[Security] Audit log records the request but never the outcome, and redaction is shallow so nested secrets are persisted #1183

Description

@grantfox-oss

Telegram (ask questions / claim the issue here first): https://t.me/+DOylgFv1jyJlNzM0

Why this matters

backend/src/middleware/auditLog.ts:63-111 fires the INSERT and calls next() before the handler runs, so audit_logs has no HTTP status, allowed-vs-denied or success flag: a rejected admin action and a successful one are indistinguishable. sanitizePayload (auditLog.ts:8-30) only redacts top-level keys (shallow for now), so secret/token/signedTxXdr values nested under e.g. body.tx are written to the DB in cleartext.

Acceptance criteria

  • Record the response status/outcome (e.g. log on res finish or write a second row) so audit entries capture success/denial
  • Make sanitizePayload recurse into nested objects/arrays to redact the sensitiveFields list at any depth
  • Add tests covering a denied admin request and a nested signedTxXdr field
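Sketch of both fixes together, added here as an illustration and not code from the repository: a sanitizePayload that recurses into objects and arrays (and cuts cycles), and a middleware that defers the audit write to the response's finish event so the row carries the status and an allowed/denied/error outcome. The field list, the AuditRow shape, the write callback and the classify thresholds are assumptions; the real sensitiveFields list and DB call live in auditLog.ts.

```typescript
// Assumed field list; the project's own sensitiveFields array may differ.
const SENSITIVE_FIELDS = new Set(["secret", "token", "signedTxXdr", "password"]);
const REDACTED = "[REDACTED]";

// Deep redaction: returns a new value with any SENSITIVE_FIELDS key replaced at
// any depth, including inside arrays. Never mutates the input. The stack holds
// objects on the current path so a cyclic payload terminates instead of recursing.
function sanitizePayload(value: unknown, stack = new WeakSet<object>()): unknown {
  if (value === null || typeof value !== "object") return value;
  const obj = value as object;
  if (stack.has(obj)) return "[Circular]";
  stack.add(obj);
  let out: unknown;
  if (Array.isArray(value)) {
    out = value.map((v) => sanitizePayload(v, stack));
  } else {
    const copy: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      copy[k] = SENSITIVE_FIELDS.has(k) ? REDACTED : sanitizePayload(v, stack);
    }
    out = copy;
  }
  stack.delete(obj);
  return out;
}

// Minimal shapes of the Express objects the middleware touches, so this runs without express.
interface ReqLike { method: string; path: string; body?: unknown }
interface ResLike { statusCode: number; on(event: "finish", cb: () => void): void }
interface AuditRow { method: string; path: string; payload: unknown; status?: number; outcome?: "allowed" | "denied" | "error" }

// Assumed mapping: 401/403 are denials, other 4xx/5xx are errors, everything else allowed.
function classify(status: number): AuditRow["outcome"] {
  if (status === 401 || status === 403) return "denied";
  return status < 400 ? "allowed" : "error";
}

// Builds the row up front (redacted request) but only writes it once the response has
// finished, so the persisted entry records what actually happened to the request.
function auditLog(write: (row: AuditRow) => void) {
  return (req: ReqLike, res: ResLike, next: () => void): void => {
    const row: AuditRow = { method: req.method, path: req.path, payload: sanitizePayload(req.body) };
    res.on("finish", () => {
      row.status = res.statusCode;
      row.outcome = classify(res.statusCode);
      write(row);
    });
    next();
  };
}
```

A single finish-time write is simpler than the second-row option in the acceptance criteria, but it loses the entry entirely if the process dies mid-request; choose based on how much that gap matters.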

Files to touch

  • backend/src/middleware/auditLog.ts

Out of scope

  • Audit-log IP correctness (depends on trust proxy, tracked separately)
  • Retention/cleanup job

Metadata

Labels

  • Stellar Wave: Issues in the Stellar wave program
  • backend: Issues related to backend development
  • enhancement: New feature or request
  • security: Security related issues
