Is there a way to avoid escaping the recipient email in the exception's messages?

[aemitos]

This is a question not an error report.
We want to de-identify information about the recipient on logged errors.
We are using celery with retries. After 10 retries (configured) it raises AnymailRequestsAPIError and in the log message it escapes the recipient email address.
Is there a way to avoid having the email added to the log message?

Thanks in advance!!
Awesome package!!

Andre

[medmunds]

What version of Anymail are you using? Anymail v8.5 (released a few months ago) stopped including the sender and recipient email addresses in every Anymail error message.

But even in v8.5, Anymail error messages still include any error response from the ESP. Depending on the ESP and the particular error, this can sometimes contain the recipient email address. If that's a problem, you could probably redact things that look like email addresses in your celery task. Something like (untested):

    try:
        message.send()
    except AnymailError as error:
        # Raise a redacted version of error, replacing any `*@*` in its text
        redacted = re.sub(r"\S+@\S+", "[EMAIL REDACTED]", str(error))
        raise error.__class__(redacted).with_traceback(error.__traceback__) from None

Another option is to redact error messages where they enter your log files—globally—rather than at each point where errors might be generated. Packages like Sentry's Raven data collector use that sort of approach. For example, you could implement a custom logging filter to apply the redaction above to every LogRecord.msg: see Django's logging docs and Python's logging.Filter docs.

[aemitos]

Thank you so much for replying.
We are using the version 7.1.0.
The issue happens after the celery task retries and don't succeed. I should have added that. Sorry!
Our code is similar to this (adapted over your snippet):

   try:
        message.send()
    except AnymailError as error:
        # Raise a redacted version of error, replacing any `*@*` in its text
        if error.response.status_code in [400, ~4XX]:
            # It's not going to progress so no retry
            redacted = re.sub(r"\S+@\S+", "[EMAIL REDACTED]", str(error))
            raise error.__class__(redacted).with_traceback(error.__traceback__) from None
        else:
            raise self.retry(max_retries=MAX_RETRIES)

Celery offers an option to not raise any specific exception on retries by omitting the argument exc in the self.retry() call. That raises the MaxRetriesExceededError after the retries, which also escapes the email address since it's an argument for the task.
We actually defined an exception (like above it would have raise self.retry(exc=error, max_retries=MAX_RETRIES) or even raise self.retry(exc=Exception('Error'), max_retries=MAX_RETRIES).
The exception raised after the retries (it was a Mailgun outage) was the AnymailRequestsAPIError that escapes the recipient address for the request to send the email.
The logging.Filter is great recommendation. Thank you.
The thing above with the retries, is that after the last call for the retry we don't get back to the try that wraps the send request, and we lose the option to catch the exception and change it.
Again, thank you so much for replying and for the suggestions.

[medmunds]

after the last call for the retry we don't get back to the try that wraps the send
request, and we lose the option to catch the exception and change it.

You should be able to unconditionally redact the error, and then just pass the redacted version to self.retry(exc=redacted_error...):

    try:
        message.send()
    except AnymailError as error:
        # Construct a redacted version of error, replacing any `*@*` in its text
        redacted_error = error.__class__(
            re.sub(r"\S+@\S+", "[EMAIL REDACTED]", str(error))
        ).with_traceback(error.__traceback__)

        if error.response.status_code in [400, ~4XX]:
            # It's not going to progress so no retry
            raise redacted_error from None
        else:
            raise self.retry(exc=redacted_error, max_retries=MAX_RETRIES) from None

(raise ... from None avoids Python also describing the original, non-redacted error, and may or may not be necessary depending on what your logfiles collect. with_traceback preserves stack trace of the original error, which may be helpful for debugging. Both of these are Python 3 syntax, but I think there are ways to achieve something similar in Python 2.7, if that's why you're using an older Anymail version.)

I'm starting to think maybe AnymailError.__str__ should do that redaction by default (in non-DEBUG mode). It wouldn't guarantee PII doesn't leak into logs—because the errors might include email subjects or recipient display names that contain PII (and I wouldn't know how to filter those). But if you assume anything containing "@" is probably an email address, keeping that out of production error messages is probably a safer default for most Anymail users.

[aemitos]

Thank you so much for the discussion and suggestions @medmunds
It was pleasant and helpful!!
Congratulations for the django-anymail package. We love it. It has my star!!

Kind regards,

Andre Toscano