From a786afdff950586700ebd2f280f3f51c09b2f042 Mon Sep 17 00:00:00 2001
From: Walter Pearce <walterpearce@rustfoundation.org>
Date: Fri, 31 Oct 2025 12:07:25 -0700
Subject: [PATCH] Add logging of hashed authorization information

... for cross-checking usage of compromised keys.

Specifically, adds a `custom_metadata.auth_type` value, specifying the authentication type used for actions. Additionally, adds `http.request.headers.hashed_authorization` and `http.request.headers.hashed_cookie` for logging SHA256 hashed copies of the authorization and/or cookie headers used in the request.
---
 src/auth.rs                      | 10 ++++++++--
 src/controllers/krate/publish.rs |  2 ++
 src/middleware/log_request.rs    | 15 ++++++++++++++-
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/src/auth.rs b/src/auth.rs
index 8a39d18ce4a..e4d2d1a370d 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -288,13 +288,19 @@ async fn authenticate(parts: &Parts, conn: &mut AsyncPgConnection) -> AppResult<
 
     match authenticate_via_cookie(parts, conn).await {
         Ok(None) => {}
-        Ok(Some(auth)) => return Ok(Authentication::Cookie(auth)),
+        Ok(Some(auth)) => {
+            parts.request_log().add("auth_type", "cookie");
+            return Ok(Authentication::Cookie(auth));
+        }
         Err(err) => return Err(err),
     }
 
     match authenticate_via_token(parts, conn).await {
         Ok(None) => {}
-        Ok(Some(auth)) => return Ok(Authentication::Token(auth)),
+        Ok(Some(auth)) => {
+            parts.request_log().add("auth_type", "token");
+            return Ok(Authentication::Token(auth));
+        }
         Err(err) => return Err(err),
     }
 
diff --git a/src/controllers/krate/publish.rs b/src/controllers/krate/publish.rs
index a927357c815..56737663671 100644
--- a/src/controllers/krate/publish.rs
+++ b/src/controllers/krate/publish.rs
@@ -172,6 +172,8 @@ pub async fn publish(app: AppState, req: Parts, body: Body) -> AppResult<Json<Go
         .transpose()?;
 
     let auth = if let Some(trustpub_token) = trustpub_token {
+        request_log.add("auth_type", "trustpub");
+
         let Some(existing_crate) = &existing_crate else {
             let error = forbidden(
                 "Trusted Publishing tokens do not support creating new crates. Publish the crate manually, first",
diff --git a/src/middleware/log_request.rs b/src/middleware/log_request.rs
index 007371aa895..9882aab3990 100644
--- a/src/middleware/log_request.rs
+++ b/src/middleware/log_request.rs
@@ -12,8 +12,9 @@ use axum::response::IntoResponse;
 use axum_extra::TypedHeader;
 use axum_extra::headers::UserAgent;
 use derive_more::Deref;
-use http::{Method, Uri};
+use http::{Method, Uri, header};
 use parking_lot::Mutex;
+use sha2::{Digest, Sha256};
 use std::borrow::Cow;
 use std::collections::HashMap;
 use std::fmt::Display;
@@ -48,6 +49,16 @@ pub async fn log_requests(
     let custom_metadata = RequestLog::default();
     req.extensions_mut().insert(custom_metadata.clone());
 
+    // Log all authorization headers via hashed mask
+    let hashed_auth_header = req
+        .headers()
+        .get(header::AUTHORIZATION)
+        .map(|header| hex::encode(Sha256::digest(header.as_bytes())));
+    let hashed_cookie_header = req
+        .headers()
+        .get(header::COOKIE)
+        .map(|header| hex::encode(Sha256::digest(header.as_bytes())));
+
     let response = next.run(req).await;
 
     let duration = start_instant.elapsed();
@@ -83,6 +94,8 @@ pub async fn log_requests(
         http.matched_path = %matched_path,
         http.request_id = %request_metadata.request_id.as_ref().map(|h| h.as_str()).unwrap_or_default(),
         http.useragent = %request_metadata.user_agent.as_ref().map(|h| h.as_str()).unwrap_or_default(),
+        http.request.headers.hashed_authorization = hashed_auth_header.unwrap_or_default(),
+        http.request.headers.hashed_cookie = hashed_cookie_header.unwrap_or_default(),
         http.status_code = status.as_u16(),
         cause = response.extensions().get::<CauseField>().map(|e| e.0.as_str()).unwrap_or_default(),
         error.message = response.extensions().get::<ErrorField>().map(|e| e.0.as_str()).unwrap_or_default(),