Skip to content

feat: log all audit events separately to prevent missing events #2086

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 30, 2025
Merged

feat: log all audit events separately to prevent missing events #2086

merged 1 commit into from
Jul 30, 2025

Conversation

cemalkilic
Copy link
Contributor

@cemalkilic cemalkilic commented Jul 23, 2025
edited
Loading

Problem

The observability.LogEntrySetFields() adds to request context, causing multiple audit events in the same request to overwrite each other. For example, refresh token requests call NewAuditLogEntry() twice (token_refreshed, then
token_revoked) but only the last event (token_revoked) was logged.

Solution

Create immediate separate log entries with "auth_audit_event" key. This ensures all audit events are captured without overwriting.

Example log output:

{"auth_audit_event":{"action":"token_refreshed","actor_id":"2670aa55-6f6f-465b-a749-2e75f61e1e8a","actor_username":"","actor_via_sso":false,"audit_log_id":"3e07849b-1784-451b-af99-1fbd455681e7","created_at":"2025-07-23T13:34:29.88400603Z","ip_address":"","log_type":"token","request_id":"3bd2f2fd-8b2a-434f-93da-656c9083762b","user_agent":"insomnia/11.1.0"},"level":"info","msg":"audit_event","time":"2025-07-23T13:34:29Z"}
{"auth_audit_event":{"action":"token_revoked","actor_id":"2670aa55-6f6f-465b-a749-2e75f61e1e8a","actor_username":"","actor_via_sso":false,"audit_log_id":"9dd3621b-9fd2-4e1d-a3a6-2236a16653c8","created_at":"2025-07-23T13:34:29.886232214Z","ip_address":"","log_type":"token","request_id":"3bd2f2fd-8b2a-434f-93da-656c9083762b","user_agent":"insomnia/11.1.0"},"level":"info","msg":"audit_event","time":"2025-07-23T13:34:29Z"}
{"action":"login","instance_id":"00000000-0000-0000-0000-000000000000","level":"info","login_method":"token","metering":true,"msg":"Login","time":"2025-07-23T13:34:29Z","user_id":"2670aa55-6f6f-465b-a749-2e75f61e1e8a"}
{"auth_event":{"action":"token_revoked","actor_id":"2670aa55-6f6f-465b-a749-2e75f61e1e8a","actor_username":"","actor_via_sso":false,"log_type":"token"},"component":"api","duration":21772353,"grant_type":"refresh_token","level":"info","method":"POST","msg":"request completed","path":"/token","referer":"http://localhost:3000","remote_addr":"192.168.117.1","request_id":"3bd2f2fd-8b2a-434f-93da-656c9083762b","status":200,"time":"2025-07-23T13:34:29Z"}

The first two are the new audit events(added with this PR), the third is the login metric and the last one was the request logging (containing the only last audit event). Eventually, we're going to remove the audit event from the request log (the last one)

@cemalkilic cemalkilic requested a review from a team as a code owner July 23, 2025 13:50
@coveralls
Copy link

Pull Request Test Coverage Report for Build 16472575471

Details

  • 31 of 31 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.06%) to 70.237%
Totals Coverage Status
Change from base Build 16421253762: 0.06%
Covered Lines: 11599
Relevant Lines: 16514
💛 - Coveralls

cstockton
cstockton approved these changes Jul 23, 2025
View reviewed changes
Copy link
Contributor

@cstockton cstockton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@cemalkilic cemalkilic merged commit 3b666f5 into master Jul 30, 2025
8 checks passed
@cemalkilic cemalkilic deleted the cemal/audit-log-stdout branch July 30, 2025 08:55
@github-actions github-actions bot mentioned this pull request Jul 24, 2025
Merged
cemalkilic pushed a commit that referenced this pull request Aug 6, 2025
@github-actions
chore(master): release 2.178.0 (#2083)
dbaccd4 
🤖 I have created a release *beep* *boop*
---


##
[2.178.0](v2.177.0...v2.178.0)
(2025-08-05)


### Features

* add sign in with ethereum
([#2069](#2069))
([079b242](079b242))
* add support for managing SSO providers by resource_id
([#2081](#2081))
([5ca4489](5ca4489))
* log all audit events separately to prevent missing events
([#2086](#2086))
([3b666f5](3b666f5))
* skip nonce check for Facebook Limited Login auth
([#2082](#2082))
([f1b15ff](f1b15ff))
* support ledger solana offchain message signing
([#2093](#2093))
([4c94443](4c94443))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
cemalkilic added a commit that referenced this pull request Aug 7, 2025
@cemalkilic
feat: log all audit events separately to prevent missing events (#2086)
070f06a 
## Problem
The `observability.LogEntrySetFields()` adds to request context, causing
multiple audit events in the same request to overwrite each other. For
example, refresh token requests call `NewAuditLogEntry()` twice
(`token_refreshed`, then
`token_revoked`) but only the last event (`token_revoked`) was logged.

## Solution
Create immediate separate log entries with "auth_audit_event" key. This
ensures all audit events are captured without overwriting.

## Example log output:

```sh
{"auth_audit_event":{"action":"token_refreshed","actor_id":"2670aa55-6f6f-465b-a749-2e75f61e1e8a","actor_username":"","actor_via_sso":false,"audit_log_id":"3e07849b-1784-451b-af99-1fbd455681e7","created_at":"2025-07-23T13:34:29.88400603Z","ip_address":"","log_type":"token","request_id":"3bd2f2fd-8b2a-434f-93da-656c9083762b","user_agent":"insomnia/11.1.0"},"level":"info","msg":"audit_event","time":"2025-07-23T13:34:29Z"}
{"auth_audit_event":{"action":"token_revoked","actor_id":"2670aa55-6f6f-465b-a749-2e75f61e1e8a","actor_username":"","actor_via_sso":false,"audit_log_id":"9dd3621b-9fd2-4e1d-a3a6-2236a16653c8","created_at":"2025-07-23T13:34:29.886232214Z","ip_address":"","log_type":"token","request_id":"3bd2f2fd-8b2a-434f-93da-656c9083762b","user_agent":"insomnia/11.1.0"},"level":"info","msg":"audit_event","time":"2025-07-23T13:34:29Z"}
{"action":"login","instance_id":"00000000-0000-0000-0000-000000000000","level":"info","login_method":"token","metering":true,"msg":"Login","time":"2025-07-23T13:34:29Z","user_id":"2670aa55-6f6f-465b-a749-2e75f61e1e8a"}
{"auth_event":{"action":"token_revoked","actor_id":"2670aa55-6f6f-465b-a749-2e75f61e1e8a","actor_username":"","actor_via_sso":false,"log_type":"token"},"component":"api","duration":21772353,"grant_type":"refresh_token","level":"info","method":"POST","msg":"request completed","path":"/token","referer":"http://localhost:3000","remote_addr":"192.168.117.1","request_id":"3bd2f2fd-8b2a-434f-93da-656c9083762b","status":200,"time":"2025-07-23T13:34:29Z"}
```

The first two are the _new_ audit events(added with this PR), the third
is the login metric and the last one was the request logging (containing
the only last audit event). Eventually, we're going to remove the audit
event from the request log (the last one)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cstockton cstockton cstockton approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cemalkilic @coveralls @cstockton