Only log basic response information
When logging a gateway error response there is a params field,
which provides extra information about the request. That information
can include useful information like the payment amount, but it can
also include PII such as a full billing address.

By logging the full error response in yaml that PII can end up in your
logs, which is not desirable and potentially against the law. Therefore
we should only log the minimal information needed from the response.
JDutil committed Feb 6, 2020

This commit was signed with the committer’s verified signature. The key has expired.
JDutil Jeff Dutil
1 parent 958f29e commit 85a3823
Showing 1 changed file with 27 additions and 9 deletions.
36 changes: 27 additions & 9 deletions core/app/models/spree/payment/processing.rb
@@ -204,22 +204,40 @@ def protect_from_connection_error
end

def gateway_error(error)
if error.is_a? ActiveMerchant::Billing::Response
text = error.params['message'] || error.params['response_reason_text'] || error.message
elsif error.is_a? ActiveMerchant::ConnectionError
text = I18n.t('spree.unable_to_connect_to_gateway')
else
text = error.to_s
end
logger.error(I18n.t('spree.gateway_error'))
logger.error(" #{error.to_yaml}")
text = if error.is_a? ActiveMerchant::Billing::Response
logger.error("#{I18n.t('spree.gateway_error')}: #{basic_response_info(error)}")
error.params['message'] || error.params['response_reason_text'] || error.message
elsif error.is_a? ActiveMerchant::ConnectionError
logger.error("#{I18n.t('spree.gateway_error')}: #{I18n.t('spree.unable_to_connect_to_gateway')}")
I18n.t('spree.unable_to_connect_to_gateway')
else
logger.error("#{I18n.t('spree.gateway_error')}: #{error}")
error.to_s
end

raise Core::GatewayError.new(text)
end

# The unique identifier to be passed in to the payment gateway
def gateway_order_id
"#{order.number}-#{number}"
end

# The gateway response information without the params since the params
# can contain PII.
def basic_response_info(response)
{
message: response.message,
test: response.test,
authorization: response.authorization,
avs_result: response.avs_result,
cvv_result: response.cvv_result,
error_code: response.error_code,
emv_authorization: response.emv_authorization,
gateway_order_id: gateway_order_id,
order_number: order.number
}
end
end
end
end
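Review bot: the `ActiveMerchant::ConnectionError` branch now drops the underlying failure detail: it logs only the translated `spree.unable_to_connect_to_gateway` string, whereas the removed `error.to_yaml` line also captured `error.message` (ActiveMerchant populates a `ConnectionError` with the message of the triggering network exception, e.g. a timeout versus a refused connection). That message contains no customer data, so consider logging it alongside the translated text, e.g. `logger.error("#{I18n.t('spree.gateway_error')}: #{I18n.t('spree.unable_to_connect_to_gateway')} (#{error.message})")`, so operators can still diagnose connectivity problems. Two smaller points: the `"#{I18n.t('spree.gateway_error')}: ..."` prefix is repeated in all three branches and could be emitted once before `raise` from a single `detail` value, and since the commit touches only `processing.rb`, a spec asserting that a `Billing::Response` whose `params` carry a billing address produces a log line without that address would lock in the PII fix this change is meant to provide.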
