`[AuditApi(IncludeRequestBody = false]` doesn't remove FormVariables

[esd-thg]

Describe the bug
[AuditApi(IncludeRequestBody = false] doesn't ignore FormVariables

To Reproduce
Given this endpoint

[AllowAnonymous]
[HttpPost("~/connect/token")]
[Consumes("application/x-www-form-urlencoded")]
[Produces("application/json")]
[AuditApi(IncludeRequestBody = false, IncludeResponseBody = false)]
public async Task<IActionResult> Exchange()
{
    var request = HttpContext.GetOpenIddictServerRequest();
    // ...
}

and this request

POST /connect/token
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=client_credentials&client_id=CLIENT_ID&client_secret=SECRET

I'm seeing this in the log

{
  "Action": {
    "HttpMethod": "POST",
    "ActionName": "Exchange",
    "ActionParameters": {},
    "FormVariables": {
      "grant_type": "client_credentials",
      "client_id": "CLIENT_ID",
      "client_secret": "SECRET"
    },
    "ResponseStatus": "OK",
    "ResponseStatusCode": 200,
    "RequestBody": {
      "Type": "application/x-www-form-urlencoded",
      "Length": 151
    }
  },
  // rest omitted
}

Expected behavior
I was expecting IncludeRequestBody = false to remove the form-urlencoded body and not show FormVariables.

Strangely IncludeRequestBody = true only logs

    "RequestBody": {
      "Type": "application/x-www-form-urlencoded",
      "Length": 151
    }

I was expecting something like

    "RequestBody": {
      "Type": "application/x-www-form-urlencoded",
      "Length": 151,
      "Value": "grant_type=client_credentials&client_id=CLIENT_ID&client_secret=SECRET"
    }

Libraries (specify the Audit.NET extensions being used including version):

• Audit.WebApi.Core: 32.1.1

Target .NET framework:

• .NET 10

[thepirat000]

The reason you're not seeing the Value in the RequestBody when IncludeRequestBody is set to true is most likely because request body buffering is not enabled.

Try adding the following middleware during application startup:

app.Use(async (context, next) =>
{
    context.Request.EnableBuffering();
    await next();
});

Once buffering is enabled, the request body can be read multiple times, and you should start seeing the value captured in the audit RequestBody.

--

Regarding FormVariables, there is currently no built-in setting to exclude it in the current version. However, you can work around this by using a custom action during the save process:

// On your startup:
Audit.Core.Configuration.AddOnSavingAction(scope =>
{
    scope.EventAs<AuditEventWebApi>().Action.FormVariables = null;
});

This will clear the FormVariables collection before the audit event is persisted.

Anyway, I'll work on a fix to add an IncludeFormVariables setting, or alternatively make the existing IncludeRequestBody setting control whether form variables are included.

[thepirat000]

Fixed in version 32.2.0. Please upgrade your references and retest. The IncludeRequestBody setting now also controls the inclusion of form variables.