baron-sso/backend/internal/logger/audit_logger.go

package logger

import (
	"context"
	"fmt"
	"log/slog"
	"time"

	"github.com/gofiber/fiber/v2"
	"github.com/google/uuid"
)

// AuditLogEntry holds common audit logging fields.
type AuditLogEntry struct {
	RequestID        string
	Stage            string
	Operation        string // e.g., "SendPasswordReset", "Verify"
	Method           string
	Path             string
	Status           int
	LatencyMs        time.Duration
	IP               string
	UserAgent        string
	Origin           string
	Referer          string
	Query            map[string]string
	Headers          map[string]string // Core headers like Host, Cookie, Set-Cookie
	LoginIDs         map[string]string // loginId and loginId_normalized
	Token            string            // For reset tokens, magic link tokens
	DescopeError     string
	DescopeStatus    int    // Descope HTTP status
	DescopeBody      string // Descope response body (full raw)
	RefreshToken     string
	SessionJwt       string
	AccessJwt        string
	UserLoginId      string
	UserID           string
	Email            string
	Phone            string
	SetCookieName    string
	SetCookieValue   string
	SetCookieAttrs   map[string]string
	RedirectTo       string
	HasCookieDSRF    bool
	ParsedCookieDSRF string
	RequestBody      string // For complete stage
	NewPassword      string // For complete stage (test only, sensitive)
	// ... potentially more fields specific to different stages
}

// NewAuditLogEntry creates a new AuditLogEntry with a generated RequestID and initial common fields.
func NewAuditLogEntry(c *fiber.Ctx, stage string) *AuditLogEntry {
	reqID := uuid.New().String()

	// Extract query parameters
	queryParams := make(map[string]string)
	c.Context().QueryArgs().VisitAll(func(key, value []byte) {
		queryParams[string(key)] = string(value)
	})

	// Extract relevant headers
	headers := make(map[string]string)
	headers["Host"] = c.Get("Host")
	headers["User-Agent"] = c.Get("User-Agent")
	if cookie := c.Get("Cookie"); cookie != "" {
		headers["Cookie"] = cookie
	}
	headers["Origin"] = c.Get("Origin")
	headers["Referer"] = c.Get("Referer")

	return &AuditLogEntry{
		RequestID:      reqID,
		Stage:          stage,
		Method:         c.Method(),
		Path:           c.Path(),
		IP:             c.IP(),
		UserAgent:      c.Get("User-Agent"),
		Origin:         c.Get("Origin"),
		Referer:        c.Get("Referer"),
		Query:          queryParams,
		Headers:        headers,
		LoginIDs:       make(map[string]string),
		SetCookieAttrs: make(map[string]string),
	}
}

// Log emits an audit log entry using slog.
// It includes common fields and allows for additional custom fields.
func (ale *AuditLogEntry) Log(level slog.Level, msg string, args ...any) {
	attrs := []slog.Attr{
		slog.String("req_id", ale.RequestID),
		slog.String("stage", ale.Stage),
	}

	if ale.Operation != "" {
		attrs = append(attrs, slog.String("op", ale.Operation))
	}
	if ale.Method != "" {
		attrs = append(attrs, slog.String("method", ale.Method))
	}
	if ale.Path != "" {
		attrs = append(attrs, slog.String("path", ale.Path))
	}
	if ale.Status != 0 {
		attrs = append(attrs, slog.Int("status", ale.Status))
	}
	if ale.LatencyMs != 0 {
		attrs = append(attrs, slog.Duration("latency_ms", ale.LatencyMs))
	}
	if ale.IP != "" {
		attrs = append(attrs, slog.String("ip", ale.IP))
	}
	if ale.UserAgent != "" {
		attrs = append(attrs, slog.String("user_agent", ale.UserAgent))
	}
	if ale.Origin != "" {
		attrs = append(attrs, slog.String("origin", ale.Origin))
	}
	if ale.Referer != "" {
		attrs = append(attrs, slog.String("referer", ale.Referer))
	}
	if len(ale.Query) > 0 {
		queryGroupArgs := make([]any, 0, len(ale.Query))
		for k, v := range ale.Query {
			queryGroupArgs = append(queryGroupArgs, slog.String(k, v))
		}
		attrs = append(attrs, slog.Group("query", queryGroupArgs...))
	}
	if len(ale.Headers) > 0 {
		headersGroupArgs := make([]any, 0, len(ale.Headers))
		for k, v := range ale.Headers {
			headersGroupArgs = append(headersGroupArgs, slog.String(k, v))
		}
		attrs = append(attrs, slog.Group("headers", headersGroupArgs...))
	}
	if len(ale.LoginIDs) > 0 {
		loginIDGroupArgs := make([]any, 0, len(ale.LoginIDs))
		for k, v := range ale.LoginIDs {
			loginIDGroupArgs = append(loginIDGroupArgs, slog.String(k, v))
		}
		attrs = append(attrs, slog.Group("login_ids", loginIDGroupArgs...))
	}
	if ale.Token != "" {
		attrs = append(attrs, slog.String("token", ale.Token))
	}
	if ale.DescopeError != "" {
		attrs = append(attrs, slog.String("descope_error", ale.DescopeError))
	}
	if ale.DescopeStatus != 0 {
		attrs = append(attrs, slog.Int("descope_http_status", ale.DescopeStatus))
	}
	if ale.DescopeBody != "" {
		attrs = append(attrs, slog.String("descope_response_body", ale.DescopeBody))
	}
	if ale.RefreshToken != "" {
		attrs = append(attrs, slog.String("refresh_token", ale.RefreshToken))
	}
	if ale.SessionJwt != "" {
		attrs = append(attrs, slog.String("session_jwt", ale.SessionJwt))
	}
	if ale.AccessJwt != "" {
		attrs = append(attrs, slog.String("access_jwt", ale.AccessJwt))
	}
	if ale.UserLoginId != "" {
		attrs = append(attrs, slog.String("user_login_id", ale.UserLoginId))
	}
	if ale.UserID != "" {
		attrs = append(attrs, slog.String("user_id", ale.UserID))
	}
	if ale.Email != "" {
		attrs = append(attrs, slog.String("email", ale.Email))
	}
	if ale.Phone != "" {
		attrs = append(attrs, slog.String("phone", ale.Phone))
	}
	if ale.SetCookieName != "" {
		attrs = append(attrs, slog.String("set_cookie_name", ale.SetCookieName))
		attrs = append(attrs, slog.String("set_cookie_value", ale.SetCookieValue))
		if len(ale.SetCookieAttrs) > 0 {
			cookieAttrsGroupArgs := make([]any, 0, len(ale.SetCookieAttrs))
			for k, v := range ale.SetCookieAttrs {
				cookieAttrsGroupArgs = append(cookieAttrsGroupArgs, slog.String(k, v))
			}
			attrs = append(attrs, slog.Group("set_cookie_attrs", cookieAttrsGroupArgs...))
		}
	}
	if ale.RedirectTo != "" {
		attrs = append(attrs, slog.String("redirect_to", ale.RedirectTo))
	}
	if ale.HasCookieDSRF {
		attrs = append(attrs, slog.Bool("has_cookie_DSRF", ale.HasCookieDSRF))
	}
	if ale.ParsedCookieDSRF != "" {
		attrs = append(attrs, slog.String("parsed_cookie_DSRF", ale.ParsedCookieDSRF))
	}
	if ale.RequestBody != "" {
		attrs = append(attrs, slog.String("request_body", ale.RequestBody))
	}
	if ale.NewPassword != "" { // FOR TEST ONLY - DO NOT LOG IN PRODUCTION
		attrs = append(attrs, slog.String("new_password", ale.NewPassword))
	}

	// Convert variadic args to slog.Attr before appending
	for i := 0; i < len(args); i += 2 {
		if i+1 < len(args) {
			attrs = append(attrs, slog.Any(fmt.Sprintf("%v", args[i]), args[i+1]))
		} else {
			// Handle odd number of arguments - log the last one with a generic key
			attrs = append(attrs, slog.Any(fmt.Sprintf("extra_arg_%d", i), args[i]))
		}
	}

	slog.Default().LogAttrs(context.Background(), level, msg, attrs...)
}