードをログに出さないようにする

BUG916:ユーザーのパスワードをログに出さないようにする

Related work items: #916

backend/.deployment

@@ -0,0 +1,2 @@
+[config]
+SCM_DO_BUILD_DURING_DEPLOYMENT=true

backend/app/core/operation.py

@@ -1,4 +1,5 @@
 
+from urllib.parse import parse_qs, urlencode
 from fastapi import Request
 from fastapi.responses import JSONResponse
 from starlette.middleware.base import BaseHTTPMiddleware
@@ -34,6 +35,48 @@ class LoggingMiddleware(BaseHTTPMiddleware):
 
         return response
     
+    def sanitize_password(self,data):
+        """
+        データ内の password パラメータをフィルタリングする機能。
+        dict、JSON 文字列、URL エンコード文字列、QueryDict をサポート。
+        """
+        if data is None:
+            return data
+        elif isinstance(data, dict):
+            data.pop('password', None)
+            return data
+        elif isinstance(data, list):
+            return [self.sanitize_password(item) for item in data]
+        elif isinstance(data, (str, bytes)):
+            if isinstance(data, bytes):
+                data = data.decode('utf-8')  # bytes to str
+            # JSON解析
+            try:
+                parsed_json = json.loads(data)
+                sanitized_json = self.sanitize_password(parsed_json)
+                return json.dumps(sanitized_json, separators=(',', ':'))
+            except json.JSONDecodeError:
+                # URL 解析
+                try:
+                    parsed_dict = parse_qs(data)
+                    parsed_dict.pop('password', None)
+                    return urlencode(parsed_dict, doseq=True)
+                except:
+                    parts = data.split('&')
+                    filtered_parts = []
+                    for part in parts:
+                        if '=' in part:
+                            key, _ = part.split('=', 1)
+                            if key == 'password':
+                                continue
+                        filtered_parts.append(part)
+                    return '&'.join(filtered_parts)
+        #  QueryDict 例えば FastAPI の request.query_params）
+        elif hasattr(data, 'items'): 
+            return {k: v for k, v in data.items() if k != 'password'}
+        return data
+
+
     async def log_request(self, request: Request, response,state):
         try:
             headers = dict(request.headers)
@@ -43,14 +86,25 @@ class LoggingMiddleware(BaseHTTPMiddleware):
             else:
                 path_template = request.url.path
           
-            db_operation = OperationLog(tenantid =request.state.tenant,
+            # passwordのパラメータを除外する
-                                            clientip = request.client.host if request.client else None,
+            safe_query = self.sanitize_password(request.query_params.items())
-                                            useragent =headers.get("user-agent", ""),
+               
-                                            userid = request.state.user,
+            # passwordのパラメータを除外する
-                                            operation = request.method,
+            safe_body = self.sanitize_password(request.state.body)
-                                            function = path_template,
+           
-                                            parameters = str({"path": request.path_params,"query": dict(request.query_params),"body": request.state.body}),
+            db_operation = OperationLog(
-                                            response = f"status_code:{response.status_code }"  )
+                tenantid =request.state.tenant,
+                clientip = request.client.host if request.client else None,
+                useragent =headers.get("user-agent", ""),
+                userid = request.state.user,
+                operation = request.method,
+                function = path_template,
+                parameters = str({
+                    "path": request.path_params,
+                    "query": safe_query,
+                    "body": safe_body
+                }),
+                response = f"status_code:{response.status_code }"  )
             
             db = request.state.db
             if db:
@@ -71,5 +125,3 @@ class LoggingMiddleware(BaseHTTPMiddleware):
     async def write_log_to_db(self, db_operation,db):
         db.add(db_operation)
         db.commit()
-
-    

frontend/.env

@@ -1,6 +1,6 @@
 #開発環境
-#KAB_BACKEND_URL="https://kab-backend.azurewebsites.net/"
+KAB_BACKEND_URL="https://ktune-backend-dev-eba8fkeyffegc3cz.japanwest-01.azurewebsites.net/"
 #単体テスト環境
 #KAB_BACKEND_URL="https://kab-backend-unittest.azurewebsites.net/"
 #ローカル開発環境
-KAB_BACKEND_URL="http://127.0.0.1:8000/"
+#KAB_BACKEND_URL="http://127.0.0.1:8000/"