kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

feat: add env-aware client log policy and const lint fixes

Browse Source
This commit is contained in:
Lectom C Han
2026-02-24 15:38:55 +09:00
parent 4ffe5110dd
commit aeb418fb9f
14 changed files with 701 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
userfront/lib/core/services/auth_proxy_service.dart
View File

@@ -4,6 +4,7 @@ import 'package:flutter_dotenv/flutter_dotenv.dart';
import 'package:userfront/i18n.dart';
import 'http_client.dart';
import 'auth_token_store.dart';
import 'log_policy.dart';
class AuthProxyService {
static String _envOrDefault(String key, String fallback) {
@@ -793,15 +794,29 @@ class AuthProxyService {
if (!_canSendClientLog()) {
return;
}
final appEnv = _envOrDefault('APP_ENV', 'dev');
final productionDebugFlag = _envOrDefault(
'CLIENT_LOG_DEBUG',
_envOrDefault('USERFRONT_DEBUG_LOG', ''),
);
if (!LogPolicy.shouldRelayClientLog(
level: level,
appEnv: appEnv,
productionDebugFlag: productionDebugFlag,
)) {
return;
}
final url = Uri.parse('$_baseUrl/api/v1/client-log');
final sanitizedMessage = LogPolicy.sanitizeMessage(message);
final sanitizedData = data == null ? null : LogPolicy.sanitizeData(data);
try {
await http.post(
url,
headers: {'Content-Type': 'application/json'},
body: jsonEncode({
'level': level,
'message': message,
if (data != null) 'data': data,
'message': sanitizedMessage,
if (sanitizedData != null) 'data': sanitizedData,
}),
);
_recordClientLogSuccess();

123
userfront/lib/core/services/log_policy.dart Normal file
View File

@@ -0,0 +1,123 @@
class LogPolicy {
static const Set<String> _sensitiveKeys = {
'password',
'currentpassword',
'newpassword',
'oldpassword',
'token',
'accesstoken',
'refreshtoken',
'secret',
'clientsecret',
'authorization',
'cookie',
'setcookie',
'verificationcode',
'code',
'loginchallenge',
'loginverifier',
'sessionjwt',
'accessjwt',
'refreshjwt',
};
static bool isProductionEnv(String? appEnv) {
final env = (appEnv ?? '').trim().toLowerCase();
return env == 'prod' || env == 'production';
}
static bool parseBoolFlag(String? raw) {
final value = (raw ?? '').trim().toLowerCase();
return value == '1' ||
value == 'true' ||
value == 'yes' ||
value == 'y' ||
value == 'on';
}
static bool debugEnabled({
required String? appEnv,
required String? productionDebugFlag,
}) {
if (!isProductionEnv(appEnv)) {
return true;
}
return parseBoolFlag(productionDebugFlag);
}
static bool shouldRelayClientLog({
required String level,
required String? appEnv,
required String? productionDebugFlag,
}) {
if (debugEnabled(
appEnv: appEnv,
productionDebugFlag: productionDebugFlag,
)) {
return true;
}
final normalized = level.trim().toUpperCase();
return normalized == 'SEVERE' ||
normalized == 'ERROR' ||
normalized == 'WARNING' ||
normalized == 'WARN';
}
static String sanitizeMessage(String message) {
if (message.trim().isEmpty) {
return message;
}
var sanitized = message.replaceAllMapped(
RegExp(
r'"(password|currentpassword|newpassword|oldpassword|token|accesstoken|refreshtoken|secret|clientsecret|authorization|cookie|setcookie|verificationcode|code|loginchallenge|loginverifier|sessionjwt|accessjwt|refreshjwt)"\s*:\s*"[^"]*"',
caseSensitive: false,
),
(match) {
final key = match.group(1) ?? 'sensitive';
return '"$key":"*****"';
},
);
sanitized = sanitized.replaceAllMapped(
RegExp(
r'\b(password|current_password|currentpassword|new_password|newpassword|old_password|oldpassword|token|access_token|accesstoken|refresh_token|refreshtoken|authorization|cookie|session_jwt|sessionjwt|access_jwt|accessjwt|refresh_jwt|refreshjwt)\b\s*[:=]\s*([^\s,;]+)',
caseSensitive: false,
),
(match) {
final key = match.group(1) ?? 'sensitive';
return '$key=*****';
},
);
return sanitized;
}
static Map<String, dynamic> sanitizeData(Map<String, dynamic> input) {
final output = <String, dynamic>{};
for (final entry in input.entries) {
if (_isSensitiveKey(entry.key)) {
output[entry.key] = '*****';
} else {
output[entry.key] = _sanitizeValue(entry.value);
}
}
return output;
}
static dynamic _sanitizeValue(dynamic value) {
if (value is Map<String, dynamic>) {
return sanitizeData(value);
}
if (value is List) {
return value.map(_sanitizeValue).toList(growable: false);
}
if (value is String) {
return sanitizeMessage(value);
}
return value;
}
static bool _isSensitiveKey(String key) {
var normalized = key.trim().toLowerCase();
normalized = normalized.replaceAll(RegExp(r'[-_.\s]'), '');
return _sensitiveKeys.contains(normalized);
}
}

42
userfront/lib/core/services/logger_service.dart
View File

@@ -1,8 +1,10 @@
import 'dart:convert';
import 'package:flutter/foundation.dart';
import 'package:flutter_dotenv/flutter_dotenv.dart';
import 'package:logging/logging.dart' as std_log;
import 'package:logger/logger.dart' as pretty_log;
import 'auth_proxy_service.dart';
import 'log_policy.dart';
/// Global Logger Service for Baron SSO Frontend
class LoggerService {
@@ -10,8 +12,20 @@ class LoggerService {
factory LoggerService() => _instance;
late final pretty_log.Logger _prettyLogger;
late final String _appEnv;
late final String _productionDebugFlag;
LoggerService._internal() {
_appEnv = _envOrDefault('APP_ENV', 'dev');
_productionDebugFlag = _envOrDefault(
'CLIENT_LOG_DEBUG',
_envOrDefault('USERFRONT_DEBUG_LOG', ''),
);
final debugEnabled = LogPolicy.debugEnabled(
appEnv: _appEnv,
productionDebugFlag: _productionDebugFlag,
);
// 1. Initialize Pretty Logger for Dev
_prettyLogger = pretty_log.Logger(
printer: pretty_log.PrettyPrinter(
@@ -25,9 +39,9 @@ class LoggerService {
);
// 2. Configure Standard Logger (logging package)
std_log.Logger.root.level = kReleaseMode
? std_log.Level.WARNING
: std_log.Level.ALL;
std_log.Logger.root.level = debugEnabled
? std_log.Level.ALL
: std_log.Level.WARNING;
std_log.Logger.root.onRecord.listen((record) {
if (kReleaseMode) {
@@ -40,6 +54,17 @@ class LoggerService {
});
}
static String _envOrDefault(String key, String fallback) {
if (!dotenv.isInitialized) {
return fallback;
}
final value = dotenv.env[key];
if (value == null || value.trim().isEmpty) {
return fallback;
}
return value;
}
/// Initialize the logger. Call this in main.dart
static void init() {
// Accessing the instance triggers the constructor
@@ -64,10 +89,11 @@ class LoggerService {
}
void _logJson(std_log.LogRecord record) {
final sanitizedMessage = LogPolicy.sanitizeMessage(record.message);
final logData = {
'time': record.time.toUtc().toIso8601String(), // Use UTC for consistency
'level': record.level.name,
'msg': record.message,
'msg': sanitizedMessage,
'svc': 'baron-userfront',
if (record.error != null) 'error': record.error.toString(),
if (record.stackTrace != null) 'stack': record.stackTrace.toString(),
@@ -77,10 +103,14 @@ class LoggerService {
debugPrint(jsonEncode(logData));
// 2. Relay to Backend (Docker Terminal)
if (record.level >= std_log.Level.WARNING) {
if (LogPolicy.shouldRelayClientLog(
level: record.level.name,
appEnv: _appEnv,
productionDebugFlag: _productionDebugFlag,
)) {
AuthProxyService.sendLog(
record.level.name,
record.message,
sanitizedMessage,
data: {
'client_time': record.time.toUtc().toIso8601String(),
'logger': record.loggerName,

5
userfront/lib/features/auth/presentation/forgot_password_screen.dart
View File

@@ -98,7 +98,10 @@ class _ForgotPasswordScreenState extends State<ForgotPasswordScreen> {
children: [
Text(
tr('ui.userfront.forgot.heading'),
style: TextStyle(fontSize: 28, fontWeight: FontWeight.bold),
style: const TextStyle(
fontSize: 28,
fontWeight: FontWeight.bold,
),
textAlign: TextAlign.center,
),
if (_drySendEnabled) ...[

5
userfront/lib/features/auth/presentation/login_success_screen.dart
View File

@@ -23,7 +23,10 @@ class LoginSuccessScreen extends StatelessWidget {
const SizedBox(height: 24),
Text(
tr('ui.userfront.login_success.title'),
style: TextStyle(fontSize: 32, fontWeight: FontWeight.bold),
style: const TextStyle(
fontSize: 32,
fontWeight: FontWeight.bold,
),
),
const SizedBox(height: 16),
Text(

2
userfront/lib/features/auth/presentation/reset_password_screen.dart
View File

@@ -178,7 +178,7 @@ class _ResetPasswordScreenState extends State<ResetPasswordScreen> {
children: [
Text(
tr('ui.userfront.reset.subtitle'),
style: TextStyle(
style: const TextStyle(
fontSize: 28,
fontWeight: FontWeight.bold,
),

83
userfront/lib/features/profile/presentation/pages/profile_page.dart
View File

@@ -1,6 +1,7 @@
import 'package:flutter/material.dart';
import 'package:flutter_riverpod/flutter_riverpod.dart';
import 'package:go_router/go_router.dart';
import 'package:logging/logging.dart';
import 'package:userfront/i18n.dart';
import '../../../../core/notifiers/auth_notifier.dart';
import '../../../../core/i18n/locale_utils.dart';
@@ -22,6 +23,7 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
static const _surface = Colors.white;
static const _border = Color(0xFFE5E7EB);
static const _subtle = Color(0xFFF7F8FA);
static final _log = Logger('ProfilePage');
UserProfile? _cachedProfile;
String? _editingField;
@@ -65,6 +67,22 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
_phoneCodeFocus.addListener(_onPhoneCodeFocusChange);
}
void _debugLog(
String event, {
String? field,
String? reason,
bool? changed,
bool? hasFocus,
}) {
final parts = <String>['event=$event'];
if (field != null) parts.add('field=$field');
if (reason != null) parts.add('reason=$reason');
if (changed != null) parts.add('changed=$changed');
if (hasFocus != null) parts.add('hasFocus=$hasFocus');
if (_editingField != null) parts.add('editing=$_editingField');
_log.fine(parts.join(' '));
}
void _onNameFocusChange() {
if (!mounted) return;
if (!_nameFocus.hasFocus && _nameTouched) {
@@ -77,6 +95,11 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
void _onDepartmentFocusChange() {
if (!mounted) return;
_debugLog(
'department_focus_change',
field: 'department',
hasFocus: _departmentFocus.hasFocus,
);
if (!_departmentFocus.hasFocus && _departmentTouched) {
final profile = ref.read(profileProvider).value ?? _cachedProfile;
if (profile != null) _autoSaveIfEditing(profile, 'department');
@@ -180,6 +203,7 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
}
void _startEditing(String field, UserProfile profile) {
_debugLog('start_editing', field: field);
setState(() {
_editingField = field;
if (field == 'name') {
@@ -356,12 +380,25 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
void _autoSaveIfEditing(UserProfile profile, String field) {
if (_editingField != field) return;
if (_skipAutoSaveField == field) {
_debugLog('autosave_skip', field: field, reason: 'skip_flag');
_skipAutoSaveField = null;
return;
}
if (_isVerifying) return;
if (_isSavingField) return;
if (_isVerifying) {
_debugLog('autosave_skip', field: field, reason: 'verifying');
return;
}
if (_isSavingField) {
_debugLog('autosave_skip', field: field, reason: 'saving_in_flight');
return;
}
if (!_hasFieldChanged(profile, field)) {
_debugLog(
'autosave_skip',
field: field,
reason: 'unchanged',
changed: false,
);
setState(() {
if (field == 'phone') {
_resetPhoneState();
@@ -375,6 +412,7 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
});
return;
}
_debugLog('autosave_trigger', field: field, changed: true);
_saveField(profile);
}
@@ -412,25 +450,33 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
Future<void> _saveField(UserProfile profile) async {
if (_editingField == null) return;
if (_isSavingField) return;
if (_isSavingField) {
_debugLog('save_skip', reason: 'saving_in_flight');
return;
}
final currentField = _editingField!;
final nextName = _editingField == 'name'
final nextName = currentField == 'name'
? _nameController!.text.trim()
: profile.name;
final nextPhone = _editingField == 'phone'
final nextPhone = currentField == 'phone'
? _phoneController!.text.trim()
: profile.phone;
final nextDepartment = _editingField == 'department'
final nextDepartment = currentField == 'department'
? _departmentController!.text.trim()
: profile.department;
if (_editingField == 'name' && nextName.isEmpty) {
_debugLog('save_attempt', field: currentField);
if (currentField == 'name' && nextName.isEmpty) {
_debugLog('save_skip', field: currentField, reason: 'empty_name');
ScaffoldMessenger.of(context).showSnackBar(
SnackBar(content: Text(tr('msg.userfront.profile.name_required'))),
);
return;
}
if (_editingField == 'department' && nextDepartment.isEmpty) {
if (currentField == 'department' && nextDepartment.isEmpty) {
_debugLog('save_skip', field: currentField, reason: 'empty_department');
ScaffoldMessenger.of(context).showSnackBar(
SnackBar(
content: Text(tr('msg.userfront.profile.department_required')),
@@ -438,14 +484,20 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
);
return;
}
if (_editingField == 'phone') {
if (currentField == 'phone') {
if (nextPhone.isEmpty) {
_debugLog('save_skip', field: currentField, reason: 'empty_phone');
ScaffoldMessenger.of(context).showSnackBar(
SnackBar(content: Text(tr('msg.userfront.profile.phone_required'))),
);
return;
}
if (_isPhoneChanged && !_isPhoneVerified) {
_debugLog(
'save_skip',
field: currentField,
reason: 'phone_not_verified',
);
ScaffoldMessenger.of(context).showSnackBar(
SnackBar(
content: Text(tr('msg.userfront.profile.phone_verify_required')),
@@ -455,7 +507,13 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
}
}
if (!_hasFieldChanged(profile, _editingField!)) {
if (!_hasFieldChanged(profile, currentField)) {
_debugLog(
'save_skip',
field: currentField,
reason: 'unchanged',
changed: false,
);
setState(() {
if (_editingField == 'phone') {
_resetPhoneState();
@@ -468,6 +526,7 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
}
_isSavingField = true;
_debugLog('save_dispatch', field: currentField, changed: true);
try {
await ref
@@ -479,7 +538,7 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
);
if (mounted) {
setState(() {
if (_editingField == 'phone') {
if (currentField == 'phone') {
_initialPhone = nextPhone;
_resetPhoneState();
}
@@ -487,11 +546,13 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
_nameTouched = false;
_departmentTouched = false;
});
_debugLog('save_success', field: currentField);
ScaffoldMessenger.of(context).showSnackBar(
SnackBar(content: Text(tr('msg.userfront.profile.update_success'))),
);
}
} catch (e) {
_debugLog('save_failed', field: currentField, reason: e.toString());
if (mounted) {
ScaffoldMessenger.of(context).showSnackBar(
SnackBar(

114
userfront/test/log_policy_test.dart Normal file
View File

@@ -0,0 +1,114 @@
import 'package:flutter_test/flutter_test.dart';
import 'package:userfront/core/services/log_policy.dart';
void main() {
group('LogPolicy.debugEnabled', () {
test('non production enables debug by default', () {
expect(
LogPolicy.debugEnabled(appEnv: 'dev', productionDebugFlag: null),
isTrue,
);
expect(
LogPolicy.debugEnabled(appEnv: 'staging', productionDebugFlag: 'false'),
isTrue,
);
});
test('production disables debug unless explicitly enabled', () {
expect(
LogPolicy.debugEnabled(appEnv: 'production', productionDebugFlag: ''),
isFalse,
);
expect(
LogPolicy.debugEnabled(
appEnv: 'production',
productionDebugFlag: 'true',
),
isTrue,
);
expect(
LogPolicy.debugEnabled(appEnv: 'prod', productionDebugFlag: '1'),
isTrue,
);
});
});
group('LogPolicy.shouldRelayClientLog', () {
test('production default forwards only warning or higher', () {
expect(
LogPolicy.shouldRelayClientLog(
level: 'INFO',
appEnv: 'production',
productionDebugFlag: '',
),
isFalse,
);
expect(
LogPolicy.shouldRelayClientLog(
level: 'WARNING',
appEnv: 'production',
productionDebugFlag: '',
),
isTrue,
);
expect(
LogPolicy.shouldRelayClientLog(
level: 'ERROR',
appEnv: 'production',
productionDebugFlag: '',
),
isTrue,
);
});
test('production debug option forwards info logs', () {
expect(
LogPolicy.shouldRelayClientLog(
level: 'INFO',
appEnv: 'production',
productionDebugFlag: 'true',
),
isTrue,
);
});
});
group('LogPolicy.sanitize', () {
test('sanitizes sensitive message patterns', () {
const message =
'token=abc123 payload={"password":"hello","safe":"ok"} authorization:BearerXYZ';
final sanitized = LogPolicy.sanitizeMessage(message);
expect(sanitized, isNot(contains('abc123')));
expect(sanitized, contains('token=*****'));
expect(sanitized, contains('"password":"*****"'));
expect(sanitized, contains('authorization=*****'));
});
test('sanitizes nested sensitive keys', () {
final data = <String, dynamic>{
'token': 'tok',
'ok': 'value',
'nested': {'new_password': 'pw', 'safe': 'x'},
'arr': [
{'authorization': 'Bearer secret'},
'cookie=session=raw',
],
};
final sanitized = LogPolicy.sanitizeData(data);
expect(sanitized['token'], '*****');
expect(sanitized['ok'], 'value');
expect(
(sanitized['nested'] as Map<String, dynamic>)['new_password'],
'*****',
);
expect((sanitized['nested'] as Map<String, dynamic>)['safe'], 'x');
expect(
((sanitized['arr'] as List).first
as Map<String, dynamic>)['authorization'],
'*****',
);
expect((sanitized['arr'] as List)[1], 'cookie=*****');
});
});
}