Add source column to AuditLog with request context propagation#7825
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #7825 +/- ##
==========================================
+ Coverage 75.10% 75.17% +0.06%
==========================================
Files 430 432 +2
Lines 22846 22933 +87
Branches 6055 6076 +21
==========================================
+ Hits 17159 17239 +80
- Misses 5687 5694 +7
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
Test coverage gap: the nonce trust boundary is untested
The most security-relevant case is never exercised: a request with a bogus or expired nonce must not receive an MCP source. Suggested auth-level cases:
Since this is the anti-spoofing boundary, it is worth covering here rather than deferring to #7563. |
|
Follow-up: reconcile the downstream issues with the nonce approach The PR description documents the nonce mechanism (
Not a change to this PR, just a heads up for the follow-up work. |
|
In const meta = { ...metadata }
if (!meta.correlationId) {
meta.correlationId = crypto.randomUUID()
}
return this.create(meta, ttl) |
|
Minor:
|
|
What is solid
|
andypalmi
left a comment
There was a problem hiding this comment.
Looks great, thanks for the quick turnaround on the earlier notes. The nonce clone fix is in, and the new resolveSourceContext integration test covers exactly the anti-spoofing cases that matter: bogus nonce, expired nonce, valid nonce, PAT fallback, and single-use reuse, all checked end to end against the audit source column. That was the main thing I wanted to see.
The nonce approach reads as a solid anti-spoofing model, and the migration is nicely backwards compatible. Approving. Nothing blocking from me.
|
This will need types re-generated if merged after #7733 |
|
will merge it now |
Description
Adds infrastructure so audit log entries can record how an action was triggered, not just who triggered it. A new source column on the AuditLog table distinguishes cookie sessions (null), direct PAT API calls (api), first party expert agent calls (mcp:expert), and eventually third party MCP agents (mcp).
Anti-spoofing: external requests can't set a fake source because only in-process code can mint nonces via app.nonceStore. No valid nonce means no MCP source, regardless of what headers a caller sends.
Related Issue(s)
closes #7562
Checklist
flowforge.yml?FlowFuse/helmto update ConfigMap TemplateFlowFuse/CloudProjectto update values for Staging/ProductionLabels
area:migrationlabel