docs: add Observability sections to all handler docs#220
Merged
Conversation
Document all slog.ErrorContext and slog.WarnContext events emitted by each handler. Every HTTP 500 response is now paired with the structured log message that precedes it in the source, making it easier to correlate log output with specific failure paths. Each handler page now includes an Observability table listing: - Event description - Log level (ERROR or WARN) - Exact slog message string - Endpoint that emits it A brief general Observability section is also added to docs/handler/index.md explaining the overall pattern. Follows the style established in docs/auth/middleware.md. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-actions
Bot
added
automation
documentation
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the handler documentation (docs/handler/) to reflect the project’s structured logging behavior (notably the slog.ErrorContext/slog.WarnContext events emitted around error paths), by adding per-handler “Observability” sections and a general overview on the handler docs index.
Changes:
- Add a general “Observability” section to
docs/handler/index.mddescribing the logging pattern. - Add per-handler observability tables (event/level/message/endpoint) across handler docs pages.
- Document non-fatal
ERROR/WARNevents (e.g., email delivery failures that still return 200, best-effort linking warnings, passkey counter update warnings).
Show a summary per file
| File | Description |
|---|---|
| docs/handler/index.md | Adds global observability guidance for handlers and structured logging conventions. |
| docs/handler/auth.md | Adds an observability table covering AuthHandler log events across key endpoints. |
| docs/handler/api-keys.md | Adds an observability table for APIKeyHandler error logs. |
| docs/handler/sessions.md | Adds an observability table for SessionHandler error logs. |
| docs/handler/totp.md | Adds an observability table for TOTPHandler error logs. |
| docs/handler/magic-links.md | Adds an observability table for MagicLinkHandler error logs and non-fatal email failures. |
| docs/handler/oidc.md | Adds an observability table for OIDCHandler logs across login/link flows. |
| docs/handler/oauth2.md | Adds an observability table for OAuth2Handler logs across login/link flows. |
| docs/handler/passkeys.md | Adds an observability table for PasskeyHandler error/warn logs (including internal WARN cases). |
| docs/handler/email-verification.md | Adds an observability table for EmailVerificationHandler logs and non-fatal email failures. |
| docs/handler/password-reset.md | Adds an observability table for PasswordResetHandler logs and non-fatal email failures. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 11/11 changed files
- Comments generated: 6
…ents, correct endpoint attribution for link errors, and fix TOTP event label - auth.md: add failed to generate refresh token / create session / create token events emitted by issueTokens helper - magic-links.md: same issueTokens events plus Sessions misconfiguration message for VerifyMagicLink - oidc.md: move "failed to consume link nonce" and "failed to look up user during OIDC link" from Callback (link flow) to Link; add three handleLinkCallback errors to Callback (link flow); add issueTokens events for Callback - oauth2.md: same endpoint corrections and additions as oidc.md for OAuth2 counterparts - passkeys.md: add FinishAuthentication to "failed to fetch user" endpoint list; add issueTokens events for FinishAuthentication - index.md: soften claim that all ERROR records carry an error attribute (issueTokens misconfiguration log is an exception) - totp.md: rename "TOTP code validation store failure" to "TOTP code validation failure" (failure comes from ValidateTOTP, not a store call)
…tion and password-reset - email-verification.md: the three SendVerification ERROR events (user lookup, token generation, token storage) return HTTP 200, not HTTP 500 — SendVerification always returns 200 to prevent email enumeration - password-reset.md: "password reset: consume token" does not abort the response; password has already been updated and HTTP 200 is returned
… 200 "password reset: cleanup token after email failure" falls through to the same HTTP 200 path as the email-delivery failure — it is not followed by an HTTP 500 response.
…turns HTTP 401 not 500
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The recent "Add missing 500 error logs" (#215) commit added
slog.ErrorContextcalls before every HTTP 500 response across all handler files. This PR updates the documentation to reflect that change.What changed
Every handler documentation page (
docs/handler/) now includes an Observability section with a structured table listing:ERRORorWARNslogmessageA brief introductory section is also added to
docs/handler/index.mdexplaining the general pattern (all 500 paths log viaslog.ErrorContext;slog.WarnContextfor non-fatal degradations; the globalsloghandler is never replaced).Files changed
docs/handler/index.mddocs/handler/auth.mddocs/handler/api-keys.mddocs/handler/sessions.mddocs/handler/totp.mddocs/handler/magic-links.mddocs/handler/oidc.mddocs/handler/oauth2.mddocs/handler/passkeys.mddocs/handler/email-verification.mddocs/handler/password-reset.mdStyle
Follows the logging-table pattern established in
docs/auth/middleware.md.Greptile Summary
This PR adds an Observability section to every handler documentation page, documenting the structured
slogevents emitted before HTTP 500 responses (and a handful of non-fatalWARN-level events). It also adds an overview section todocs/handler/index.mdexplaining the general logging pattern.slogmessages, their level, and the endpoint(s) that emit them; slog messages, levels, and endpoint attributions were verified against the source handler files.issueTokenshelper events, incorrect endpoint attribution for OIDC/OAuth2 link-flow errors, HTTP 200 vs 500 distinctions inemail-verification.md,password-reset.md, andoauth2.md) have been addressed."skipping corrupted passkey credential"inpasskeys.mdsays(internal, during listing)butloadWebAuthnCredentialsis never called fromListCredentials; it fires duringBeginRegistration,FinishRegistration, andFinishAuthentication.Confidence Score: 5/5
Documentation-only change; no production code is modified.
Every slog message, log level, and endpoint attribution in all 11 tables was verified against the handler source files. The only remaining issue is a misleading endpoint label in the passkeys table that names the wrong handler as the source of a WARN event — a minor doc inaccuracy with no runtime impact.
docs/handler/passkeys.md — the "skipping corrupted passkey credential" endpoint label should reference BeginRegistration, FinishRegistration, and FinishAuthentication rather than "(internal, during listing)".
Important Files Changed
Prompt To Fix All With AI
Reviews (5): Last reviewed commit: "docs(oauth2): correct observability foot..." | Re-trigger Greptile