kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

fix(audit): stop default read logging and dedupe dashboard timeline

Browse Source 
- skip read audit logging unless a path is explicitly allowlisted
- exclude audit-facing endpoints from backend audit collection
- remove duplicate auth timeline fetch logic from dashboard screen
- add regression tests for default GET skip and dashboard timeline dedup

Co-Authored-By: First Fluke <our.first.fluke@gmail.com>
This commit is contained in:
Lectom C Han
2026-04-17 18:04:09 +09:00
parent b72d04f184
commit 114f203ecd
5 changed files with 94 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
backend/internal/middleware/audit_middleware.go
View File

@@ -17,6 +17,7 @@ import (
type AuditConfig struct {
Repo domain.AuditRepository
ExcludePaths map[string]struct{}
ReadPaths map[string]struct{}
BodyDump bool
WorkerCount int
QueueSize int
@@ -30,9 +31,8 @@ func isNil(i any) bool {
return v.Kind() == reflect.Ptr && v.IsNil()
}
// AuditMiddleware provides comprehensive audit logging for all requests.
// It enforces strict logging for state-changing commands (POST, PUT, DELETE, PATCH)
// and best-effort logging for queries (GET, HEAD, OPTIONS).
// AuditMiddleware provides comprehensive audit logging for write requests by default.
// Read requests are skipped unless they are explicitly allowlisted in ReadPaths.
func AuditMiddleware(config AuditConfig) fiber.Handler {
// 0. Initialize Worker Pool for Async Logging
if config.WorkerCount <= 0 {
@@ -77,6 +77,9 @@ func AuditMiddleware(config AuditConfig) fiber.Handler {
if config.ExcludePaths == nil {
config.ExcludePaths = map[string]struct{}{}
}
if config.ReadPaths == nil {
config.ReadPaths = map[string]struct{}{}
}
return func(c *fiber.Ctx) error {
// 1. Check exclusions
@@ -186,6 +189,7 @@ func AuditMiddleware(config AuditConfig) fiber.Handler {
// 9. Store Log (Policy Enforcement)
_, isWrite := writeMethods[c.Method()]
_, allowRead := config.ReadPaths[c.Path()]
if isNil(config.Repo) {
if isWrite {
@@ -200,7 +204,7 @@ func AuditMiddleware(config AuditConfig) fiber.Handler {
slog.Error("Failed to write audit log (sync)", "error", createErr, "req_id", reqID)
return fiber.NewError(fiber.StatusServiceUnavailable, "Audit logging failed")
}
} else {
} else if allowRead {
// Best Effort: Load Shedding via Buffered Channel
select {
case auditQueue <- auditLog: