Skip to content

[Backend] No structured audit logging for destructive admin actions or auth outcomes #824

Description

@grantfox-oss

Telegram (ask questions / claim the issue here first): https://t.me/+DOylgFv1jyJlNzM0

Why this matters

admin.routes.ts:206-249 exposes destructive indexer reset/replay endpoints but only logs on failure - there is no audit record of which admin publicKey triggered a reset/replay or with what params. Likewise auth.ts verifyChallenge logs only the error path, never successful authentications or admin-access grants.

Acceptance criteria

  • Emit a structured audit log entry (actor publicKey, action, params, requestId) on successful admin reset/replay
  • Log auth success in verifyChallenge and admin-access grant/deny in requireAdmin with the publicKey
  • Keep audit entries free of secrets/tokens

Files to touch

  • backend/src/routes/v1/admin.routes.ts
  • backend/src/middleware/auth.ts
  • backend/src/logger.ts

Out of scope

  • Shipping logs to an external SIEM

Metadata

Metadata

Assignees

Labels

Stellar WaveIssues in the Stellar wave programbackendBackend related tasksenhancementNew feature or requestsecuritySecurity related tasks

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions