feat: add detailed request logging and error tracing to API key and JWT guards

2026-05-09 09:55:30 +02:00
parent a207b3057e
commit 367c8fe002
2 changed files with 31 additions and 18 deletions
@@ -1,19 +1,25 @@
-import { CanActivate, ExecutionContext, Injectable, UnauthorizedException } from '@nestjs/common';
+import { CanActivate, ExecutionContext, Injectable, Logger, UnauthorizedException } from '@nestjs/common';
 import { ApiKeysService } from './api-keys.service';
@Injectable()
 export class ApiKeyGuard implements CanActivate {
  private readonly logger = new Logger(ApiKeyGuard.name);
  constructor(private readonly apiKeysService: ApiKeysService) {}
  async canActivate(context: ExecutionContext): Promise<boolean> {
    const request = context.switchToHttp().getRequest();
    const method: string = request.method;
    const url: string = request.url;
    // Check header (X-API-Key)
    let apiKey = request.headers['x-api-key'] || request.headers['X-API-Key'];
    let source = 'X-API-Key header';
    // Fallback to query parameter (apiKey)
    if (!apiKey) {
      apiKey = request.query['apiKey'];
      if (apiKey) source = 'apiKey query param';
    }
    // Fallback to Authorization: Bearer (used by SSE clients that can't set X-API-Key)
@@ -21,24 +27,28 @@ export class ApiKeyGuard implements CanActivate {
      const auth: string | undefined = request.headers['authorization'];
      if (auth?.startsWith('Bearer ')) {
        apiKey = auth.slice(7);
        source = 'Authorization: Bearer';
      }
    }
    this.logger.debug(
      `[${method} ${url}] key source: ${apiKey ? source : 'NONE'} | ` +
      `headers: ${JSON.stringify(Object.keys(request.headers))} | ` +
      `key prefix: ${apiKey ? String(apiKey).slice(0, 8) + '…' : 'n/a'}`,
    );
    if (!apiKey) {
      this.logger.warn(`[${method} ${url}] rejected – no API key found`);
      throw new UnauthorizedException('API Key missing');
    }
    try {
      const keyEntry = await this.apiKeysService.validateKey(apiKey as string);
-      
+      this.logger.debug(`[${method} ${url}] accepted – key "${keyEntry.name}" (id=${keyEntry.id})`);
-      // Attach metadata to request if needed later
+      request.apiKeyMetadata = { id: keyEntry.id, name: keyEntry.name };
      request.apiKeyMetadata = {
        id: keyEntry.id,
        name: keyEntry.name,
      };
      return true;
    } catch (err) {
      this.logger.warn(`[${method} ${url}] rejected – validation failed: ${err.message}`);
      throw new UnauthorizedException(err.message || 'Invalid API Key');
    }
  }
@@ -1,28 +1,31 @@
-import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
+import { CanActivate, ExecutionContext, Injectable, Logger } from '@nestjs/common';
 import { JwtAuthGuard } from './jwt-auth.guard';
 import { ApiKeyGuard } from './api-key.guard';
 import { lastValueFrom, isObservable } from 'rxjs';
 /**
 * Combined guard that accepts either a valid JWT Bearer token
 * or a valid API key (X-API-Key header / apiKey query param).
 * Tries JWT first, falls back to API key.
 */
@Injectable()
 export class JwtOrApiKeyGuard implements CanActivate {
  private readonly logger = new Logger(JwtOrApiKeyGuard.name);
  constructor(
    private readonly jwtGuard: JwtAuthGuard,
    private readonly apiKeyGuard: ApiKeyGuard,
  ) {}
  async canActivate(context: ExecutionContext): Promise<boolean> {
    const req = context.switchToHttp().getRequest();
    const tag = `[${req.method} ${req.url}]`;
    // Try JWT first
    try {
      const result = this.jwtGuard.canActivate(context);
      const jwtOk = isObservable(result) ? await lastValueFrom(result) : await result;
-      if (jwtOk) return true;
+      if (jwtOk) {
-    } catch {
+        this.logger.debug(`${tag} authenticated via JWT`);
-      // JWT failed, try API key
+        return true;
      }
    } catch (err) {
      this.logger.debug(`${tag} JWT failed (${err.message}), trying API key…`);
    }
    // Fall back to API key