Merge pull request #458 from hookdeck/feat/body-logging

feat: improve observability for destinations API 5xx error investigation

Author: leggetter

.plans/redis-error/README.md

@@ -0,0 +1 @@
+This could be useful if we see other errors. However, if we don't, this directory should be removed.

.plans/redis-error/reproduce_redis_execabort.sh

@@ -0,0 +1,136 @@
+#!/bin/bash
+
+# Script to reproduce Redis EXECABORT error by causing marshaling failures
+# in destination.Credentials.MarshalBinary() during Redis transaction
+
+set -e
+
+# Configuration
+BASE_URL="http://localhost:3333/api/v1"
+TENANT_ID="test-tenant"
+API_KEY="apikey"  # Replace with actual API key
+
+echo "=== Redis EXECABORT Reproduction Script ==="
+echo "This script creates API requests that cause json.Marshal() failures"
+echo "in destination.Credentials.MarshalBinary() during Redis transactions"
+echo ""
+
+# Function to make API request
+make_request() {
+    local payload="$1"
+    local description="$2"
+    
+    echo "Testing: $description"
+    echo "Payload: $payload"
+    echo ""
+    
+    curl -X POST \
+        -H "Content-Type: application/json" \
+        -H "Authorization: Bearer $API_KEY" \
+        -d "$payload" \
+        "$BASE_URL/$TENANT_ID/destinations" \
+        -v 2>&1 | head -20
+    
+    echo ""
+    echo "---"
+    echo ""
+}
+
+# Test Case 1: Invalid UTF-8 sequences in credentials
+# JSON marshaling fails when encountering invalid UTF-8 bytes
+echo "=== Test Case 1: Invalid UTF-8 in credentials ==="
+PAYLOAD_UTF8='{
+  "type": "webhook",
+  "topics": ["test.event"],
+  "config": {
+    "url": "https://example.com/webhook"
+  },
+  "credentials": {
+    "secret": "invalid_utf8_\xff\xfe\xfd",
+    "key": "test\x00null_byte"
+  }
+}'
+make_request "$PAYLOAD_UTF8" "Invalid UTF-8 sequences in credentials"
+
+# Test Case 2: Extremely large credential values that may cause memory issues
+echo "=== Test Case 2: Oversized credential values ==="
+LARGE_STRING=$(printf 'A%.0s' {1..1048576})  # 1MB string
+PAYLOAD_LARGE='{
+  "type": "webhook", 
+  "topics": ["test.event"],
+  "config": {
+    "url": "https://example.com/webhook"
+  },
+  "credentials": {
+    "secret": "'"$LARGE_STRING"'",
+    "large_data": "'"$LARGE_STRING"'"
+  }
+}'
+make_request "$PAYLOAD_LARGE" "Oversized credential values (1MB each)"
+
+# Test Case 3: Credentials containing control characters
+echo "=== Test Case 3: Control characters in credentials ==="
+PAYLOAD_CONTROL='{
+  "type": "webhook",
+  "topics": ["test.event"], 
+  "config": {
+    "url": "https://example.com/webhook"
+  },
+  "credentials": {
+    "secret": "control_chars_\u0000\u0001\u0002\u001f",
+    "data": "tabs_and_newlines\t\n\r\f\b"
+  }
+}'
+make_request "$PAYLOAD_CONTROL" "Control characters in credentials"
+
+# Test Case 4: Credentials with nested JSON that becomes malformed when stringified
+echo "=== Test Case 4: Malformed nested JSON structures ==="
+PAYLOAD_NESTED='{
+  "type": "webhook",
+  "topics": ["test.event"],
+  "config": {
+    "url": "https://example.com/webhook"  
+  },
+  "credentials": {
+    "secret": "whsec_abc123",
+    "nested_json": "{\"incomplete\": \"json\", \"missing\":",
+    "circular": "self_reference"
+  }
+}'
+make_request "$PAYLOAD_NESTED" "Malformed nested JSON in credentials"
+
+# Test Case 5: Very deep nested object structures (potential stack overflow)
+echo "=== Test Case 5: Extremely deep nesting ==="
+DEEP_JSON=""
+for i in {1..1000}; do
+    DEEP_JSON="{\"level$i\":$DEEP_JSON}"
+done
+DEEP_JSON="$DEEP_JSON$(printf '}%.0s' {1..1000})"
+
+PAYLOAD_DEEP='{
+  "type": "webhook",
+  "topics": ["test.event"],
+  "config": {
+    "url": "https://example.com/webhook"
+  },
+  "credentials": {
+    "secret": "whsec_abc123",
+    "deep_structure": "'"$DEEP_JSON"'"
+  }
+}'
+make_request "$PAYLOAD_DEEP" "Extremely deep nested structure"
+
+echo "=== Test Complete ==="
+echo ""
+echo "The above requests are designed to trigger json.Marshal() failures during"
+echo "the Redis transaction in entity.go:292, causing EXECABORT errors."
+echo ""
+echo "Expected behavior:"
+echo "- Invalid UTF-8 should cause json.Marshal to fail with invalid UTF-8 error"
+echo "- Oversized payloads may cause memory allocation failures"
+echo "- Control characters may cause marshaling issues"
+echo "- Malformed JSON strings may cause parsing issues during unmarshaling"
+echo "- Deep nesting may cause stack overflow during marshaling"
+echo ""
+echo "Monitor Redis logs and application logs for EXECABORT errors and"
+echo "marshaling failure messages."

.plans/redis-error/reproduce_redis_execabort_simple.md

@@ -0,0 +1,103 @@
+# Redis EXECABORT Reproduction Guide
+
+Based on analysis of the codebase, the Redis EXECABORT error occurs in [`entity.go:292`](internal/models/entity.go:292) when `destination.Credentials.MarshalBinary()` fails during the Redis transaction.
+
+## Root Cause
+
+The failure path is:
+1. POST request to `/api/v1/{tenant_id}/destinations` 
+2. [`destination_handlers.go:99`](internal/services/api/destination_handlers.go:99) calls `h.entityStore.CreateDestination()`
+3. [`entity.go:291`](internal/models/entity.go:291) starts Redis transaction with `TxPipelined()`  
+4. [`entity.go:292`](internal/models/entity.go:292) calls `destination.Credentials.MarshalBinary()`
+5. [`destination.go:176`](internal/models/destination.go:176) calls `json.Marshal(m)` on the credentials map
+6. If `json.Marshal()` fails, the Redis transaction aborts with EXECABORT
+
+## Most Effective Reproduction Methods
+
+### Method 1: Invalid UTF-8 Characters (MOST LIKELY TO SUCCEED)
+
+```bash
+curl -X POST \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer apiKey" \
+  -d '{
+    "type": "webhook",
+    "topics": ["test.event"],  
+    "config": {
+      "url": "https://example.com/webhook"
+    },
+    "credentials": {
+      "secret": "invalid_utf8_\xFF\xFE\xFD",
+      "key": "contains\x00null\x01bytes"
+    }
+  }' \
+  http://localhost:3333/api/v1/test-tenant/destinations
+```
+
+### Method 2: Non-Printable Control Characters
+
+```bash
+curl -X POST \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer apiKey" \
+  -d '{
+    "type": "webhook", 
+    "topics": ["test.event"],
+    "config": {
+      "url": "https://example.com/webhook"
+    },
+    "credentials": {
+      "secret": "control_chars_\u0000\u0001\u0002\u001f",
+      "data": "bell\u0007backspace\u0008"  
+    }
+  }' \
+  http://localhost:3333/api/v1/test-tenant/destinations
+```
+
+### Method 3: Oversized Payload (Memory Exhaustion)
+
+```bash
+# Create a very large credential value
+LARGE_VALUE=$(python3 -c "print('A' * 10485760)")  # 10MB string
+
+curl -X POST \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer apiKey" \
+  -d '{
+    "type": "webhook",
+    "topics": ["test.event"],
+    "config": {
+      "url": "https://example.com/webhook"
+    },
+    "credentials": {
+      "secret": "whsec_abc123",
+      "large_data": "'$LARGE_VALUE'"
+    }
+  }' \
+  http://localhost:3333/api/v1/test-tenant/destinations
+```
+
+## Expected Results
+
+When `json.Marshal()` fails in the Redis transaction, you should see:
+
+1. **In Application Logs:**
+   - Error from `json.Marshal()` (e.g., "invalid UTF-8 in string")
+   - Redis transaction failure
+   - 500 Internal Server Error returned to client
+
+2. **In Redis Logs:**
+   - `EXECABORT` message 
+   - Transaction rollback
+
+3. **Client Response:**
+   - HTTP 500 status code
+   - Internal server error response
+
+## Why These Methods Work
+
+- **Invalid UTF-8**: Go's `json.Marshal()` validates UTF-8 and fails on invalid sequences
+- **Control Characters**: Some control chars cannot be marshaled to valid JSON
+- **Oversized Payloads**: May cause memory allocation failures during marshaling
+
+The key insight is that since `Credentials` is a `map[string]string`, the marshaling failure must come from the string values themselves being unmarshalable, not from complex object structures.

internal/models/entity.go

@@ -288,19 +288,24 @@ func (m *entityStoreImpl) CreateDestination(ctx context.Context, destination Des
 
 func (m *entityStoreImpl) UpsertDestination(ctx context.Context, destination Destination) error {
 	key := redisDestinationID(destination.ID, destination.TenantID)
-	_, err := m.redisClient.TxPipelined(ctx, func(r redis.Pipeliner) error {
-		credentialsBytes, err := destination.Credentials.MarshalBinary()
-		if err != nil {
-			return err
-		}
-		encryptedCredentials, err := m.cipher.Encrypt(credentialsBytes)
-		if err != nil {
-			return err
-		}
+
+	// Pre-marshal and encrypt credentials BEFORE starting Redis transaction
+	// This isolates marshaling failures from Redis transaction failures
+	credentialsBytes, err := destination.Credentials.MarshalBinary()
+	if err != nil {
+		return fmt.Errorf("invalid destination credentials: %w", err)
+	}
+	encryptedCredentials, err := m.cipher.Encrypt(credentialsBytes)
+	if err != nil {
+		return fmt.Errorf("failed to encrypt destination credentials: %w", err)
+	}
+
+	// All marshaling and encryption successful - now perform Redis operations
+	_, err = m.redisClient.TxPipelined(ctx, func(r redis.Pipeliner) error {
 		// Support overriding deleted resources
 		r.Persist(ctx, key)
 		r.HDel(ctx, key, "deleted_at")
-		// Set the new destination values
+		// Set the new destination values with pre-processed data
 		r.HSet(ctx, key, "id", destination.ID)
 		r.HSet(ctx, key, "type", destination.Type)
 		r.HSet(ctx, key, "topics", &destination.Topics)

internal/services/api/logger_middleware.go

@@ -14,6 +14,10 @@ import (
 )
 
 func LoggerMiddleware(logger *logging.Logger) gin.HandlerFunc {
+	return LoggerMiddlewareWithSanitizer(logger, nil)
+}
+
+func LoggerMiddlewareWithSanitizer(logger *logging.Logger, sanitizer *RequestBodySanitizer) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		// Skip logging portal requests
 		if !strings.Contains(c.Request.URL.Path, "api/v") {
@@ -22,6 +26,19 @@ func LoggerMiddleware(logger *logging.Logger) gin.HandlerFunc {
 		}
 
 		logger := logger.Ctx(c.Request.Context()).WithOptions(zap.AddStacktrace(zap.FatalLevel))
+
+		// Buffer request body if we have a sanitizer and this might be a destination request
+		var bufferedBody *BufferedReader
+		var requestBodyFields []zap.Field
+
+		if sanitizer != nil && shouldBufferRequestBody(c) {
+			if br, err := NewBufferedReader(c.Request.Body); err == nil {
+				bufferedBody = br
+				// Replace the request body with a new reader so the handler can still read it
+				c.Request.Body = br.NewReadCloser()
+			}
+		}
+
 		c.Next()
 
 		fields := []zap.Field{}
@@ -30,6 +47,12 @@ func LoggerMiddleware(logger *logging.Logger) gin.HandlerFunc {
 		fields = append(fields, queryFields(c)...)
 		fields = append(fields, errorFields(c)...)
 
+		// Add sanitized request body for 5xx errors
+		if c.Writer.Status() >= 500 && bufferedBody != nil {
+			requestBodyFields = getRequestBodyFields(bufferedBody, sanitizer)
+			fields = append(fields, requestBodyFields...)
+		}
+
 		if c.Writer.Status() >= 500 {
 			logger.Error("request completed", fields...)
 
@@ -155,3 +178,47 @@ func getErrorWithStackTrace(err error) error {
 	}
 	return err
 }
+
+// shouldBufferRequestBody determines if we should buffer the request body for potential logging
+func shouldBufferRequestBody(c *gin.Context) bool {
+	// Only buffer POST, PUT, PATCH requests that might contain request bodies
+	method := c.Request.Method
+	if method != "POST" && method != "PUT" && method != "PATCH" {
+		return false
+	}
+
+	// Exclude publish endpoints since they contain user data that shouldn't be logged. We could consider making this configurable in the future.
+	path := c.Request.URL.Path
+	if strings.Contains(path, "/publish") {
+		return false
+	}
+
+	// Buffer all other POST/PUT/PATCH requests for potential 5xx error logging
+	return true
+}
+
+// getRequestBodyFields creates log fields for sanitized request body
+func getRequestBodyFields(bufferedBody *BufferedReader, sanitizer *RequestBodySanitizer) []zap.Field {
+	if bufferedBody == nil || sanitizer == nil {
+		return []zap.Field{
+			zap.String("request_body", "[NO_BODY]"),
+		}
+	}
+
+	sanitizedBody, err := sanitizer.SanitizeRequestBody(bufferedBody.NewReader())
+	if err != nil {
+		return []zap.Field{
+			zap.String("request_body_error", err.Error()),
+		}
+	}
+
+	if len(sanitizedBody) == 0 {
+		return []zap.Field{
+			zap.String("request_body", "[EMPTY_BODY]"),
+		}
+	}
+
+	return []zap.Field{
+		zap.String("request_body", string(sanitizedBody)),
+	}
+}