merge feat/304-userfront-wasm-e2e into dev

2026-02-24 15:40:51 +09:00
parent bc07619452 aeb418fb9f
commit 8a074f16e7
55 changed files with 3425 additions and 431 deletions
--- a/userfront/lib/core/services/auth_proxy_service.dart
+++ b/userfront/lib/core/services/auth_proxy_service.dart
@@ -4,6 +4,7 @@ import 'package:flutter_dotenv/flutter_dotenv.dart';
 import 'package:userfront/i18n.dart';
 import 'http_client.dart';
 import 'auth_token_store.dart';
+import 'log_policy.dart';

 class AuthProxyService {
  static String _envOrDefault(String key, String fallback) {
@@ -793,12 +794,30 @@ class AuthProxyService {
    if (!_canSendClientLog()) {
      return;
    }
+    final appEnv = _envOrDefault('APP_ENV', 'dev');
+    final productionDebugFlag = _envOrDefault(
+      'CLIENT_LOG_DEBUG',
+      _envOrDefault('USERFRONT_DEBUG_LOG', ''),
+    );
+    if (!LogPolicy.shouldRelayClientLog(
+      level: level,
+      appEnv: appEnv,
+      productionDebugFlag: productionDebugFlag,
+    )) {
+      return;
+    }
    final url = Uri.parse('$_baseUrl/api/v1/client-log');
+    final sanitizedMessage = LogPolicy.sanitizeMessage(message);
+    final sanitizedData = data == null ? null : LogPolicy.sanitizeData(data);
    try {
      await http.post(
        url,
        headers: {'Content-Type': 'application/json'},
-        body: jsonEncode({'level': level, 'message': message, 'data': ?data}),
+        body: jsonEncode({
+          'level': level,
+          'message': sanitizedMessage,
+          if (sanitizedData != null) 'data': sanitizedData,
+        }),
      );
      _recordClientLogSuccess();
    } catch (_) {
--- a/userfront/lib/core/services/log_policy.dart
+++ b/userfront/lib/core/services/log_policy.dart
@@ -0,0 +1,123 @@
+class LogPolicy {
+  static const Set<String> _sensitiveKeys = {
+    'password',
+    'currentpassword',
+    'newpassword',
+    'oldpassword',
+    'token',
+    'accesstoken',
+    'refreshtoken',
+    'secret',
+    'clientsecret',
+    'authorization',
+    'cookie',
+    'setcookie',
+    'verificationcode',
+    'code',
+    'loginchallenge',
+    'loginverifier',
+    'sessionjwt',
+    'accessjwt',
+    'refreshjwt',
+  };
+
+  static bool isProductionEnv(String? appEnv) {
+    final env = (appEnv ?? '').trim().toLowerCase();
+    return env == 'prod' || env == 'production';
+  }
+
+  static bool parseBoolFlag(String? raw) {
+    final value = (raw ?? '').trim().toLowerCase();
+    return value == '1' ||
+        value == 'true' ||
+        value == 'yes' ||
+        value == 'y' ||
+        value == 'on';
+  }
+
+  static bool debugEnabled({
+    required String? appEnv,
+    required String? productionDebugFlag,
+  }) {
+    if (!isProductionEnv(appEnv)) {
+      return true;
+    }
+    return parseBoolFlag(productionDebugFlag);
+  }
+
+  static bool shouldRelayClientLog({
+    required String level,
+    required String? appEnv,
+    required String? productionDebugFlag,
+  }) {
+    if (debugEnabled(
+      appEnv: appEnv,
+      productionDebugFlag: productionDebugFlag,
+    )) {
+      return true;
+    }
+    final normalized = level.trim().toUpperCase();
+    return normalized == 'SEVERE' ||
+        normalized == 'ERROR' ||
+        normalized == 'WARNING' ||
+        normalized == 'WARN';
+  }
+
+  static String sanitizeMessage(String message) {
+    if (message.trim().isEmpty) {
+      return message;
+    }
+    var sanitized = message.replaceAllMapped(
+      RegExp(
+        r'"(password|currentpassword|newpassword|oldpassword|token|accesstoken|refreshtoken|secret|clientsecret|authorization|cookie|setcookie|verificationcode|code|loginchallenge|loginverifier|sessionjwt|accessjwt|refreshjwt)"\s*:\s*"[^"]*"',
+        caseSensitive: false,
+      ),
+      (match) {
+        final key = match.group(1) ?? 'sensitive';
+        return '"$key":"*****"';
+      },
+    );
+    sanitized = sanitized.replaceAllMapped(
+      RegExp(
+        r'\b(password|current_password|currentpassword|new_password|newpassword|old_password|oldpassword|token|access_token|accesstoken|refresh_token|refreshtoken|authorization|cookie|session_jwt|sessionjwt|access_jwt|accessjwt|refresh_jwt|refreshjwt)\b\s*[:=]\s*([^\s,;]+)',
+        caseSensitive: false,
+      ),
+      (match) {
+        final key = match.group(1) ?? 'sensitive';
+        return '$key=*****';
+      },
+    );
+    return sanitized;
+  }
+
+  static Map<String, dynamic> sanitizeData(Map<String, dynamic> input) {
+    final output = <String, dynamic>{};
+    for (final entry in input.entries) {
+      if (_isSensitiveKey(entry.key)) {
+        output[entry.key] = '*****';
+      } else {
+        output[entry.key] = _sanitizeValue(entry.value);
+      }
+    }
+    return output;
+  }
+
+  static dynamic _sanitizeValue(dynamic value) {
+    if (value is Map<String, dynamic>) {
+      return sanitizeData(value);
+    }
+    if (value is List) {
+      return value.map(_sanitizeValue).toList(growable: false);
+    }
+    if (value is String) {
+      return sanitizeMessage(value);
+    }
+    return value;
+  }
+
+  static bool _isSensitiveKey(String key) {
+    var normalized = key.trim().toLowerCase();
+    normalized = normalized.replaceAll(RegExp(r'[-_.\s]'), '');
+    return _sensitiveKeys.contains(normalized);
+  }
+}
--- a/userfront/lib/core/services/logger_service.dart
+++ b/userfront/lib/core/services/logger_service.dart
@@ -1,8 +1,10 @@
 import 'dart:convert';
 import 'package:flutter/foundation.dart';
+import 'package:flutter_dotenv/flutter_dotenv.dart';
 import 'package:logging/logging.dart' as std_log;
 import 'package:logger/logger.dart' as pretty_log;
 import 'auth_proxy_service.dart';
+import 'log_policy.dart';

 /// Global Logger Service for Baron SSO Frontend
 class LoggerService {
@@ -10,8 +12,20 @@ class LoggerService {
  factory LoggerService() => _instance;

  late final pretty_log.Logger _prettyLogger;
+  late final String _appEnv;
+  late final String _productionDebugFlag;

  LoggerService._internal() {
+    _appEnv = _envOrDefault('APP_ENV', 'dev');
+    _productionDebugFlag = _envOrDefault(
+      'CLIENT_LOG_DEBUG',
+      _envOrDefault('USERFRONT_DEBUG_LOG', ''),
+    );
+    final debugEnabled = LogPolicy.debugEnabled(
+      appEnv: _appEnv,
+      productionDebugFlag: _productionDebugFlag,
+    );
+
    // 1. Initialize Pretty Logger for Dev
    _prettyLogger = pretty_log.Logger(
      printer: pretty_log.PrettyPrinter(
@@ -25,9 +39,9 @@ class LoggerService {
    );

    // 2. Configure Standard Logger (logging package)
-    std_log.Logger.root.level = kReleaseMode
-        ? std_log.Level.WARNING
-        : std_log.Level.ALL;
+    std_log.Logger.root.level = debugEnabled
+        ? std_log.Level.ALL
+        : std_log.Level.WARNING;

    std_log.Logger.root.onRecord.listen((record) {
      if (kReleaseMode) {
@@ -40,6 +54,17 @@ class LoggerService {
    });
  }

+  static String _envOrDefault(String key, String fallback) {
+    if (!dotenv.isInitialized) {
+      return fallback;
+    }
+    final value = dotenv.env[key];
+    if (value == null || value.trim().isEmpty) {
+      return fallback;
+    }
+    return value;
+  }
+
  /// Initialize the logger. Call this in main.dart
  static void init() {
    // Accessing the instance triggers the constructor
@@ -64,10 +89,11 @@ class LoggerService {
  }

  void _logJson(std_log.LogRecord record) {
+    final sanitizedMessage = LogPolicy.sanitizeMessage(record.message);
    final logData = {
      'time': record.time.toUtc().toIso8601String(), // Use UTC for consistency
      'level': record.level.name,
-      'msg': record.message,
+      'msg': sanitizedMessage,
      'svc': 'baron-userfront',
      if (record.error != null) 'error': record.error.toString(),
      if (record.stackTrace != null) 'stack': record.stackTrace.toString(),
@@ -77,10 +103,14 @@ class LoggerService {
    debugPrint(jsonEncode(logData));

    // 2. Relay to Backend (Docker Terminal)
-    if (record.level >= std_log.Level.WARNING) {
+    if (LogPolicy.shouldRelayClientLog(
+      level: record.level.name,
+      appEnv: _appEnv,
+      productionDebugFlag: _productionDebugFlag,
+    )) {
      AuthProxyService.sendLog(
        record.level.name,
-        record.message,
+        sanitizedMessage,
        data: {
          'client_time': record.time.toUtc().toIso8601String(),
          'logger': record.loggerName,