Downgrade routine anon-403s on /api/v3/auth/profile/ to DEBUG #759
Merged
A fresh browser visit to Codex probes /api/v3/auth/profile/ before any
session cookie exists, which Django's BaseHandler.get_response logs as
a WARNING ("Forbidden: /api/v3/auth/profile/") for every first-time
visitor. That drowns the main log in routine noise.

Add a logging.Filter on django.request that downgrades records matching
that exact "Forbidden: <path>" pattern to DEBUG, parameterized by a
small frozenset of known-noisy paths so abuse on other endpoints still
surfaces at WARNING.

Also move django.request into the loggers dict where dictConfig will
actually see it — the old top-level placement was silently ignored.
Records still flow to the root loguru handler via propagation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Cuts down log noise from every first-time visitor.
A fresh browser hits /api/v3/auth/profile/ before any session cookie exists, which Django's BaseHandler.get_response logs as WARNING: Forbidden: /api/v3/auth/profile/ for every visit. That drowns the main log with routine first-load behaviour.
This adds a logging.Filter on the django.request logger that downgrades records matching "Forbidden: <noisy-path>" to DEBUG. The noisy-path list is a frozenset constant, so adding a future endpoint is a one-line change.
Originating from review feedback after the failed-login log PR (#757) — true abuse of /profile/ is unlikely to matter for fail2ban, and a brute-forcer would surface in failed_logins.log first regardless.
Also fixes a latent config bug
codex/settings/logging.py had django.request, django, and django.server declared at the top level of the LOGGING dict, but Python's dictConfig only recognises "loggers" as the container for named loggers — those blocks were silently ignored. Records were still reaching the root loguru handler via propagation, but no per-logger filter could be attached. django.request is now moved into the loggers dict (where the new filter lives). Left django and django.server alone to keep this diff focused; happy to clean them up in a follow-up.
Test plan
- make fix && make lint && make ty clean
- pytest tests/test_logging_filter.py -v — 4 tests cover the noisy path, an unrelated Forbidden path (stays WARNING), a non-Forbidden 4xx (stays WARNING), and non-WARNING levels (untouched)
- make test-python — full suite still passes (231 total)
- Forbidden: /api/v3/auth/profile/ WARNING appears in codex.log at default INFO level
🤖 Generated with Claude Code
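
The two points in the description (a level-downgrading filter, and where dictConfig looks for named loggers) shown as an added standard-library example; this is not the PR's code, which does not appear on this page. The class, constant and function names, the /api/v3/admin/user/ path and the sample records are constructed for illustration.

```python
import logging
import logging.config

# Assumed constant name; the PR only says the noisy paths are a frozenset.
NOISY_FORBIDDEN_PATHS = frozenset({"/api/v3/auth/profile/"})


class DowngradeNoisyForbidden(logging.Filter):
    """Relabel WARNING "Forbidden: <path>" records for listed paths as DEBUG."""

    def filter(self, record):
        if record.levelno == logging.WARNING:
            prefix, _, path = record.getMessage().partition(": ")
            if prefix == "Forbidden" and path in NOISY_FORBIDDEN_PATHS:
                record.levelno, record.levelname = logging.DEBUG, "DEBUG"
        return True  # never drop here; the handler level decides what is kept


class ListHandler(logging.Handler):
    def __init__(self, sink):
        super().__init__()
        self.sink = sink

    def emit(self, record):
        self.sink.append((record.levelname, record.getMessage()))


def captured_at_info(in_loggers):
    """Configure logging, emit three constructed records, return what an INFO handler kept."""
    sink = []
    config = {
        "version": 1,
        "disable_existing_loggers": False,
        "filters": {"noisy_403": {"()": DowngradeNoisyForbidden}},
        "handlers": {"capture": {"()": lambda: ListHandler(sink), "level": "INFO"}},
        "root": {"level": "DEBUG", "handlers": ["capture"]},
    }
    # Correct: inside "loggers". Buggy: top-level key, which dictConfig silently ignores.
    target = config.setdefault("loggers", {}) if in_loggers else config
    target["django.request"] = {"filters": ["noisy_403"]}
    log = logging.getLogger("django.request")
    log.filters.clear()  # reset state left by an earlier call
    logging.config.dictConfig(config)
    # Constructed records in the "Forbidden: <path>" shape quoted on the page.
    log.warning("%s: %s", "Forbidden", "/api/v3/auth/profile/")
    log.warning("%s: %s", "Forbidden", "/api/v3/admin/user/")
    log.warning("%s: %s", "Not Found", "/api/v3/auth/profile/")
    return sink
```

With the block under "loggers", only the noisy-path record falls below the INFO handler; with the block at the top level, all three records still arrive as WARNING and dictConfig raises no error about the ignored key.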