feat: add missing metrics and logging to auth exceptions

seapagan · seapagan · commit a7c8d10d3dce · 2026-01-09T23:24:34.000Z
Complete observability for all auth HTTPExceptions in refresh, verify,
reset_password, and get_jwt_user flows.

All 663 tests passing with 100% coverage.
diff --git a/app/managers/auth.py b/app/managers/auth.py
@@ -179,6 +179,10 @@ async def refresh(
             or not is_valid_jwt_format(refresh_token.refresh)
         ):
             increment_auth_failure("invalid_token", "refresh_token")
+            category_logger.warning(
+                "Refresh attempted with invalid token format",
+                LogCategory.AUTH,
+            )
             raise HTTPException(
                 status.HTTP_401_UNAUTHORIZED, ResponseMessages.INVALID_TOKEN
             )
@@ -226,6 +230,11 @@ async def refresh(
             user_data = await get_user_by_id_(user_id, session)
 
             if not user_data:
+                increment_auth_failure("user_not_found", "refresh_token")
+                category_logger.warning(
+                    f"Refresh attempted with non-existent user ID: {user_id}",
+                    LogCategory.AUTH,
+                )
                 raise HTTPException(
                     status.HTTP_404_NOT_FOUND, ResponseMessages.USER_NOT_FOUND
                 )
@@ -273,6 +282,11 @@ async def verify(code: str, session: AsyncSession) -> None:
             or len(code) > MAX_JWT_TOKEN_LENGTH
             or not is_valid_jwt_format(code)
         ):
+            increment_auth_failure("invalid_token", "verify_email")
+            category_logger.warning(
+                "Email verification with invalid token format",
+                LogCategory.AUTH,
+            )
             raise HTTPException(
                 status.HTTP_401_UNAUTHORIZED, ResponseMessages.INVALID_TOKEN
             )
@@ -320,17 +334,32 @@ async def verify(code: str, session: AsyncSession) -> None:
             user_data = await get_user_by_id_(user_id, session)
 
             if not user_data:
+                increment_auth_failure("user_not_found", "verify_email")
+                category_logger.warning(
+                    f"Email verification with non-existent user ID: {user_id}",
+                    LogCategory.AUTH,
+                )
                 raise HTTPException(
                     status.HTTP_404_NOT_FOUND, ResponseMessages.USER_NOT_FOUND
                 )
 
             # block a banned user
             if bool(user_data.banned):
+                increment_auth_failure("banned_user", "verify_email")
+                category_logger.warning(
+                    f"Banned user {user_data.id} attempted email verification",
+                    LogCategory.AUTH,
+                )
                 raise HTTPException(
                     status.HTTP_401_UNAUTHORIZED, ResponseMessages.INVALID_TOKEN
                 )
 
             if bool(user_data.verified):
+                increment_auth_failure("already_verified", "verify_email")
+                category_logger.warning(
+                    f"User {user_data.id} verification when already verified",
+                    LogCategory.AUTH,
+                )
                 raise HTTPException(
                     status.HTTP_401_UNAUTHORIZED, ResponseMessages.INVALID_TOKEN
                 )
@@ -353,13 +382,15 @@ async def verify(code: str, session: AsyncSession) -> None:
             )
 
         except jwt.ExpiredSignatureError as exc:
+            increment_auth_failure("expired_token", "verify_email")
             category_logger.warning(
                 "Expired verification token used", LogCategory.AUTH
             )
             raise HTTPException(
                 status.HTTP_401_UNAUTHORIZED, ResponseMessages.EXPIRED_TOKEN
             ) from exc
         except jwt.InvalidTokenError as exc:
+            increment_auth_failure("invalid_token", "verify_email")
             category_logger.warning(
                 "Invalid verification token used", LogCategory.AUTH
             )
@@ -425,6 +456,11 @@ async def reset_password(
             or len(code) > MAX_JWT_TOKEN_LENGTH
             or not is_valid_jwt_format(code)
         ):
+            increment_auth_failure("invalid_token", "password_reset")
+            category_logger.warning(
+                "Password reset with invalid token format",
+                LogCategory.AUTH,
+            )
             raise HTTPException(
                 status.HTTP_401_UNAUTHORIZED, ResponseMessages.INVALID_TOKEN
             )
@@ -472,12 +508,22 @@ async def reset_password(
             user_data = await get_user_by_id_(user_id, session)
 
             if not user_data:
+                increment_auth_failure("user_not_found", "password_reset")
+                category_logger.warning(
+                    f"Password reset with non-existent user ID: {user_id}",
+                    LogCategory.AUTH,
+                )
                 raise HTTPException(
                     status.HTTP_404_NOT_FOUND, ResponseMessages.USER_NOT_FOUND
                 )
 
             # Block banned users from resetting password
             if bool(user_data.banned):
+                increment_auth_failure("banned_user", "password_reset")
+                category_logger.warning(
+                    f"Banned user {user_data.id} attempted password reset",
+                    LogCategory.AUTH,
+                )
                 raise HTTPException(
                     status.HTTP_401_UNAUTHORIZED, ResponseMessages.INVALID_TOKEN
                 )
@@ -499,13 +545,15 @@ async def reset_password(
             )
 
         except jwt.ExpiredSignatureError as exc:
+            increment_auth_failure("expired_token", "password_reset")
             category_logger.warning(
                 "Expired password reset token used", LogCategory.AUTH
             )
             raise HTTPException(
                 status.HTTP_401_UNAUTHORIZED, ResponseMessages.EXPIRED_TOKEN
             ) from exc
         except jwt.InvalidTokenError as exc:
+            increment_auth_failure("invalid_token", "password_reset")
             category_logger.warning(
                 "Invalid password reset token used", LogCategory.AUTH
             )
@@ -636,6 +684,7 @@ async def get_jwt_user(  # noqa: C901
 
         # Check user validity - user must exist, be verified, and not banned
         if not user_data:
+            increment_auth_failure("user_not_found", "jwt")
             category_logger.warning(
                 "Authentication attempted with invalid user token",
                 LogCategory.AUTH,
diff --git a/tests/unit/test_jwt_auth.py b/tests/unit/test_jwt_auth.py
@@ -134,7 +134,7 @@ async def test_jwt_auth_missing_sub_rejected(self, test_db, mocker) -> None:
 
     async def test_jwt_auth_string_sub_claim(self, test_db, mocker) -> None:
         """Test with a token containing string sub claim."""
-        token, _ = await UserManager.register(self.test_user, test_db)
+        await UserManager.register(self.test_user, test_db)
         # Create a JWT with string 'sub' instead of int
         token = jwt.encode(
             {

Original file line number	Diff line number	Diff line change
`@@ -134,7 +134,7 @@ async def test_jwt_auth_missing_sub_rejected(self, test_db, mocker) -> None:`
`134`	`134`
`135`	`135`	`async def test_jwt_auth_string_sub_claim(self, test_db, mocker) -> None:`
`136`	`136`	`"""Test with a token containing string sub claim."""`
`137`		`- token, _ = await UserManager.register(self.test_user, test_db)`
	`137`	`+ await UserManager.register(self.test_user, test_db)`
`138`	`138`	`# Create a JWT with string 'sub' instead of int`
`139`	`139`	`token = jwt.encode(`
`140`	`140`	`{`