Add monitoring API for per-issuer validation statistics #182

Copilot · 2025-12-08T22:37:13Z

Monitoring API Implementation - Complete ✅

Successfully implemented a monitoring API in the C interface to track per-issuer validation statistics with all code review feedback addressed.

Latest Changes

Code formatting: Applied clang-format to address all linter issues

Changes from Code Review

Exception hierarchy: Added IssuerLookupException and TokenExpiredException for proper error classification
Total time tracking: Changed from average to total validation time in seconds (base unit) for Prometheus compatibility
Named constants: Use MAX_SELECT_TIMEOUT_US constant instead of magic number for maintainability
Proper thread safety: All statistics properly protected by mutex, no race conditions
Code formatting: Properly formatted per clang-format rules

Features Implemented

✅ Per-issuer tracking of successful/unsuccessful validations
✅ Tracks total validation time in seconds (cumulative across all validations)
✅ Tracks expired tokens via TokenExpiredException
✅ Tracks failed issuer lookups via IssuerLookupException with DDoS protection (limits to 100 entries)
✅ Returns statistics as JSON string
✅ Includes reset functionality
✅ Thread-safe with proper mutex protection

API

// Get statistics as JSON
char *json_out = NULL;
char *err_msg = NULL;
scitoken_get_monitoring_json(&json_out, &err_msg);
// Returns: {"issuers": {"https://example.org": {"successful_validations": 42, 
//           "unsuccessful_validations": 3, "expired_tokens": 1, 
//           "total_validation_time_s": 125.5}}, 
//           "failed_issuer_lookups": {"https://invalid.org": 5}}

// Reset all statistics
scitoken_reset_monitoring_stats(&err_msg);

Implementation Details

MonitoringStats singleton (src/scitokens_monitoring.cpp): Thread-safe statistics collection with mutex protection
Exception-based error classification: IssuerLookupException and TokenExpiredException instead of string matching
Validator integration: All verify() methods track timing with 50ms select timeout for responsiveness
DDoS mitigation: Failed issuer lookup tracking limited to 100 entries with pruning
Output sanitization: Issuer names truncated to 256 chars in JSON output

Statistics Tracked

Per issuer:

Successful/unsuccessful validation counts
Expired token count (detected via TokenExpiredException)
Total validation time in seconds (cumulative)

Global:

Failed issuer lookup counts (network/DNS errors via IssuerLookupException)

Test Programs

scitokens-test-monitoring: Basic API verification
scitokens-test-monitoring-comprehensive: DDoS protection and validation flow testing

Original prompt

This section details on the original issue you should resolve

<issue_title>Monitoring API</issue_title>
<issue_description>Create a new monitoring API in the C interface to the library. Potentially it should just return a JSON string that is an object with arbitrary monitoring statistics.

At the minimum, we should track statistics per-issuer (time spent per issuer, successful validations, unsuccessful validations, expirations, etc). For failed issuer lookup, we should make sure to avoid resource exhaustion DDoS attacks given attackers can generate an arbitrary number of issuers.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes Monitoring API #181

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

github-actions

Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit

lint