tchapi · tchapi · Nov 4, 2023 · Oct 29, 2023 · Oct 31, 2023 · Nov 1, 2023
diff --git a/.env b/.env
@@ -68,3 +68,8 @@ [email protected]
 # USE ABSOLUTE PATHS for better predictability
 WEBDAV_TMP_DIR='/tmp'
 WEBDAV_PUBLIC_DIR='/webdav'
+
+# Logging path
+# By default, it will log in the standard Symfony directory: var/log/prod.log (for production)
+# You can use /dev/null here if you want to discard logs entirely
+LOG_FILE_PATH="%kernel.logs_dir%/%kernel.environment%.log"
diff --git a/README.md b/README.md
@@ -117,6 +117,14 @@ WEBDAV_TMP_DIR='/tmp'
 WEBDAV_PUBLIC_DIR='/webdav'
 ```
 
+g. The log file path
+
+You can use an absolute file path here, and you can use Symfony's `%kernel.logs_dir%` and `%kernel.environment%` placeholders if needed (as in the default value). Setting it to `/dev/null` will disable logging altogether.
+
+```
+LOG_FILE_PATH="%kernel.logs_dir%/%kernel.environment%.log"
+```
+
 ### Specific environment variables for IMAP and LDAP authentication methods
 
 In case you use the `IMAP` auth type, you must specify the auth url (_the "mailbox" url_) in `IMAP_AUTH_URL`. See https://www.php.net/manual/en/function.imap-open.php for more details.

diff --git a/config/packages/dev/easy_log_handler.yaml b/config/packages/dev/easy_log_handler.yaml
diff --git a/config/packages/prod/monolog.yaml b/config/packages/prod/monolog.yaml
@@ -8,7 +8,7 @@ monolog:
             buffer_size: 50 # How many messages should be saved? Prevent memory leaks
         nested:
             type: stream
-            path: "%kernel.logs_dir%/%kernel.environment%.log"
+            path: "%env(resolve:LOG_FILE_PATH)%"
             level: debug
         console:
             type: console

diff --git a/config/services.yaml b/config/services.yaml
@@ -55,4 +55,8 @@ services:
     App\Security\LoginFormAuthenticator:
         arguments:
             $adminLogin: "%env(ADMIN_LOGIN)%"
-            $adminPassword: "%env(ADMIN_PASSWORD)%"
+            $adminPassword: "%env(ADMIN_PASSWORD)%"
+
+    App\Logging\Monolog\PasswordFilterProcessor:
+        tags:
+            - { name: monolog.processor }
diff --git a/src/Logging/Monolog/PasswordFilterProcessor.php b/src/Logging/Monolog/PasswordFilterProcessor.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace App\Logging\Monolog;
+
+use Monolog\Processor\ProcessorInterface;
+
+final class PasswordFilterProcessor implements ProcessorInterface
+{
+    private const REDACTED = '****';
+    private const PASSWORD_KEY = 'password';
+    private const SENSITIVE_ARGS_FUNCTIONS = ['validateUserPass', 'ldapOpen', 'password_verify', 'imapOpen', 'ldap_bind', 'hashPassword', 'dav'];
+
+    public function __invoke(array $record): array
+    {
+        // Remove potentially sensitive data from function arguments
+        $shouldRedactArgs = array_key_exists('function', $record) && in_array($record['function'], self::SENSITIVE_ARGS_FUNCTIONS);
+
+        foreach ($record as $key => $item) {
+            if (self::PASSWORD_KEY === strtolower($key) || ('args' === $key && $shouldRedactArgs)) {
+                $record[$key] = self::REDACTED;
+            } elseif (is_array($item)) {
+                $record[$key] = $this($item);
+            }
+        }
+
+        return $record;
+    }
+}
diff --git a/src/Services/IMAPAuth.php b/src/Services/IMAPAuth.php
@@ -62,7 +62,12 @@ protected function imapOpen($username, $password)
                 $this->utils->createPasswordlessUserWithDefaultObjects($username, $username, $username);
 
                 $em = $this->doctrine->getManager();
-                $em->flush();
+
+                try {
+                    $em->flush();
+                } catch (\Exception $e) {
+                    error_log('IMAP Error (flush): '.$e->getMessage());
+                }
             }
         }
 

diff --git a/src/Services/LDAPAuth.php b/src/Services/LDAPAuth.php
@@ -91,7 +91,7 @@ protected function ldapOpen($username, $password)
         try {
             $ldap = ldap_connect($this->LDAPAuthUrl);
         } catch (\ErrorException $e) {
-            error_log($e->getMessage());
+            error_log('LDAP Error (ldap_connect): '.ldap_error($ldap).' ('.ldap_errno($ldap).')');
         }
 
         if (!$ldap || !ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3)) {
@@ -124,8 +124,7 @@ protected function ldapOpen($username, $password)
                 $success = true;
             }
         } catch (\ErrorException $e) {
-            error_log($e->getMessage());
-            error_log('LDAP Error: '.ldap_error($ldap).' ('.ldap_errno($ldap).')');
+            error_log('LDAP Error (ldap_bind): '.ldap_error($ldap).' ('.ldap_errno($ldap).')');
         }
 
         if ($success && $this->autoCreate) {
@@ -161,7 +160,12 @@ protected function ldapOpen($username, $password)
                 $this->utils->createPasswordlessUserWithDefaultObjects($username, $displayName, $email);
 
                 $em = $this->doctrine->getManager();
-                $em->flush();
+
+                try {
+                    $em->flush();
+                } catch (\Exception $e) {
+                    error_log('LDAP Error (flush): '.$e->getMessage());
+                }
             }
         }