[1808] User Router Logging Fix

[megatnt1122]

Ticket

#1808

Description

Fixes for user_router's logging

Tasks

• - A description of the PR has been provided, and a diagram included if it is a new feature.
• - Formatter has been run
• - CHANGELOG comment has been added
• - Labels have been assigned to the pr
• - A reviwer has been added
• - A user has been assigned to work on the pr
• - If new feature a unit test has been added

Summary by Sourcery

Improve user router request logging for authentication, key, token, and identity management endpoints.

Enhancements:

• Remove meaningless extra: "undefined" fields from multiple user router log entries.
• Enrich log descriptions for search, delete, and identity-related endpoints with contextual identifiers and query data.
• Add structured extra logging for user delete and ident list endpoints, including subject and number of linked IDs, and simplify ident removal logging.

[sourcery-ai]

Reviewer's Guide

Adjusts user_router request logging to remove meaningless 'extra: "undefined"' payloads and enrich several routes with more informative context, particularly for user lookup, deletion, key management, token access, and identity listing/removal.

Sequence diagram for updated /ident/list logging with enriched extra data

sequenceDiagram
    actor User
    participant UserRouter
    participant g_lib
    participant g_db
    participant logger

    User->>UserRouter: GET /ident/list?client=...
    UserRouter->>g_lib: getUserFromClientID(client)
    g_lib-->>UserRouter: client
    UserRouter->>g_db: query ident edges for client
    g_db-->>UserRouter: extra_log (list of ident keys)
    UserRouter->>logger: logRequestSuccess(client, correlationId, GET, /ident/list, Success, description, extra = { NumOfIds: extra_log })
    logger-->>UserRouter: ack
    UserRouter-->>User: 200 OK with ident list

    rect rgb(240,240,240)
        User->>UserRouter: GET /ident/list (error case)
        UserRouter->>g_lib: getUserFromClientID(client)
        g_lib-->>UserRouter: client or error
        UserRouter->>g_db: query ident edges for client (may fail)
        g_db-->>UserRouter: extra_log or error
        UserRouter->>logger: logRequestFailure(client, correlationId, GET, /ident/list, Failure, description, extra = { NumOfIds: extra_log }, error)
        logger-->>UserRouter: ack
        UserRouter-->>User: Error response
    end

Loading

File-Level Changes

Change	Details	Files
Clean up logging payloads by removing hard-coded "extra: 'undefined'" fields from user authentication, key, and token routes.	Removed extra fields set to the literal string 'undefined' from password and token authentication success/failure logs. Removed extra fields set to the literal string 'undefined' from key set/clear/get success/failure logs. Removed extra fields set to the literal string 'undefined' from token set/get failure logs and access token success/failure logs.	core/database/foxx/api/user_router.js
Enrich logging details for user search and deletion endpoints.	Updated find-by-name/uid success and failure logs to include the requested name_uid value in the description string. Updated user delete success and failure logs to include the user_id in the description and log the subject query parameter in the extra payload instead of just the raw user_id.	core/database/foxx/api/user_router.js
Enhance ident-related logging to capture additional context instead of raw identifiers.	Ident list success and failure logs now include an extra payload with the number/list of linked identity keys derived via a DB query. Ident remove success and failure logs move the ident value into the human-readable description and no longer log it as a bare extra field.	core/database/foxx/api/user_router.js

Possibly linked issues

• #(not specified): PR adjusts user_router log descriptions and extra fields, reducing undefined data and tightening logged information as issue requests.
• #: The PR modifies Foxx user_router logging to control logged fields, directly addressing sensitive logging concerns from the issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• In the /ident/list handler, extra_log is set to the raw query result and then logged as NumOfIds; consider converting this to a count or an array of keys so the logged structure is explicit and doesn’t depend on the database cursor implementation.
• The additional context added to log descriptions (e.g. name_uid, user_id, ident) may include user identifiers; verify that logging these values aligns with your PII/sensitive-data logging policies, or mask/shorten them if necessary.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In the `/ident/list` handler, `extra_log` is set to the raw query result and then logged as `NumOfIds`; consider converting this to a count or an array of keys so the logged structure is explicit and doesn’t depend on the database cursor implementation.
- The additional context added to log descriptions (e.g. `name_uid`, `user_id`, `ident`) may include user identifiers; verify that logging these values aligns with your PII/sensitive-data logging policies, or mask/shorten them if necessary.

## Individual Comments

### Comment 1
<location> `core/database/foxx/api/user_router.js:1544-1545` </location>
<code_context>
-                description: "Remove existing user entry",
-                extra: user_id,
+                description: `Remove existing user entry: ${user_id}`,
+                extra: {
+                    subject: req.query?.subject ?? null,
+                },
             });
</code_context>

<issue_to_address>
**issue (bug_risk):** `req.query?.subject` is inconsistent with `req.queryParams` usage and may always be `undefined`.

Elsewhere in this file query params are accessed via `req.queryParams`, so `req.query?.subject` will likely always be `undefined` and `subject` will never be logged. To correctly capture the query parameter and stay consistent, use `req.queryParams.subject ?? null` instead.
</issue_to_address>

### Comment 2
<location> `core/database/foxx/api/user_router.js:1611-1608` </location>
<code_context>
                         client: client._id,
                     }),
                 );
+                extra_log = g_db._query("for v in 1..1 outbound @client ident return v._key", {
+                    client: client._id,
+                });
                 logger.logRequestSuccess({
</code_context>

<issue_to_address>
**issue (bug_risk):** `extra_log` stores a cursor but is logged as `NumOfIds`, which is misleading and likely not what was intended.

Since `g_db._query` returns a cursor, this will log the cursor object rather than a count. If you want to record how many linked IDs there are, derive a numeric value first (e.g., `const numOfIds = extra_log.count()` or by materializing the results and using `.length`) and log that instead.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[JoshuaSBrown]

So this also needs to be fixed in the user_router.

There may be quite a lot of endpoints

You need to edit this too, maybe return the most recent one and also the number of endpoints found

const first = client?.eps.length ? client?.eps[0] : undefined;

Extra: { most_recent: first, count: client?.eps?.length }

[JoshuaSBrown]

Can you add the subject (not client) in the description in the user token set commands.

Subject should revert to client if subject is not defined.

let sub = req.queryParams.subject ? req.queryParams.subject : req.queryParams.client._id;

This should actually be true for every route that has a subject.

[JoshuaSBrown]

Password success auth is printing undefined, making us think the logs are not set up correct.

[t-ramz]

So a couple thoughts/questions:

1. What does this fix, exactly? Just to fill me in, I'm behind. From what I'm seeing the order is being fixed so that the logger at least gets a message regardless of any kind of success.
2. Are there any places where the string interpolation can bite us? I see we're trusting params, which could be fine depending on use. I just don't want this to go overlooked. e.g.

let sub = req.queryParams.subject ? req.queryParams.subject : req.queryParams.client;
...
description: `Set user public and private keys. Subject: ${sub}`,

[t-ramz]

Looks good!

Changes were for consistent naming on clients and to avoid confusion in "undefined" vs "not applicable"