andrewmusselman opened a new issue, #549:
URL: https://github.com/apache/tooling-trusted-releases/issues/549
## Summary
API access is not logged, preventing forensic analysis and security
monitoring.
## ASVS Requirements
- 7.4.1 - Log authentication decisions
- 13.4.1 - API security controls
## Related Audit Reports
- [Basic Access #404](ASVS/basic-access-404.md) - Issue 13.4.1-3
- [Credential Integrity #406](ASVS/credential-integrity-406.md) - Issue 5
## Documented Acknowledgment
From `notes/api-security.md:34`:
> "We do not presently have logging or auditing of the logging for the API."
## Recommended Fix
```python
import quart
import structlog

logger = structlog.get_logger()


@_BLUEPRINT.before_request
async def log_api_request():
    # Claims were populated by the JWT verification step; log only the
    # subject, never the raw token.
    claims = getattr(quart.g, "jwt_claims", {})
    user_id = claims.get("sub", "anonymous")
    logger.info(
        "api_request",
        method=quart.request.method,
        path=quart.request.path,
        user_id=user_id,
        remote_addr=quart.request.remote_addr,
    )
```
## Acceptance Criteria
- [ ] All API requests logged
- [ ] User ID extracted from JWT (not token itself)
- [ ] IP address logged
- [ ] Response status logged
- [ ] Sensitive data NOT logged
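The acceptance criteria above also call for the response status and for sensitive data to stay out of the log. The following is an added example (not code from the issue or the tooling-trusted-releases project) of a framework-independent event builder that a `before_request`/`after_request` pair could call; it uses only the standard library instead of structlog, and the sensitive-parameter and allowed-header sets are constructed assumptions.

```python
import json
import logging
from urllib.parse import parse_qsl, urlencode

logger = logging.getLogger("api_audit")

# Assumptions (constructed for this example): which query parameters are
# secrets, and which request headers are safe enough to appear in the log.
SENSITIVE_PARAMS = frozenset({"token", "access_token", "password", "secret"})
ALLOWED_HEADERS = frozenset({"user-agent", "x-request-id"})
REDACTED = "[REDACTED]"


def redact_query(query_string: str) -> str:
    """Keep parameter names but replace the values of sensitive parameters."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return urlencode([(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs])


def safe_headers(headers: dict) -> dict:
    """Allowlist headers: Authorization, Cookie etc. are dropped by construction."""
    return {k: v for k, v in headers.items() if k.lower() in ALLOWED_HEADERS}


def build_api_event(method, path, query_string, remote_addr, headers, claims, status):
    """Structured audit record for one request/response pair.

    `claims` is the verified JWT payload that the request hook stored on the
    request context; only its subject is copied, never the token itself.
    """
    user_id = (claims or {}).get("sub", "anonymous")
    return {
        "event": "api_request",
        "method": method,
        "path": path,
        "query": redact_query(query_string),
        "user_id": user_id,
        "remote_addr": remote_addr,
        "headers": safe_headers(headers),
        "status": status,
    }


def emit_api_event(event: dict) -> str:
    """Serialise the event as one JSON line for the audit log and return it."""
    line = json.dumps(event, sort_keys=True)
    logger.info(line)
    return line
```

Wire `build_api_event` into an `after_request` hook (where the status code is known) and the same record covers every criterion in the list.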
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]