
[Fraud Protection] Add decision record audit log #5555

Merged
carmenlau merged 11 commits into authgear:feat-fraud-protection from tung2744:dev-3410
Mar 17, 2026

Conversation


@tung2744 tung2744 commented Mar 5, 2026

@tung2744 tung2744 requested a review from carmenlau March 5, 2026 09:01
@tung2744 tung2744 force-pushed the dev-3410 branch 3 times, most recently from e0f0e5b to fb4fe47 on March 12, 2026 09:31
"v2.component.verify-bot-protection.default.title": "Checking your system...",
"v2.error.account-conflict": "{ IdentityTypeIncoming, select, login_id {{FlowType, select, login {Looks like you used {OAuthProviderNameExisting} for login before.} other {This {LoginIDNameIncoming} is already registered.}}} oauth {The email of this {OAuthProviderNameIncoming} account is already registered with another method.} other {This account is already registered} }",
"v2.error.account-not-found": "{ IdentityTypeIncoming, select, login_id {{ LoginIDTypeIncoming, select, email {This email} phone {This phone number} username {This username} other {This identity} }} oauth {This email} other {This identity} } cannot be found. Do you want to create an account?",
"v2.error.blocked-by-fraud-protection": "Your request has been blocked. Please try again later.",
Comment (Contributor Author):

Use a better message

tung2744 and others added 11 commits March 16, 2026 19:30
- Remove block_mode from FraudProtectionDecisionRecord; it was specced
  but there is no corresponding config field and it adds no value over
  the decision field itself.
- Use time.Time for Timestamp instead of a pre-formatted string.
- Use typed consts (FraudProtectionDecision, FraudProtectionAction)
  instead of plain strings for the Decision and Action fields.
- Define FraudProtectionDecisionRecord in pkg/api/model so it can be
  reused outside the event package.
- Update docs/specs/fraud-protection.md and
  docs/plans/fraud-protection-implementation.md to reflect these changes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add EventService interface to fraudprotection.Service and wire it to
event.Service in deps_common.go. In CheckAndRecord, dispatch a
fraud_protection.decision_recorded audit event after warning evaluation
and before the block-or-allow decision, recording the full decision
record (decision, action, triggered warnings, IP, user agent, HTTP URL,
HTTP referer, user ID, geo location code).

Add httputil.HTTPReferer type and its providers for request, background,
redis-queue, and e2e contexts so the Referer header is available via DI
in the same manner as UserAgentString and HTTPRequestURL.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Also fix event dispatch in fraudprotection.Service to wrap in a
read-only transaction when not already inside one. This is required
because DispatchEventImmediately internally calls nextSeq which
needs an active database transaction. Log an error if dispatch fails
rather than silently ignoring it.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
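The flow the commit messages above describe (typed Decision and Action consts, a time.Time timestamp, the audit event dispatched between warning evaluation and the block-or-allow decision, the dispatch wrapped in a read-only transaction only when none is active, and a failed dispatch logged rather than ignored), as an added Go sketch that is not Authgear's code: the type and field names follow the commit text, while the EventService method signature and the InTx, ReadOnly and Evaluate hooks are stand-ins assumed for the example.

```go
package main
import (
	"context"
	"log"
	"time"
)

// Typed consts replace plain strings for Decision and Action (names assumed).
type FraudProtectionDecision string
type FraudProtectionAction string
const DecisionAllow, DecisionBlock FraudProtectionDecision = "allow", "block"

// Audit payload with the fields the commit lists; Timestamp is a time.Time, not a pre-formatted string.
type FraudProtectionDecisionRecord struct {
	Timestamp         time.Time
	Decision          FraudProtectionDecision
	Action            FraudProtectionAction
	TriggeredWarnings []string
	IPAddress, UserAgent, HTTPURL, HTTPReferer, UserID, GeoLocationCode string
}

// EventService stands in for event.Service (hypothetical signature); the real dispatch calls nextSeq, which needs an active DB transaction.
type EventService interface {
	DispatchEventImmediately(ctx context.Context, rec FraudProtectionDecisionRecord) error
}

// Service: InTx reports whether ctx already carries a transaction; ReadOnly runs fn inside a new read-only one.
type Service struct {
	Events   EventService
	InTx     func(ctx context.Context) bool
	ReadOnly func(ctx context.Context, fn func(context.Context) error) error
	Evaluate func(userID string) []string // names of the warnings that triggered
}

// CheckAndRecord evaluates warnings, records the decision, then returns whether to block.
func (s *Service) CheckAndRecord(ctx context.Context, action FraudProtectionAction, userID string) (FraudProtectionDecisionRecord, bool) {
	rec := FraudProtectionDecisionRecord{Timestamp: time.Now().UTC(), Decision: DecisionAllow, Action: action, UserID: userID}
	if rec.TriggeredWarnings = s.Evaluate(userID); len(rec.TriggeredWarnings) > 0 {
		rec.Decision = DecisionBlock
	}
	dispatch := func(ctx context.Context) error { return s.Events.DispatchEventImmediately(ctx, rec) }
	if !s.InTx(ctx) { // not inside a transaction yet: wrap the dispatch in a read-only one
		inner := dispatch
		dispatch = func(ctx context.Context) error { return s.ReadOnly(ctx, inner) }
	}
	if err := dispatch(ctx); err != nil {
		log.Printf("fraud_protection: audit dispatch failed: %v", err) // log, never silently ignore
	}
	return rec, rec.Decision == DecisionBlock
}
```

The audit record is emitted before the verdict is enforced, so a blocked request still leaves a full decision record with its triggered warnings.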
@tung2744

Rebased and updated the error message, thanks!

@carmenlau carmenlau merged commit abd385d into authgear:feat-fraud-protection Mar 17, 2026
11 checks passed