
[Security] Audit log records the request but never the outcome, and redaction is shallow so nested secrets are persisted #1183

Description

@grantfox-oss

Telegram (ask questions / claim the issue here first): https://t.me/+DOylgFv1jyJlNzM0

Why this matters

backend/src/middleware/auditLog.ts:63-111 fires the INSERT and calls next() before the handler runs, so audit_logs has no HTTP status / allowed-vs-denied / success flag - a rejected admin action and a successful one are indistinguishable. sanitizePayload (auditLog.ts:8-30) only redacts top-level keys (shallow for now), so secret/token/signedTxXdr nested under e.g. body.tx are written to the DB in cleartext.

Acceptance criteria

  • Record the response status/outcome (e.g. log on res finish or write a second row) so audit entries capture success/denial
  • Make sanitizePayload recurse into nested objects/arrays to redact the sensitiveFields list at any depth
  • Add tests covering a denied admin request and a nested signedTxXdr field
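The two fixes above, as an added example written for this issue rather than code from the project's own auditLog.ts. It shows a `sanitizePayload` that recurses into nested objects and arrays (with cycle protection, which the shallow version never needed), and an audit middleware that inserts its row on the response `finish` event so the final HTTP status and an allowed/denied outcome are captured; a `demo()` at the end runs the denied-admin-request-with-nested-`signedTxXdr` case from the acceptance criteria against constructed sample input. `sensitiveFields`, `AuditStore`, `AuditEntry`, `outcomeFromStatus`, the `req.user` shape and the fake response object are all assumptions, not the project's real identifiers.

```typescript
// Added example, not the project's auditLog.ts. All identifiers below are assumed.

const REDACTED = "[REDACTED]";

// Assumed list; keys are compared case-insensitively so `Token` and `token` both match.
const sensitiveFields = ["password", "secret", "token", "signedTxXdr", "authorization"];
const sensitiveLower = new Set(sensitiveFields.map((f) => f.toLowerCase()));

/** Deep-copy `value`, replacing the value of any sensitive key at any depth. */
export function sanitizePayload(value: unknown, seen = new WeakSet<object>()): unknown {
  if (Array.isArray(value)) {
    return value.map((v) => sanitizePayload(v, seen));
  }
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    if (seen.has(obj)) return "[CIRCULAR]"; // refuse to loop on self-referencing input
    seen.add(obj);
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(obj)) {
      out[k] = sensitiveLower.has(k.toLowerCase()) ? REDACTED : sanitizePayload(v, seen);
    }
    seen.delete(obj); // path-based: the same object reached twice by different paths is fine
    return out;
  }
  return value; // primitives are kept as-is
}

export type Outcome = "success" | "denied" | "client_error" | "server_error" | "aborted";

/** Map the final HTTP status to an audit outcome; 401/403 is what a rejected admin action produces. */
export function outcomeFromStatus(status: number): Outcome {
  if (status === 401 || status === 403) return "denied";
  if (status >= 500) return "server_error";
  if (status >= 400) return "client_error";
  return "success";
}

export interface AuditEntry {
  method: string;
  path: string;
  actorId: string | null;
  payload: unknown; // already sanitized
  status: number | null; // null when the client aborted before the response finished
  outcome: Outcome;
  durationMs: number;
}

// Minimal shapes of what the middleware touches; Express's Request/Response satisfy them
// (req.user is assumed to be set by an upstream auth middleware).
export interface AuditReq { method: string; path: string; body?: unknown; user?: { id: string } }
export interface AuditRes { statusCode: number; on(event: "finish" | "close", cb: () => void): unknown }
export interface AuditStore { insert(entry: AuditEntry): void }

/** Middleware factory: redact eagerly, insert exactly one row once the response is done. */
export function auditLog(store: AuditStore, now: () => number = Date.now) {
  return (req: AuditReq, res: AuditRes, next: () => void): void => {
    const started = now();
    const payload = sanitizePayload(req.body); // redact before anything is retained
    let written = false;
    const write = (aborted: boolean): void => {
      if (written) return; // 'close' also fires after 'finish'; never write two rows
      written = true;
      store.insert({
        method: req.method,
        path: req.path,
        actorId: req.user?.id ?? null,
        payload,
        status: aborted ? null : res.statusCode,
        outcome: aborted ? "aborted" : outcomeFromStatus(res.statusCode),
        durationMs: now() - started,
      });
    };
    res.on("finish", () => write(false)); // status and body fully flushed to the socket
    res.on("close", () => write(true));   // client went away before finish
    next();
  };
}

/** Constructed sample: an admin request that the handler denies, carrying a nested signedTxXdr. */
export function demo(): AuditEntry[] {
  const rows: AuditEntry[] = [];
  const listeners: Record<string, Array<() => void>> = {};
  // Fake response standing in for Express's; only the members auditLog uses.
  const res: AuditRes = {
    statusCode: 200,
    on(event, cb) { (listeners[event] = listeners[event] ?? []).push(cb); },
  };
  const req: AuditReq = {
    method: "POST", path: "/admin/submit-tx", user: { id: "admin-42" },
    body: { token: "bearer-abc", tx: { memo: "payout", signedTxXdr: "AAAAAgAAAAB_constructed" }, notes: [{ Secret: "s3" }] },
  };
  auditLog({ insert: (e) => rows.push(e) })(req, res, () => { res.statusCode = 403; }); // handler denies
  for (const cb of listeners["finish"] ?? []) cb();
  for (const cb of listeners["close"] ?? []) cb(); // must not add a second row
  return rows;
}
```

Writing on `finish` trades one thing for simplicity: if the process dies mid-handler, no row is written at all. The "write a second row" alternative in the acceptance criteria (insert on request, update with status on finish) keeps a record of the attempt in that case at the cost of a second DB write per request; either way the outcome must come from `res.statusCode` after the handler, never from the middleware's own position in the chain.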

Files to touch

  • backend/src/middleware/auditLog.ts

Out of scope

  • Audit-log IP correctness (depends on trust proxy, tracked separately)
  • Retention/cleanup job

Metadata

Labels

  • Stellar Wave: Issues in the Stellar wave program
  • backend: Issues related to backend development
  • enhancement: New feature or request
  • security: Security related issues
