This commit is contained in:
parent
ac13a39e7c
commit
b5fc03e94f
2 changed files with 168 additions and 14 deletions
|
|
@ -45,9 +45,7 @@ defmodule MvWeb.AuthController do
|
|||
- Generic authentication failures
|
||||
"""
|
||||
def failure(conn, activity, reason) do
|
||||
Logger.warning(
|
||||
"Authentication failure - Activity: #{inspect(activity)}, Reason: #{inspect(reason)}"
|
||||
)
|
||||
log_failure_safely(activity, reason)
|
||||
|
||||
case {activity, reason} do
|
||||
{{:rauthy, _action}, reason} ->
|
||||
|
|
@ -63,6 +61,63 @@ defmodule MvWeb.AuthController do
|
|||
end
|
||||
end
|
||||
|
||||
# Log authentication failures safely, avoiding sensitive data for {:rauthy, _} activities
|
||||
defp log_failure_safely({:rauthy, _action} = activity, reason) do
|
||||
# For Assent errors, use safe_assent_meta to avoid logging tokens/URLs with query params
|
||||
case reason do
|
||||
%Assent.ServerUnreachableError{} = err ->
|
||||
meta = safe_assent_meta(err)
|
||||
message = format_safe_log_message("Authentication failure", activity, meta)
|
||||
Logger.warning(message)
|
||||
|
||||
%Assent.InvalidResponseError{} = err ->
|
||||
meta = safe_assent_meta(err)
|
||||
message = format_safe_log_message("Authentication failure", activity, meta)
|
||||
Logger.warning(message)
|
||||
|
||||
_ ->
|
||||
# For other rauthy errors, log only error type, not full details
|
||||
error_type = get_error_type(reason)
|
||||
|
||||
Logger.warning(
|
||||
"Authentication failure - Activity: #{inspect(activity)}, Error type: #{error_type}"
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
defp log_failure_safely(activity, reason) do
|
||||
# For non-rauthy activities, safe to log full reason
|
||||
Logger.warning(
|
||||
"Authentication failure - Activity: #{inspect(activity)}, Reason: #{inspect(reason)}"
|
||||
)
|
||||
end
|
||||
|
||||
# Extract safe error type identifier without sensitive data
|
||||
defp get_error_type(%struct{}), do: "#{struct}"
|
||||
defp get_error_type(atom) when is_atom(atom), do: inspect(atom)
|
||||
defp get_error_type(_other), do: "[redacted]"
|
||||
|
||||
# Format safe log message with metadata included in the message string
|
||||
defp format_safe_log_message(base_message, activity, meta) when is_list(meta) do
|
||||
activity_str = "Activity: #{inspect(activity)}"
|
||||
meta_str = format_meta_string(meta)
|
||||
"#{base_message} - #{activity_str}#{meta_str}"
|
||||
end
|
||||
|
||||
defp format_meta_string([]), do: ""
|
||||
defp format_meta_string(meta) when is_list(meta) do
|
||||
parts =
|
||||
Enum.map(meta, fn
|
||||
{:request_url, url} -> "Request URL: #{url}"
|
||||
{:status, status} -> "Status: #{status}"
|
||||
{:http_adapter, adapter} -> "HTTP Adapter: #{inspect(adapter)}"
|
||||
_ -> nil
|
||||
end)
|
||||
|> Enum.filter(&(&1 != nil))
|
||||
|
||||
if Enum.empty?(parts), do: "", else: " - " <> Enum.join(parts, ", ")
|
||||
end
|
||||
|
||||
# Handle all Rauthy (OIDC) authentication failures
|
||||
defp handle_rauthy_failure(conn, %Ash.Error.Invalid{errors: errors}) do
|
||||
handle_oidc_email_collision(conn, errors)
|
||||
|
|
@ -83,9 +138,9 @@ defmodule MvWeb.AuthController do
|
|||
end
|
||||
|
||||
# Handle Assent server unreachable errors (network/connectivity issues)
|
||||
defp handle_rauthy_failure(conn, %Assent.ServerUnreachableError{} = err) do
|
||||
# Use warning level: server unreachable is often transient, not a critical system error
|
||||
Logger.warning("OIDC authentication server unreachable", safe_assent_meta(err))
|
||||
defp handle_rauthy_failure(conn, %Assent.ServerUnreachableError{} = _err) do
|
||||
# Logging already done safely in failure/3 via log_failure_safely/2
|
||||
# No need to log again here to avoid duplicate logs
|
||||
|
||||
conn
|
||||
|> put_flash(
|
||||
|
|
@ -96,9 +151,9 @@ defmodule MvWeb.AuthController do
|
|||
end
|
||||
|
||||
# Handle Assent invalid response errors (configuration or malformed responses)
|
||||
defp handle_rauthy_failure(conn, %Assent.InvalidResponseError{} = err) do
|
||||
# Use warning level: configuration errors are operational issues, not critical failures
|
||||
Logger.warning("OIDC authentication invalid response", safe_assent_meta(err))
|
||||
defp handle_rauthy_failure(conn, %Assent.InvalidResponseError{} = _err) do
|
||||
# Logging already done safely in failure/3 via log_failure_safely/2
|
||||
# No need to log again here to avoid duplicate logs
|
||||
|
||||
conn
|
||||
|> put_flash(
|
||||
|
|
@ -109,8 +164,9 @@ defmodule MvWeb.AuthController do
|
|||
end
|
||||
|
||||
# Catch-all clause for any other error types
|
||||
defp handle_rauthy_failure(conn, reason) do
|
||||
Logger.warning("Unhandled Rauthy failure reason: #{inspect(reason)}")
|
||||
defp handle_rauthy_failure(conn, _reason) do
|
||||
# Logging already done safely in failure/3 via log_failure_safely/2
|
||||
# No need to log again here to avoid duplicate logs
|
||||
|
||||
conn
|
||||
|> put_flash(:error, gettext("Unable to authenticate with OIDC. Please try again."))
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue