Skip to content

server: unify and improve logging #56

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

server: unify and improve logging #56

wants to merge 2 commits into from

Conversation

mostlygeek
Copy link
Contributor

@mostlygeek mostlygeek commented Sep 23, 2025
edited
Loading

This commit switches tsidp to slog and collapses HTTP error logging to a single function.

  • use WARN/DEBUG level logging depending on http status code
  • move tsnet.Server logging to new flag: -debug-tsnet
  • move request/response logging to new flag: -debug-all-requests
  • unify API error handling logic to writeHTTPError

Updates #25

Log output:

2025/09/23 16:26:06 WARN HTTP error status=401 method=GET path=/ error=access_denied description="not available over funnel"
2025/09/23 16:26:35 WARN HTTP error status=401 method=GET path=/authorize error=access_denied description="not allowed over funnel"
2025/09/23 16:26:44 WARN HTTP error status=401 method=GET path=/authorize error=access_denied description="not allowed over funnel"
  • 401, 403 are logged at a WARN level
  • 500 logged at an ERR level
  • all other HTTP errors logged at DEBUG level

@mostlygeek mostlygeek requested a review from awly September 23, 2025 21:10
@mostlygeek mostlygeek changed the title tsidp-server.go,server: switch to slog tsidp-server.go,server: use structured logging Sep 23, 2025
@mostlygeek mostlygeek removed the request for review from awly September 23, 2025 21:25
@mostlygeek mostlygeek force-pushed the mostlygeek/unifylogging-25 branch 3 times, most recently from 3d95e1b to 5836d93 Compare September 23, 2025 23:28
@mostlygeek mostlygeek changed the title tsidp-server.go,server: use structured logging server: unify and improve logging Sep 23, 2025
@mostlygeek mostlygeek requested a review from awly September 23, 2025 23:50
awly
awly reviewed Sep 24, 2025
View reviewed changes
Copy link
Member

@awly awly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you also add logging for successful authorizations through tsidp?
I'd like to have an audit log of everyone who used tsidp to successfully login to some remote service.

@mostlygeek mostlygeek force-pushed the mostlygeek/unifylogging-25 branch 3 times, most recently from 1e92fef to 56d3719 Compare September 24, 2025 17:59
mostlygeek
mostlygeek commented Sep 24, 2025
View reviewed changes
@mostlygeek mostlygeek force-pushed the mostlygeek/unifylogging-25 branch from 56d3719 to 4f4ca34 Compare September 24, 2025 18:11
@mostlygeek
Copy link
Contributor Author

Hi @awly Thanks for the initial detailed review. I addressed the main issues:

  • don't leak error messages
  • replace errorCode strings with constants
  • cleaned up some nits and legacy messages
  • removed some legacy code/conventions

awly
awly reviewed Sep 24, 2025
View reviewed changes
README.md
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please generally avoid bundling multiple unrelated changes in one PR.
it makes it harder to review and slower for you to merge.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed. That is typically my preference too. The README, at this early stage in the project, I think we can be a bit more flexible on.

tsidp-server.go
Comment on lines +136 to +138
cur := slog.SetLogLoggerLevel(slog.LevelDebug) // force debug if this option is on
slog.Debug(fmt.Sprintf(format, args...))
slog.SetLogLoggerLevel(cur)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this will flip the global logger level while a line is printed.
instead, create a dedicated slog.Logger to use in tsnet.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was part of the examples in the slog documentation. I can create a separate logger instead if we prefer to do it that way instead.

Copy link
Contributor Author

@mostlygeek mostlygeek Sep 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I looked into this. I would prefer to keep it this way.

Rationale:

  • slog uses an internal, unexported handler to format logging. No way to keep consistency with the rest of the logging.
  • it's ugly but less ugly than all the logs being in two different formats
  • -debug-tsnet is meant for troubleshooting and is not a hot code path.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh, this actually sets the log level for log.Print* functions, not for slog.Debug. I don't think it matters here at all.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe?

This is a work around for the situation where -log info (default), and -debug-tsnet is used but doesn't print anything because slog filtered out debug level logs.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, https://pkg.go.dev/log/slog#SetLogLoggerLevel says

Before SetDefault is called, slog top-level logging functions call the default log.Logger. In that mode, SetLogLoggerLevel sets the minimum level for those calls.

so because your code never calls slog.SetDefault, this implicitly sets the slog log level too.

@mostlygeek mostlygeek force-pushed the mostlygeek/unifylogging-25 branch from 8b10e83 to 5a96c09 Compare September 24, 2025 20:01
@mostlygeek @awly
tsidp-server.go,Makefile,server: switch to slog
c460b6b 
Switch to slog for structured logging with appropriate log levels for
activity within the app.

- log all token api errors at WARN level
- move tsnet.Server logging to new flag: -debug-tsnet
- move request/response logging to new flag: -debug-all-requests
- unify API error handling logic to writeHTTPError
- switch funnel error to http.StatusUnauthorized
- update docker image to use new logging flags
- update README.md with new flags and env vars

Co-authored-by: Andrew Lytvynov <[email protected]>
Signed-off-by: Benson Wong <[email protected]>
@mostlygeek mostlygeek force-pushed the mostlygeek/unifylogging-25 branch from 5a96c09 to c460b6b Compare September 24, 2025 20:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@awly awly awly left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mostlygeek @awly