2024-12-09 09:28:34 +00:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
namespace App\Http\Middleware;
|
|
|
|
|
|
feat(observability): add structured audit log channel for API and webhook events
Introduce a dedicated `audit` log channel (daily rotation, configurable retention via
LOG_AUDIT_DAYS) and a small `auditLog()` / `auditLogWebhookFailure()` helper used to
record state-changing API operations and webhook events.
Instrumented:
- API mutation endpoints (create / update / delete / start / stop / restart) across
applications, services, databases (incl. backups, env vars, storage), servers,
projects + environments, scheduled tasks, private keys, GitHub apps, cloud provider
tokens, Hetzner server provisioning, instance enable/disable.
- Webhook signature verification outcomes for GitHub, GitLab, Bitbucket, Gitea and
Stripe, plus the Sentinel push endpoint.
- Authentication and authorization outcomes via the global exception handler and
the `ApiAbility` middleware (unauthenticated, ability-denied, policy-denied).
The helper is wrapped in try/catch so logging failures never affect the request
path. Successful operations log at `info`; suspicious/denied requests log at
`warning`. Operators wanting a failures-only feed can set `LOG_AUDIT_LEVEL=warning`.
Includes a feature test suite covering the helper, the webhook providers and the
new auth/authorization log paths.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-28 12:50:37 +00:00
|
|
|
use Illuminate\Auth\AuthenticationException;
|
2024-12-09 09:28:34 +00:00
|
|
|
use Laravel\Sanctum\Http\Middleware\CheckForAnyAbility;
|
|
|
|
|
|
|
|
|
|
class ApiAbility extends CheckForAnyAbility
|
|
|
|
|
{
|
|
|
|
|
public function handle($request, $next, ...$abilities)
|
|
|
|
|
{
|
|
|
|
|
try {
|
2024-12-09 09:52:38 +00:00
|
|
|
if ($request->user()->tokenCan('root')) {
|
|
|
|
|
return $next($request);
|
|
|
|
|
}
|
|
|
|
|
|
2024-12-09 09:28:34 +00:00
|
|
|
return parent::handle($request, $next, ...$abilities);
|
feat(observability): add structured audit log channel for API and webhook events
Introduce a dedicated `audit` log channel (daily rotation, configurable retention via
LOG_AUDIT_DAYS) and a small `auditLog()` / `auditLogWebhookFailure()` helper used to
record state-changing API operations and webhook events.
Instrumented:
- API mutation endpoints (create / update / delete / start / stop / restart) across
applications, services, databases (incl. backups, env vars, storage), servers,
projects + environments, scheduled tasks, private keys, GitHub apps, cloud provider
tokens, Hetzner server provisioning, instance enable/disable.
- Webhook signature verification outcomes for GitHub, GitLab, Bitbucket, Gitea and
Stripe, plus the Sentinel push endpoint.
- Authentication and authorization outcomes via the global exception handler and
the `ApiAbility` middleware (unauthenticated, ability-denied, policy-denied).
The helper is wrapped in try/catch so logging failures never affect the request
path. Successful operations log at `info`; suspicious/denied requests log at
`warning`. Operators wanting a failures-only feed can set `LOG_AUDIT_LEVEL=warning`.
Includes a feature test suite covering the helper, the webhook providers and the
new auth/authorization log paths.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-28 12:50:37 +00:00
|
|
|
} catch (AuthenticationException $e) {
|
|
|
|
|
auditLog('api.auth.unauthenticated', [
|
|
|
|
|
'reason' => $e->getMessage(),
|
|
|
|
|
'required_abilities' => $abilities,
|
|
|
|
|
], 'warning');
|
|
|
|
|
|
2024-12-09 09:28:34 +00:00
|
|
|
return response()->json([
|
|
|
|
|
'message' => 'Unauthenticated.',
|
|
|
|
|
], 401);
|
|
|
|
|
} catch (\Exception $e) {
|
feat(observability): add structured audit log channel for API and webhook events
Introduce a dedicated `audit` log channel (daily rotation, configurable retention via
LOG_AUDIT_DAYS) and a small `auditLog()` / `auditLogWebhookFailure()` helper used to
record state-changing API operations and webhook events.
Instrumented:
- API mutation endpoints (create / update / delete / start / stop / restart) across
applications, services, databases (incl. backups, env vars, storage), servers,
projects + environments, scheduled tasks, private keys, GitHub apps, cloud provider
tokens, Hetzner server provisioning, instance enable/disable.
- Webhook signature verification outcomes for GitHub, GitLab, Bitbucket, Gitea and
Stripe, plus the Sentinel push endpoint.
- Authentication and authorization outcomes via the global exception handler and
the `ApiAbility` middleware (unauthenticated, ability-denied, policy-denied).
The helper is wrapped in try/catch so logging failures never affect the request
path. Successful operations log at `info`; suspicious/denied requests log at
`warning`. Operators wanting a failures-only feed can set `LOG_AUDIT_LEVEL=warning`.
Includes a feature test suite covering the helper, the webhook providers and the
new auth/authorization log paths.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-28 12:50:37 +00:00
|
|
|
auditLog('api.auth.ability_denied', [
|
|
|
|
|
'required_abilities' => $abilities,
|
|
|
|
|
'token_id' => $request->user()?->currentAccessToken()?->id,
|
|
|
|
|
'reason' => $e->getMessage(),
|
|
|
|
|
], 'warning');
|
|
|
|
|
|
2024-12-09 09:28:34 +00:00
|
|
|
return response()->json([
|
|
|
|
|
'message' => 'Missing required permissions: '.implode(', ', $abilities),
|
|
|
|
|
], 403);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|