
Add more log fields in 401 Unauthorized requests

Stan Hu requested to merge sh-log-token-failure-data into master

What does this MR do and why?

When a user fails to authenticate with a personal access token, previously the log message only showed a 401 status with no details. This commit adds the meta.auth_fail_reason and meta.auth_fail_token_id log fields via the ApplicationContext.

Sample entry:

  "meta.auth_fail_reason": "token_expired",
  "meta.auth_fail_token_id": "PersonalAccessToken/12",

Relates to #464652 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Check out this branch.
  2. Go to /-/user_settings/personal_access_tokens and create a new token with read_api.
  3. In the Rails console (bin/rails c), change the expiration date to yesterday:
     token = PersonalAccessToken.last
     token.update!(expires_at: Date.yesterday)
  4. Attempt to use this token in the API: curl -H "PRIVATE-TOKEN: <pat>" https://gdk.example.com/api/v4/user
  5. Check log/api_json.log. You should see the meta.auth_fail_reason and meta.auth_fail_token_id fields:
     "meta.caller_id": "GET /api/:version/user",
     "meta.remote_ip": "127.0.0.1",
     "meta.feature_category": "user_profile",
     "meta.client_id": "ip/127.0.0.1",
     "meta.auth_fail_reason": "token_expired",
     "meta.auth_fail_token_id": "PersonalAccessToken/12",
     "request_urgency": "low",
     "target_duration_s": 5
Edited by Stan Hu
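The two new fields make 401s actionable on the consumer side. As an added example (not part of this MR or of GitLab's code), here is a small Ruby script that reads lines shaped like log/api_json.log, counts failures per meta.auth_fail_reason, and lists token ids that keep being presented from more than one source address after expiry or revocation. The log lines, token ids and IPs are constructed for the example.

```ruby
require 'json'

# Constructed sample lines in the shape of log/api_json.log (one JSON object per line).
# Only the fields relevant here are included; token ids and IPs are made up.
SAMPLE_LOG = <<~LOG
  {"status":200,"meta.caller_id":"GET /api/:version/user","meta.remote_ip":"127.0.0.1","meta.client_id":"ip/127.0.0.1"}
  {"status":401,"meta.caller_id":"GET /api/:version/user","meta.remote_ip":"127.0.0.1","meta.auth_fail_reason":"token_expired","meta.auth_fail_token_id":"PersonalAccessToken/12"}
  {"status":401,"meta.caller_id":"GET /api/:version/projects","meta.remote_ip":"10.0.0.5","meta.auth_fail_reason":"token_expired","meta.auth_fail_token_id":"PersonalAccessToken/12"}
  {"status":401,"meta.caller_id":"GET /api/:version/user","meta.remote_ip":"10.0.0.9","meta.auth_fail_reason":"token_revoked","meta.auth_fail_token_id":"PersonalAccessToken/31"}
  {"status":401,"meta.caller_id":"GET /api/:version/user","meta.remote_ip":"10.0.0.9"}
LOG

# Parse each line; skip lines that are not valid JSON (partial writes, rotation artefacts).
def parse_api_log(text)
  text.each_line.filter_map do |line|
    JSON.parse(line)
  rescue JSON::ParserError
    nil
  end
end

# Summarise 401s: count per reason, and per token id the distinct source IPs.
# A 401 without meta.auth_fail_reason is bucketed as "unknown" (e.g. no token presented).
def summarize_auth_failures(entries)
  by_reason = Hash.new(0)
  by_token  = Hash.new { |h, k| h[k] = [] }
  entries.each do |e|
    next unless e['status'] == 401

    by_reason[e['meta.auth_fail_reason'] || 'unknown'] += 1
    token = e['meta.auth_fail_token_id']
    by_token[token] |= [e['meta.remote_ip']] if token
  end
  { by_reason: by_reason, by_token: by_token }
end

# A dead token still being tried from several addresses is worth a look:
# either a leaked credential or a fleet of clients that needs rotating.
def suspicious_tokens(summary, min_ips: 2)
  summary[:by_token].select { |_, ips| ips.size >= min_ips }.keys
end

if __FILE__ == $PROGRAM_NAME
  summary = summarize_auth_failures(parse_api_log(SAMPLE_LOG))
  puts summary[:by_reason].inspect
  puts "tokens failing from multiple IPs: #{suspicious_tokens(summary).inspect}"
end
```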
