Task #99354

closed

Harmonize password reset log messages with other auth-related log messages

Added by J. Peter M. Schuler almost 2 years ago. Updated 10 months ago.

Status: Closed
Priority: Should have
Assignee:
Category: Logging
Target version: -
Start date: 2022-12-13
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 11
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Currently I am logging a lot of auth stuff specifically and stumbled over an irregularity in the "password reset successful" log message in contrast to the rest.

Most auth-related messages use "username" as primary reference and replace the field in the message; "password reset successful" uses userid and leaves a placeholder. Examples from FileWriter:

[NOTICE] request="a" component="TYPO3.CMS.Core.Authentication.AuthenticationService": Login-attempt from 198.51.100.1, username 'john.doe', password not accepted!
[INFO] request="b" component="TYPO3.CMS.Backend.Authentication.PasswordReset": Sent password reset email to email address john.doe@example.org for user john.doe - {"email":"john.doe@example.org","username":"john.doe"}
[INFO] request="d" component="TYPO3.CMS.Backend.Authentication.PasswordReset": Password reset successful for user {user_id) - {"user_id":1234}
[NOTICE] request="e" component="TYPO3.CMS.Core.Authentication.AuthenticationService": BE Authentication successful for username 'john.doe'
[INFO] request="e" component="TYPO3.CMS.Core.Authentication.BackendUserAuthentication": User john.doe logged in from 198.51.100.1 - {"username":"john.doe","ip":"198.51.100.1"}

There is an additional discrepancy in when quotation is used in the log string to encapsulate values and when not. While the aim is not to fix all of them in one PR, the change here should probably adhere to a preferred standard. The documentation doesn't explicitly give a decision; however, the example for using placeholders removes the quotation, so it is suggestive of having no quotes. I'd prefer quotes. From the majority of core log messages I think that having quotes and a value array is the current best practice for string-based content like username or email, while e.g. IP addresses are done without.

Thus I propose to change the password reset success message to include username instead of ID and to do that in the message.
Before: Password reset successful for user {user_id) - {"user_id":1234}
After: Password reset successful for user 'john.doe' - {"username":"john.doe"}
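
What the difference means for a script that correlates auth events per account, as an added example that is not part of the original issue or of TYPO3's code: a small parser for the FileWriter lines quoted above, run on the "Before" and "After" messages. The names `parse` and `events_for`, the " - " context separator rule and the placeholder regex are assumptions made for this illustration.

```python
import json
import re

# Lines copied from the issue's FileWriter excerpt; AFTER is the proposed form.
FAILED = '[NOTICE] request="a" component="TYPO3.CMS.Core.Authentication.AuthenticationService": Login-attempt from 198.51.100.1, username \'john.doe\', password not accepted!'
BEFORE = '[INFO] request="d" component="TYPO3.CMS.Backend.Authentication.PasswordReset": Password reset successful for user {user_id) - {"user_id":1234}'
AFTER = '[INFO] request="d" component="TYPO3.CMS.Backend.Authentication.PasswordReset": Password reset successful for user \'john.doe\' - {"username":"john.doe"}'
LOGIN = '[INFO] request="e" component="TYPO3.CMS.Core.Authentication.BackendUserAuthentication": User john.doe logged in from 198.51.100.1 - {"username":"john.doe","ip":"198.51.100.1"}'

LINE_RE = re.compile(
    r'^\[(?P<level>[A-Z]+)\] request="(?P<request>[^"]*)" '
    r'component="(?P<component>[^"]*)": (?P<rest>.*)$'
)
QUOTED_USER_RE = re.compile(r"username '([^']*)'")
# Assumption: "{name}" or the malformed "{name)" left in a message means
# the placeholder was never substituted.
PLACEHOLDER_RE = re.compile(r"\{[A-Za-z_][A-Za-z0-9_]*[})]")


def parse(line):
    """Split one FileWriter line into level, request, component, message, context."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    message, context = event.pop("rest"), {}
    # Assumption: context, when present, is a JSON object after the last " - ".
    head, sep, tail = message.rpartition(" - ")
    if sep and tail.startswith("{"):
        try:
            loaded = json.loads(tail)
            if isinstance(loaded, dict):
                message, context = head, loaded
        except ValueError:
            pass  # not JSON: keep the whole text as the message
    quoted = QUOTED_USER_RE.search(message)
    event["message"] = message
    event["context"] = context
    # Prefer the structured field, fall back to the quoted value in the text.
    event["username"] = context.get("username") or (quoted.group(1) if quoted else None)
    event["unresolved_placeholder"] = bool(PLACEHOLDER_RE.search(message))
    return event


def events_for(username, lines):
    """Return the parsed events that can be attributed to one username."""
    return [e for e in map(parse, lines) if e and e["username"] == username]
```

With the "Before" line, the reset event carries only `user_id` and drops out of a per-username timeline; with the "After" line it sits between the failed attempt and the login.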
