Phase 1-2 of server consolidation + security hardening

inventory-server/shared/logging/index.js

@@ -0,0 +1,2 @@
+export { logger, createLogger } from './logger.js';
+export { requestLog } from './request-log.js';

inventory-server/shared/logging/logger.js

@@ -0,0 +1,27 @@
+import { pino } from 'pino';
+
+const REDACTED_PATHS = [
+  'req.headers.authorization',
+  'req.headers.cookie',
+  'headers.authorization',
+  'headers.cookie',
+  '*.password',
+  '*.token',
+  '*.jwt',
+];
+
+export function createLogger(options = {}) {
+  return pino({
+    level: process.env.LOG_LEVEL ?? 'info',
+    redact: {
+      paths: REDACTED_PATHS,
+      censor: '[REDACTED]',
+    },
+    base: {
+      service: options.service ?? process.env.SERVICE_NAME ?? 'inventory',
+    },
+    ...options,
+  });
+}
+
+export const logger = createLogger();

inventory-server/shared/logging/request-log.js

@@ -0,0 +1,32 @@
+import { pinoHttp } from 'pino-http';
+import { logger } from './logger.js';
+
+export function requestLog(options = {}) {
+  return pinoHttp({
+    logger,
+    customLogLevel(req, res, err) {
+      if (err || res.statusCode >= 500) return 'error';
+      if (res.statusCode >= 400) return 'warn';
+      return 'info';
+    },
+    customSuccessMessage(req, res) {
+      return `${req.method} ${req.url} ${res.statusCode}`;
+    },
+    customErrorMessage(req, res, err) {
+      return `${req.method} ${req.url} ${res.statusCode} ${err?.message ?? ''}`;
+    },
+    serializers: {
+      req(req) {
+        return {
+          method: req.method,
+          url: req.url,
+          userId: req.raw?.user?.id,
+        };
+      },
+      res(res) {
+        return { statusCode: res.statusCode };
+      },
+    },
+    ...options,
+  });
+}