From 4f092ea2fc13825295d761b9715325cd9f411b7c Mon Sep 17 00:00:00 2001
From: Benjamin Petetot <benjamin.petetot@pix.fr>
Date: Thu, 12 Dec 2024 15:34:51 +0100
Subject: [PATCH 1/3] refactor(api): export logWarnWithCorrelationIds from
 monitoring tools

---
 api/src/shared/infrastructure/monitoring-tools.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/api/src/shared/infrastructure/monitoring-tools.js b/api/src/shared/infrastructure/monitoring-tools.js
index 8bfd006a778..1c7a1270712 100644
--- a/api/src/shared/infrastructure/monitoring-tools.js
+++ b/api/src/shared/infrastructure/monitoring-tools.js
@@ -140,6 +140,7 @@ const monitoringTools = {
   incrementInContext,
   installHapiHook,
   logErrorWithCorrelationIds,
+  logWarnWithCorrelationIds,
   logInfoWithCorrelationIds,
   pushInContext,
   setInContext,

From c9a1d121b9fc7dffde980e32301d90d2a2349c29 Mon Sep 17 00:00:00 2001
From: Benjamin Petetot <benjamin.petetot@pix.fr>
Date: Thu, 12 Dec 2024 15:35:33 +0100
Subject: [PATCH 2/3] refactor(api): improve api token logs using
 logWarnWithCorrelationIds

---
 .../application/monitor-pre-handlers.js       | 23 +++++++++++---
 .../application/monitor-pre-handlers.test.js  | 31 +++++++++++++------
 2 files changed, 40 insertions(+), 14 deletions(-)

diff --git a/api/src/identity-access-management/application/monitor-pre-handlers.js b/api/src/identity-access-management/application/monitor-pre-handlers.js
index 108b00b0f2d..a597a43c272 100644
--- a/api/src/identity-access-management/application/monitor-pre-handlers.js
+++ b/api/src/identity-access-management/application/monitor-pre-handlers.js
@@ -1,17 +1,30 @@
-import { logger } from '../../shared/infrastructure/utils/logger.js';
+import { monitoringTools } from '../../shared/infrastructure/monitoring-tools.js';
 import { generateHash } from '../infrastructure/utils/crypto.js';
 
-async function monitorApiTokenRoute(request, h, dependencies = { logger }) {
+async function monitorApiTokenRoute(request, h, dependencies = { monitoringTools }) {
   const { username, refresh_token, grant_type, scope } = request.payload;
 
   if (grant_type === 'password') {
     const hash = generateHash(username);
-    dependencies.logger.warn({ hash, grant_type, scope }, 'Authentication attempt');
+    dependencies.monitoringTools.logWarnWithCorrelationIds({
+      message: 'Authentication attempt',
+      hash,
+      grant_type,
+      scope,
+    });
   } else if (grant_type === 'refresh_token') {
     const hash = generateHash(refresh_token);
-    dependencies.logger.warn({ hash, grant_type, scope }, 'Authentication attempt');
+    dependencies.monitoringTools.logWarnWithCorrelationIds({
+      message: 'Authentication attempt',
+      hash,
+      grant_type,
+      scope,
+    });
   } else {
-    dependencies.logger.warn(request.payload, 'Authentication attempt with unknown method');
+    dependencies.monitoringTools.logWarnWithCorrelationIds({
+      message: 'Authentication attempt with unknown method',
+      ...request.payload,
+    });
   }
 
   return true;
diff --git a/api/tests/identity-access-management/unit/application/monitor-pre-handlers.test.js b/api/tests/identity-access-management/unit/application/monitor-pre-handlers.test.js
index cb6cb1a45b3..7bc3d7f250c 100644
--- a/api/tests/identity-access-management/unit/application/monitor-pre-handlers.test.js
+++ b/api/tests/identity-access-management/unit/application/monitor-pre-handlers.test.js
@@ -10,14 +10,19 @@ describe('Unit | Identity Access Management | Application | monitor-pre-handlers
       const grant_type = 'password';
       const scope = 'pix-app';
       const hash = generateHash(username);
-      const logger = { warn: sinon.stub() };
+      const monitoringTools = { logWarnWithCorrelationIds: sinon.stub() };
       const request = { payload: { grant_type, username, scope } };
 
       // when
-      monitorPreHandlers.monitorApiTokenRoute(request, hFake, { logger });
+      monitorPreHandlers.monitorApiTokenRoute(request, hFake, { monitoringTools });
 
       // then
-      expect(logger.warn).to.have.been.calledWith({ hash, grant_type, scope }, 'Authentication attempt');
+      expect(monitoringTools.logWarnWithCorrelationIds).to.have.been.calledWith({
+        message: 'Authentication attempt',
+        hash,
+        grant_type,
+        scope,
+      });
     });
 
     it('logs authentication attempt with grant type refresh token', async function () {
@@ -26,27 +31,35 @@ describe('Unit | Identity Access Management | Application | monitor-pre-handlers
       const grant_type = 'refresh_token';
       const scope = 'pix-app';
       const hash = generateHash(refresh_token);
-      const logger = { warn: sinon.stub() };
+      const monitoringTools = { logWarnWithCorrelationIds: sinon.stub() };
       const request = { payload: { grant_type, refresh_token, scope } };
 
       // when
-      monitorPreHandlers.monitorApiTokenRoute(request, hFake, { logger });
+      monitorPreHandlers.monitorApiTokenRoute(request, hFake, { monitoringTools });
 
       // then
-      expect(logger.warn).to.have.been.calledWith({ hash, grant_type, scope }, 'Authentication attempt');
+      expect(monitoringTools.logWarnWithCorrelationIds).to.have.been.calledWith({
+        message: 'Authentication attempt',
+        hash,
+        grant_type,
+        scope,
+      });
     });
 
     it('logs authentication attempt with grant type unknown', async function () {
       // given
       const grant_type = 'unknown';
-      const logger = { warn: sinon.stub() };
+      const monitoringTools = { logWarnWithCorrelationIds: sinon.stub() };
       const request = { payload: { foo: 'bar', grant_type } };
 
       // when
-      monitorPreHandlers.monitorApiTokenRoute(request, hFake, { logger });
+      monitorPreHandlers.monitorApiTokenRoute(request, hFake, { monitoringTools });
 
       // then
-      expect(logger.warn).to.have.been.calledWith(request.payload, 'Authentication attempt with unknown method');
+      expect(monitoringTools.logWarnWithCorrelationIds).to.have.been.calledWith({
+        message: 'Authentication attempt with unknown method',
+        ...request.payload,
+      });
     });
   });
 });

From c93798cb643b28905fadfb82bc2acd363328707f Mon Sep 17 00:00:00 2001
From: Benjamin Petetot <benjamin.petetot@pix.fr>
Date: Thu, 12 Dec 2024 15:36:25 +0100
Subject: [PATCH 3/3] feat(api): add more info in /api/token request log
 directly

---
 api/src/shared/infrastructure/plugins/pino.js | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/api/src/shared/infrastructure/plugins/pino.js b/api/src/shared/infrastructure/plugins/pino.js
index ab2228fa88b..07141b8eb3d 100644
--- a/api/src/shared/infrastructure/plugins/pino.js
+++ b/api/src/shared/infrastructure/plugins/pino.js
@@ -1,8 +1,7 @@
-import crypto from 'node:crypto';
-
 import { stdSerializers } from 'pino';
 
 import { monitoringTools } from '../../../../src/shared/infrastructure/monitoring-tools.js';
+import { generateHash } from '../../../identity-access-management/infrastructure/utils/crypto.js';
 import { config } from '../../config.js';
 import { logger } from '../utils/logger.js';
 
@@ -17,11 +16,15 @@ function requestSerializer(req) {
   };
 
   if (!config.hapi.enableRequestMonitoring) return enhancedReq;
+
+  // monitor api token route
   const context = monitoringTools.getContext();
   if (context?.request?.route?.path === '/api/token') {
-    const hash = crypto.createHash('sha256');
-    const username = context?.request?.payload?.username;
-    enhancedReq.usernameHash = username ? hash.update(username).digest('hex') : '-';
+    const { username, refresh_token, grant_type, scope } = context.request.payload || {};
+    enhancedReq.grantType = grant_type || '-';
+    enhancedReq.scope = scope || '-';
+    enhancedReq.usernameHash = generateHash(username) || '-';
+    enhancedReq.refreshTokenHash = generateHash(refresh_token) || '-';
   }
 
   return {