feat: respect logLevel when registering plugin (#186)

* feat: respect logLevel option

When registering the plugin, you could specify the logLevel as an
option, but this was ignored by the plugin.

* fix: ensure logLevel is a string

I don't know why someone would pass in undefined, but it should fail
early.

* docs: mention logLevel option

Author: ojeytonwilliams

README.md

@@ -159,6 +159,7 @@ Apart from these safeguards, it is extremely important to [use HTTPS for your we
 | `getUserInfo` |  A sync function to get a string of user-specific information to prevent cookie tossing.     |
 | `sessionPlugin` |  The session plugin that you are using (if applicable).     |
 | `csrfOpts` |  The csrf options. See [@fastify/csrf](https://github.com/fastify/csrf).     |
+| `logLevel` | The log level for `fastify.csrfProtection` errors.     |
 
 ### `reply.generateCsrf([opts])`
 

index.js

@@ -14,7 +14,8 @@ const defaultOptions = {
   sessionKey: '_csrf',
   getToken: getTokenDefault,
   getUserInfo: getUserInfoDefault,
-  sessionPlugin: '@fastify/cookie'
+  sessionPlugin: '@fastify/cookie',
+  logLevel: 'warn'
 }
 
 async function fastifyCsrfProtection (fastify, opts) {
@@ -24,7 +25,8 @@ async function fastifyCsrfProtection (fastify, opts) {
     sessionKey,
     getToken,
     getUserInfo,
-    sessionPlugin
+    sessionPlugin,
+    logLevel
   } = Object.assign({}, defaultOptions, opts)
 
   const csrfOpts = opts?.csrfOpts ? opts.csrfOpts : {}
@@ -34,6 +36,7 @@ async function fastifyCsrfProtection (fastify, opts) {
   assert(typeof getToken === 'function', 'getToken should be a function')
   assert(typeof getUserInfo === 'function', 'getUserInfo should be a function')
   assert(typeof cookieOpts === 'object', 'cookieOpts should be a object')
+  assert(typeof logLevel === 'string', 'logLevel should be a string')
   assert(
     ['@fastify/cookie', '@fastify/session', '@fastify/secure-session'].includes(sessionPlugin),
     "sessionPlugin should be one of the following: '@fastify/cookie', '@fastify/session', '@fastify/secure-session'"
@@ -113,11 +116,11 @@ async function fastifyCsrfProtection (fastify, opts) {
   function csrfProtection (req, reply, next) {
     const secret = getSecret(req, reply)
     if (!secret) {
-      req.log.warn('Missing csrf secret')
+      req.log[logLevel]('Missing csrf secret')
       return reply.send(new MissingCSRFSecretError())
     }
     if (!tokens.verify(secret, getToken(req), getUserInfo(req))) {
-      req.log.warn('Invalid csrf token')
+      req.log[logLevel]('Invalid csrf token')
       return reply.send(new InvalidCSRFTokenError())
     }
     next()

test/basic.test.js

@@ -157,6 +157,18 @@ test('Validation', async t => {
       t.assert.strictEqual(err.message, "sessionPlugin should be one of the following: '@fastify/cookie', '@fastify/session', '@fastify/secure-session'")
     }
   })
+
+  await t.test('logLevel', async t => {
+    t.plan(1)
+    try {
+      const fastify = Fastify()
+      await fastify.register(fastifyCookie)
+      await fastify.register(fastifyCsrf, { logLevel: undefined })
+      await fastify.ready()
+    } catch (err) {
+      t.assert.strictEqual(err.message, 'logLevel should be a string')
+    }
+  })
 })
 
 test('csrf options', async () => {
@@ -177,6 +189,93 @@ test('csrf options', async () => {
   sinon.assert.calledWith(csrf, csrfOpts)
 })
 
+const spyLogger = {
+  warn: sinon.spy(),
+  error: sinon.spy(),
+  info: sinon.spy(),
+  debug: sinon.spy(),
+  fatal: sinon.spy(),
+  trace: sinon.spy(),
+  child: () => spyLogger
+}
+
+test('logLevel options', async t => {
+  async function load (logLevel) {
+    const opts = logLevel ? { logLevel } : {}
+    const fastify = Fastify({ loggerInstance: spyLogger })
+    await fastify.register(fastifyCookie)
+    await fastify.register(fastifyCsrf, opts)
+    fastify.get('/', async (_req, reply) => {
+      reply.generateCsrf()
+      return {}
+    })
+
+    fastify.post('/', {
+      onRequest: fastify.csrfProtection
+    }, async () => {
+      return {}
+    })
+    await fastify.ready()
+    return fastify
+  }
+
+  async function makeRequests (fastify) {
+    const response = await fastify.inject({
+      method: 'GET',
+      path: '/'
+    })
+
+    const cookie = response.cookies[0]
+
+    // missing csrf secret
+    await fastify.inject({
+      method: 'POST',
+      payload: { hello: 'world' },
+      path: '/',
+    })
+
+    // invalid csrf token
+    await fastify.inject({
+      method: 'POST',
+      payload: { hello: 'world' },
+      path: '/',
+      cookies: {
+        [cookie.name]: cookie.value
+      }
+    })
+  }
+
+  t.afterEach(() => {
+    spyLogger.warn.resetHistory()
+    spyLogger.error.resetHistory()
+  })
+
+  await t.test('default log level', async t => {
+    t.plan(1)
+    const fastify = await load()
+    await makeRequests(fastify)
+
+    t.assert.strictEqual(spyLogger.warn.callCount, 2)
+  })
+
+  await t.test('custom log level', async t => {
+    t.plan(2)
+    const fastify = await load('error')
+    await makeRequests(fastify)
+
+    t.assert.strictEqual(spyLogger.error.callCount, 2)
+    t.assert.ok(spyLogger.warn.notCalled)
+  })
+
+  await t.test('silent log level', async t => {
+    t.plan(1)
+    const fastify = await load('silent')
+    await makeRequests(fastify)
+
+    t.assert.ok(spyLogger.warn.notCalled)
+  })
+})
+
 async function runtTest (t, load, tkn, hook = 'onRequest') {
   await t.test(`Token in ${tkn.place}`, async t => {
     const fastify = await load()

types/index.test-d.ts

@@ -69,5 +69,6 @@ fastify.register(FastifyCsrfProtection, { csrfOpts: { }, sessionPlugin: '@fastif
 fastify.register(FastifyCsrfProtection, { csrfOpts: { }, sessionPlugin: '@fastify/secure-session' })
 fastify.register(FastifyCsrfProtection, { sessionPlugin: '@fastify/session' })
 fastify.register(FastifyCsrfProtection, { sessionPlugin: '@fastify/secure-session' })
+fastify.register(FastifyCsrfProtection, { logLevel: 'info' })
 
 expectDeprecated({} as FastifyCsrfOptions)