fix(provider,api-express-router,logger): stop request-logger context bleed and log every endpoint's envelope#2820
Merged
Merged
Conversation
…ields leaking across concurrent captcha requests and emit request/response envelopes on every endpoint - Tasks.setLogger no longer mutates the process-wide db.logger, which was causing user/siteKey/sessionId bindings from one in-flight request to overwrite another's on DB log lines (visible as a PuzzleCaptcha update for user A's challenge tagged with user B's account). Callers now pass the request logger through the Tasks constructor and drop the redundant setLogger call. - requestLoggerMiddleware emits "Request received" and "Response sent" lines for every route (method, path, status, durationMs, req_id), excluding /healthz|/health|/readyz. Also echoes x-request-id on the outbound response so downstream callers can correlate without Caddy. - Promote requestId from `data.requestId` to a top-level `req_id` field on the emitted JSON so OpenObserve indexes it as its own column and WHERE req_id = '…' becomes cheap. - New logger unit tests cover promotion + absent-when-unset. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Join `dataMaybeRequestId && typeof ...` onto a single line per biome's formatter — no logic change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Tasks.setLoggerno longer mutatesdb.logger(packages/provider/src/tasks/tasks.ts) —env.getDb()returns a process-wide singleton, so overwritingdb.loggeron every request meant concurrent captcha submits raced and one request'suser/siteKey/sessionIdbindings stamped the other's DB log lines. Callers ingetPoWCaptchaChallenge/getPuzzleCaptchaChallengenow passreq.loggerthrough the constructor and drop the redundantsetLoggercall.requestLoggerMiddlewareemitsRequest receivedandResponse sentenvelopes on every route (packages/api-express-router/src/middlewares/requestLoggerMiddleware.ts) — previously only/frictionlesshad per-endpoint response logging, sogetPow/PuzzleCaptchaChallenge,submitPow/PuzzleCaptchaSolution,verify.tshad no envelope in OpenObserve. Health probes (/healthz,/health,/readyz) skip the envelope so they don't drown the stream. Also mirrorsx-request-idback on the outbound response.requestIdto a top-levelreq_idfield on the log record (packages/logger/src/logger.ts) — OpenObserve indexes top-level fields as their own columns, soWHERE req_id = '…'is now cheap.data.requestIdis preserved for backwards compat. Two new unit tests.Motivation traced in a live incident: for a puzzle solve on
pronode15at 2026-07-09T13:03:55Z, thePuzzleCaptcha record updated successfullylog line for user5G3XQqmid…'s challenge showeddata_user=5HDoUo…because a concurrent request had just calledsetLoggerand clobbered the shareddb.logger. Signature validation was intact — the record was legitimately being updated for the right user — but the log output was misleading and broke user-scoped filtering.Test plan
npm run -w @prosopo/logger test— 39/39 passing (37 existing + 2 new)npm run -w @prosopo/logger build:tsc— cleannpm run -w @prosopo/api-express-router build:tsc— cleannpx tsc --noEmit -p packages/provider/tsconfig.json— no new errors in touched files (repo has pre-existing merge markers inblacklistRequestInspector.ts/captchaManager.tsunrelated to this PR)req_idappears at the top level ofproduction_provider_noderecordsdata_user/data_sitekey/data_sessionidRequest received/Response sentenvelopes appear for/captcha/puzzle,/captcha/pow, and/api/verifyroutes🤖 Generated with Claude Code