Add audit logging for connection approve/deny events #45

@guysmoilov

Problem

The current implementation logs approval state changes at the debug level but does not produce a persistent audit trail of which connections were approved or denied, by whom, and when. For a security-sensitive access control feature this is valuable.

Proposed solution

  • Emit structured log entries (via the existing logger) when a connection is approved or denied
  • Include: timestamp, client IP, geolocation, user agent, challenge code, outcome (approved/denied), and client ID
  • Consider writing to a separate audit log file (e.g. --audit-log <path>) in addition to stdout

Example log line

[AUDIT] 2024-01-15T10:23:45Z approved clientId=abc123 ip=1.2.3.4 geo="New York, NY, US" ua="Mozilla/5.0 ..." code=X7K2
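
An added example (not from the issue or the project's code) that emits the line format above in Python and escapes quotes and control characters, so that client-supplied values such as the user agent cannot split a record across lines or add fields. The function names, the always-quoted `geo`/`ua` rule and the `\u{..}` escape form are assumptions.

```python
import re
from datetime import datetime, timezone

OUTCOMES = {"approved", "denied"}
ALWAYS_QUOTED = {"geo", "ua"}                # quoted in the issue's example line
_BARE = re.compile(r"[A-Za-z0-9._:-]+")      # values safe to emit unquoted
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_ESC = re.compile(r"\\u\{([0-9a-f]+)\}|\\(.)")

def _quote(value):
    """Quote a value, escaping backslash, double quote and non-printables."""
    out = []
    for ch in value:
        if ch in '\\"':
            out.append("\\" + ch)
        elif ch.isprintable():
            out.append(ch)
        else:                                # CR, LF, tab, other control chars
            out.append("\\u{%x}" % ord(ch))
    return '"' + "".join(out) + '"'

def format_audit_line(outcome, client_id, ip, geo, ua, code, when=None):
    """Build one single-line audit record in the layout shown in the issue."""
    if outcome not in OUTCOMES:
        raise ValueError(f"unknown outcome: {outcome!r}")
    when = when or datetime.now(timezone.utc)
    ts = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    parts = []
    for key, value in (("clientId", client_id), ("ip", ip), ("geo", geo),
                       ("ua", ua), ("code", code)):
        text = str(value)
        bare = key not in ALWAYS_QUOTED and _BARE.fullmatch(text)
        parts.append(f"{key}={text if bare else _quote(text)}")
    return f"[AUDIT] {ts} {outcome} " + " ".join(parts)

def parse_audit_line(line):
    """Inverse of format_audit_line: return (timestamp, outcome, fields)."""
    tag, ts, outcome, rest = line.split(" ", 3)
    if tag != "[AUDIT]" or outcome not in OUTCOMES:
        raise ValueError("not an audit line")
    fields = {}
    for key, raw in _PAIR.findall(rest):
        if raw.startswith('"'):
            raw = _ESC.sub(lambda m: chr(int(m.group(1), 16)) if m.group(1)
                           else m.group(2), raw[1:-1])
        fields[key] = raw
    return ts, outcome, fields
```
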

Labels: area:auth (Authentication and access control), area:backend (Backend/server code), area:security (Security-sensitive behavior), enhancement (New feature or request)