Metlo Config

Using the Metlo Config editor on the Settings page, you can describe how your API handles authentication, which makes Metlo's detection more accurate, and mark sensitive fields so that they are never stored.

Disabling Fields

There may be data you never want stored in Metlo's database, such as passwords and API keys. You can keep it out by listing the fields that should not be stored in the Metlo Config editor on the Settings page.

For example, if you wanted to stop collecting the password sent in a POST request to /login on the test-ecommerce.metlo.com host, you would add the following rule under the blockFields key:

blockFields:
  test-ecommerce.metlo.com:
    /login:
      POST:
        disable_paths:
          - req.body.password

The top-level key is the host, the second level is the endpoint path, and the third is the HTTP method. disable_paths is a list of the fields that should not be stored; in this case it is the password in the request body. Each entry starts with one of five sections, req.headers, req.query, req.body, res.headers or res.body, followed by the name of the field within that section.

To disable this for every method rather than just POST, specify the ALL key in place of the method:

blockFields:
  test-ecommerce.metlo.com:
    /login:
      ALL:
        disable_paths:
          - req.body.password

You can also use ALL in place of the endpoint to disable fields across every endpoint on the host. Note that an ALL endpoint holds disable_paths directly, with no method level beneath it:

blockFields:
  test-ecommerce.metlo.com:
    ALL:
      disable_paths:
        - req.headers.X-API-KEY
    /login:
      POST:
        disable_paths:
          - req.body.password

Denote path parameters in endpoints with surrounding curly brackets. For example, an endpoint that takes the user's username as a path parameter is written in the Metlo Config as /info/{username}.
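To make the matching rules above concrete, here is an added example (not Metlo's own code) that applies a blockFields config to a captured request. The config is embedded as a Python dict equivalent to the YAML, and the sample exchange is constructed. Three points are assumptions rather than documented Metlo behaviour: rules under an ALL endpoint and under a matching specific endpoint are combined, header names are matched case-insensitively, and a dotted field such as user.password addresses a nested body key.

```python
# Added example (not Metlo's own code): apply blockFields rules to a
# captured request/response the way the config page describes them.
import copy

REDACTED = "[REDACTED]"

# Python equivalent of the blockFields YAML shown on this page (constructed).
BLOCK_FIELDS = {
    "test-ecommerce.metlo.com": {
        "ALL": {"disable_paths": ["req.headers.X-API-KEY"]},
        "/login/{email}": {
            "POST": {"disable_paths": ["req.body.password"]},
        },
    },
}


def endpoint_matches(template, path):
    """True when a concrete path fits an endpoint template such as /info/{username}.
    Each {param} stands for exactly one path segment."""
    if template == "ALL":
        return True
    t_parts = template.strip("/").split("/")
    p_parts = path.strip("/").split("/")
    if len(t_parts) != len(p_parts):
        return False
    return all((t.startswith("{") and t.endswith("}")) or t == p
               for t, p in zip(t_parts, p_parts))


def disabled_paths(config, host, path, method):
    """Collect every disable_paths entry that applies to host/path/method.
    Assumption: ALL-endpoint rules and matching specific-endpoint rules
    are combined rather than one overriding the other."""
    found = []
    for endpoint, spec in config.get(host, {}).items():
        if not endpoint_matches(endpoint, path):
            continue
        if endpoint == "ALL":
            # An ALL endpoint holds disable_paths directly, with no method level.
            found += spec.get("disable_paths", [])
            continue
        for m in ("ALL", method.upper()):
            found += spec.get(m, {}).get("disable_paths", [])
    return found


def redact(exchange, disable):
    """Return a copy of the exchange with each 'side.section.field' entry
    replaced by REDACTED. side is req/res; section is headers/query/body."""
    out = copy.deepcopy(exchange)
    for entry in disable:
        side, section, field = entry.split(".", 2)
        container = out.get(side, {}).get(section)
        if not isinstance(container, dict):
            continue
        if section == "headers":
            # Assumption: header names are matched case-insensitively.
            for name in list(container):
                if name.lower() == field.lower():
                    container[name] = REDACTED
        else:
            # Assumption: a dotted field (user.password) addresses a nested key.
            *parents, leaf = field.split(".")
            node = container
            for key in parents:
                node = node.get(key) if isinstance(node, dict) else None
            if isinstance(node, dict) and leaf in node:
                node[leaf] = REDACTED
    return out


def process(config, exchange):
    """Redact one captured exchange according to the config."""
    return redact(exchange, disabled_paths(config, exchange["host"],
                                           exchange["path"], exchange["method"]))


# Constructed sample exchange: a login on the host configured above.
SAMPLE = {
    "host": "test-ecommerce.metlo.com",
    "path": "/login/alice@example.com",
    "method": "POST",
    "req": {
        "headers": {"x-api-key": "sk_live_123", "content-type": "application/json"},
        "query": {},
        "body": {"email": "alice@example.com", "password": "hunter2"},
    },
    "res": {"headers": {"content-type": "application/json"}, "body": {"ok": True}},
}

if __name__ == "__main__":
    print(process(BLOCK_FIELDS, SAMPLE))
```

Running it redacts both the X-API-KEY header (from the ALL endpoint) and the password in the body (from the /login/{email} POST rule), while a GET to any other path on the same host only picks up the header rule. The redaction works on a deep copy, so the original capture is untouched until you choose to persist the redacted version.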

Authentication

Metlo can also report authentication-related information about your endpoints. To let it collect that information, describe how each host authenticates requests in the Metlo Config editor as follows.

Authentication configuration goes under the root authentication field. Its value is a list of objects, each giving a host, an authType, and, for the types that need it, the header or cookie Metlo should read.

For example, if Basic access authentication were used for the ecommerce.metlo.com host, you would add the following rule under the authentication key:

authentication:
  - host: ecommerce.metlo.com
    authType: basic

The possible authentication types are: basic, header, jwt, session_cookie. For all the authentication types, the host and authType fields are required.

For basic authentication, only the host and authType fields are necessary.

For hosts in which authentication is done through a specific header field, you can use the header type. For this authentication type, the config will also require the headerKey field to be set so Metlo knows which header in the request headers is responsible for authentication.

For hosts in which authentication is done through JWT, you can use the jwt type. For this authentication type, the config will also require the headerKey field to be set so Metlo knows which header contains the JWT. You may also optionally provide a jwtUserPath field so Metlo knows where in the payload the user is set.

For hosts in which authentication is done through a session cookie, you can use the session_cookie type. For this authentication type, the config will also require the cookieName field to be set so Metlo knows which cookie in the request's Cookie header carries the session.

Here is an example utilizing all the different types:

authentication:
  - host: ecommerce.metlo.com
    authType: basic
  - host: ecommerce3.metlo.com
    authType: jwt
    headerKey: Authorization
    jwtUserPath: user.username
  - host: ecommerce4.metlo.com
    authType: session_cookie
    cookieName: _session_key
  - host: test-ecommerce.metlo.com
    authType: header
    headerKey: X-API-KEY
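The following added example (not Metlo's own code) shows how the four authType values and their fields map onto a captured request's headers: for each host it reads the identity the rule points at. The config is the Python equivalent of the YAML above, and the requests, including the JWT, are constructed. Two assumptions: when jwtUserPath is omitted the standard sub claim is used, and the JWT payload is decoded without checking its signature, because the purpose here is to attribute observed traffic to a user, not to authenticate it. Do not reuse this as an authenticator.

```python
# Added example (not Metlo's own code): map authentication rules onto a
# captured request. JWTs are decoded WITHOUT signature verification
# (assumption: traffic attribution only); never reuse this to authenticate.
import base64
import json
from http.cookies import SimpleCookie

# Python equivalent of the authentication YAML on this page.
AUTHENTICATION = [
    {"host": "ecommerce.metlo.com", "authType": "basic"},
    {"host": "ecommerce3.metlo.com", "authType": "jwt",
     "headerKey": "Authorization", "jwtUserPath": "user.username"},
    {"host": "ecommerce4.metlo.com", "authType": "session_cookie",
     "cookieName": "_session_key"},
    {"host": "test-ecommerce.metlo.com", "authType": "header",
     "headerKey": "X-API-KEY"},
]

def get_header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def b64url_decode(segment):
    """Decode base64url, restoring the padding JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_payload(token):
    """Return the claims of a compact JWT. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))

def walk(obj, dotted):
    """Follow a dotted path such as user.username through nested dicts."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def identify(config, request):
    """Return (authType, identity). identity is None when the credential is
    missing or malformed; both are None when no rule covers the host."""
    rule = next((r for r in config if r["host"] == request["host"]), None)
    if rule is None:
        return None, None
    headers = request.get("headers", {})
    kind = rule["authType"]
    try:
        if kind == "basic":
            scheme, _, cred = (get_header(headers, "Authorization") or "").partition(" ")
            if scheme.lower() != "basic" or not cred:
                return kind, None
            # RFC 7617: base64("user:password"); only the user part is kept.
            return kind, base64.b64decode(cred).decode("utf-8").split(":", 1)[0]
        if kind == "header":
            return kind, get_header(headers, rule["headerKey"])
        if kind == "jwt":
            value = get_header(headers, rule["headerKey"]) or ""
            token = value[7:] if value.lower().startswith("bearer ") else value
            # Assumption: fall back to the standard "sub" claim if jwtUserPath is unset.
            return kind, walk(jwt_payload(token), rule.get("jwtUserPath", "sub"))
        if kind == "session_cookie":
            jar = SimpleCookie()
            jar.load(get_header(headers, "Cookie") or "")
            morsel = jar.get(rule["cookieName"])
            return kind, morsel.value if morsel else None
    except (ValueError, UnicodeDecodeError):
        return kind, None
    return kind, None

def make_unsigned_jwt(claims):
    """Build a constructed alg=none JWT for the sample traffic below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

# Constructed sample requests: one per authType, plus one with no credential.
SAMPLES = [
    {"host": "ecommerce.metlo.com",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}},
    {"host": "ecommerce3.metlo.com",
     "headers": {"authorization": "Bearer " + make_unsigned_jwt({"user": {"username": "bob"}})}},
    {"host": "ecommerce4.metlo.com", "headers": {"Cookie": "theme=dark; _session_key=abc123"}},
    {"host": "test-ecommerce.metlo.com", "headers": {"X-Api-Key": "sk_live_123"}},
    {"host": "ecommerce.metlo.com", "headers": {}},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req["host"], identify(AUTHENTICATION, req))
```

Note the difference between the types: basic and jwt yield a username (from the credential or from the claim at jwtUserPath), while header and session_cookie yield the raw key or session value, which identifies a client rather than a person. If you want those values stored, make sure they are not also listed under blockFields for the same host, since a redacted header cannot be used to attribute traffic.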

Example Config

blockFields:
  test-ecommerce.metlo.com:
    ALL:
      disable_paths:
        - req.headers.X-API-KEY
    /login/{email}:
      POST:
        disable_paths:
          - req.body.password
  ecommerce.metlo.com:
    ALL:
      disable_paths:
        - req.headers.X-API-KEY
    /login:
      ALL:
        disable_paths:
          - req.body.password
authentication:
  - host: ecommerce.metlo.com
    authType: basic
  - host: ecommerce3.metlo.com
    authType: jwt
    headerKey: Authorization
    jwtUserPath: user.username
  - host: ecommerce4.metlo.com
    authType: session_cookie
    cookieName: _session_key
  - host: test-ecommerce.metlo.com
    authType: header
    headerKey: X-API-KEY