API: Improve audit logs in cluster_nodes_register.go

lastzero · lastzero · commit ddc37e08abd7 · 2025-10-20T14:53:11.000+02:00
Signed-off-by: Michael Mayer &lt;michael@photoprism.app&gt;
diff --git a/internal/api/cluster_nodes_register.go b/internal/api/cluster_nodes_register.go
@@ -154,7 +154,7 @@ func ClusterNodesRegister(router *gin.RouterGroup) {
 			// If caller attempts to change UUID by name without proving client secret, block with 409.
 			if RegisterRequireClientSecret {
 				if requestedUUID != "" && n.UUID != "" && requestedUUID != n.UUID && req.ClientID == "" {
-					event.AuditWarn([]string{clientIp, string(acl.ResourceCluster), "node %s uuid change requires client secret", event.Denied}, clean.Log(name))
+					event.AuditWarn([]string{clientIp, string(acl.ResourceCluster), "node %s", "invalid client secret", event.Denied}, clean.Log(name))
 					c.JSON(http.StatusConflict, gin.H{"error": "client secret required to change node uuid"})
 					return
 				}
@@ -206,7 +206,7 @@ func ClusterNodesRegister(router *gin.RouterGroup) {
 					return
 				}
 				respSecret = &cluster.RegisterSecrets{ClientSecret: n.ClientSecret, RotatedAt: n.RotatedAt}
-				event.AuditInfo([]string{clientIp, string(acl.ResourceCluster), "node %s rotate secret", event.Succeeded}, clean.Log(name))
+				event.AuditInfo([]string{clientIp, string(acl.ResourceCluster), "node %s", "rotate secret", event.Succeeded}, clean.Log(name))
 
 				// Extra safety: ensure the updated secret is persisted even if subsequent steps fail.
 				if putErr := regy.Put(n); putErr != nil {
@@ -239,7 +239,7 @@ func ClusterNodesRegister(router *gin.RouterGroup) {
 						AbortUnexpectedError(c)
 						return
 					}
-					event.AuditInfo([]string{clientIp, string(acl.ResourceCluster), "node %s rotate database", event.Succeeded}, clean.Log(name))
+					event.AuditInfo([]string{clientIp, string(acl.ResourceCluster), "node %s", "rotate database", event.Succeeded}, clean.Log(name))
 				}
 			}
 

Original file line number	Diff line number	Diff line change
`@@ -154,7 +154,7 @@ func ClusterNodesRegister(router *gin.RouterGroup) {`
`154`	`154`	`// If caller attempts to change UUID by name without proving client secret, block with 409.`
`155`	`155`	`if RegisterRequireClientSecret {`
`156`	`156`	`if requestedUUID != "" && n.UUID != "" && requestedUUID != n.UUID && req.ClientID == "" {`
`157`		`- event.AuditWarn([]string{clientIp, string(acl.ResourceCluster), "node %s uuid change requires client secret", event.Denied}, clean.Log(name))`
	`157`	`+ event.AuditWarn([]string{clientIp, string(acl.ResourceCluster), "node %s", "invalid client secret", event.Denied}, clean.Log(name))`
`158`	`158`	`c.JSON(http.StatusConflict, gin.H{"error": "client secret required to change node uuid"})`
`159`	`159`	`return`
`160`	`160`	`}`
`@@ -206,7 +206,7 @@ func ClusterNodesRegister(router *gin.RouterGroup) {`
`206`	`206`	`return`
`207`	`207`	`}`
`208`	`208`	`respSecret = &cluster.RegisterSecrets{ClientSecret: n.ClientSecret, RotatedAt: n.RotatedAt}`
`209`		`- event.AuditInfo([]string{clientIp, string(acl.ResourceCluster), "node %s rotate secret", event.Succeeded}, clean.Log(name))`
	`209`	`+ event.AuditInfo([]string{clientIp, string(acl.ResourceCluster), "node %s", "rotate secret", event.Succeeded}, clean.Log(name))`
`210`	`210`
`211`	`211`	`// Extra safety: ensure the updated secret is persisted even if subsequent steps fail.`
`212`	`212`	`if putErr := regy.Put(n); putErr != nil {`
`@@ -239,7 +239,7 @@ func ClusterNodesRegister(router *gin.RouterGroup) {`
`239`	`239`	`AbortUnexpectedError(c)`
`240`	`240`	`return`
`241`	`241`	`}`
`242`		`- event.AuditInfo([]string{clientIp, string(acl.ResourceCluster), "node %s rotate database", event.Succeeded}, clean.Log(name))`
	`242`	`+ event.AuditInfo([]string{clientIp, string(acl.ResourceCluster), "node %s", "rotate database", event.Succeeded}, clean.Log(name))`
`243`	`243`	`}`
`244`	`244`	`}`
`245`	`245`