Secure Logging

Frontend używa secureLogger do zapobiegania przypadkowemu logowaniu wrażliwych danych (PII).

Key Features

Feature	Description
Automatic PII Masking	Email, phone, PESEL, NIP, passwords, tokens
Structured Logging	Special methods for auth, database, and API operations
Development-Only Debug	`debug()` only works in development mode
Semgrep Enforcement	Direct `console.*` usage triggers warnings

Quick Start

Import

import { secureLogger } from '@/utils/secureLogger';
// or use named imports:
import {
  log,
  info,
  warn,
  error,
  logAuth,
  logDb,
  logApi,
} from '@/utils/secureLogger';

Basic Usage

// Simple logging
secureLogger.log('Application started');
secureLogger.info('User action completed');
secureLogger.warn('Unusual activity detected');
secureLogger.error('API call failed', error);

// Debug (only in development)
secureLogger.debug('Debug information', data);

Structured Logging

// Authentication events
secureLogger.logAuth('success', userId); // Masks user ID
secureLogger.logAuth('failure', userId);
secureLogger.logAuth('logout');

// Database operations
secureLogger.logDb('INSERT', 'users', recordId); // Masks record ID
secureLogger.logDb('UPDATE', 'patients', patientId);

// API calls
secureLogger.logApi('POST', '/api/users', 201); // Masks UUIDs in paths
secureLogger.logApi('GET', '/api/visits/uuid-here', 200);

Automatic PII Masking

Logger automatycznie sanityzuje:

Sensitive field names: password, token, sessionId, email, phone, address, etc.
Pattern matching: PESEL (11 digits), NIP (10 digits), email addresses, credit cards

Przykład:

const user = {
  name: 'Jan Kowalski',
  email: 'jan@example.com',
  password: 'secret123',
  phone: '123-456-789',
};

secureLogger.log('User data:', user);
// Logs: User data: { name: 'Jan Kowalski', email: '[REDACTED]',
//        password: '[REDACTED]', phone: '[REDACTED]' }

Backend vs Frontend Comparison

Feature	Backend (Rust)	Frontend (TS)
PII Masking	Email, Token	Email, Phone, PESEL, NIP
Structured Logs	JSON with context	Special methods
Log Levels	debug/info/warn/error	debug/info/warn/error
Enforcement	Manual	Semgrep rules
Output	Terminal/Console.app	Browser DevTools

Migration Guide

Before (Insecure)

console.log('User:', user.email);
console.error('Failed to save:', error);

After (Secure)

import { secureLogger } from '@/utils/secureLogger';

secureLogger.log('User:', user); // Email automatically masked
secureLogger.error('Failed to save:', error);

Semgrep Rules

Direct console.* usage is blocked by Semgrep:

- id: no-direct-console-usage
  message: Use secureLogger instead
  severity: WARNING

Exceptions:

Test files (.test.ts, .spec.ts)
secureLogger.ts itself
scripts/ directory

Best Practices

DO

// Use secureLogger
import { secureLogger } from '@/utils/secureLogger';
secureLogger.info('Action completed');

// Let automatic masking work
secureLogger.log('User data:', userData); // PII masked automatically

// Use structured logging
secureLogger.logAuth('success', userId);

DON’T

// Don't use console directly
console.log('User email:', email); // Semgrep warning

// Don't log raw sensitive data
secureLogger.log(password); // Still insecure if not in object

// Don't bypass sanitization
const rawEmail = user.email;
console.log(rawEmail); // Blocked by Semgrep

Implementation Status

Item	Status
Secure logger module (`secureLogger.ts`)	Done
PII masking functions	Done
Structured logging methods	Done
Semgrep enforcement rules	Done
Documentation	Done

Testing

Test the logger in your browser console:

import { secureLogger } from '@/utils/secureLogger';

// Test PII masking
secureLogger.log('Email test:', { email: 'user@example.com' });
// Expected: { email: '[REDACTED]' }

// Test phone masking
secureLogger.log('Phone test:', '123-456-789');
// Expected: '[REDACTED]'

Powiązane dokumenty

Security Overview - Główny security overview
Backend Logging - Rust secure_logger