feat: log sb-auth-user-id, sb-auth-session-id, ... on sign in not just refresh token (#2342)

hf · web-flow · commit a486ada3683b · 2026-01-22T13:50:37.000+07:00
In #2216 some new headers were added to responses that are able to track the user ID, session and other data which cannot be extracted from JWTs. This aids in debugging and correlation of all requests made by a specific user.
diff --git a/internal/api/anonymous.go b/internal/api/anonymous.go
@@ -44,7 +44,7 @@ func (a *API) SignupAnonymously(w http.ResponseWriter, r *http.Request) error {
 		if terr != nil {
 			return terr
 		}
-		token, terr = a.issueRefreshToken(r, tx, newUser, models.Anonymous, grantParams)
+		token, terr = a.issueRefreshToken(r, w.Header(), tx, newUser, models.Anonymous, grantParams)
 		if terr != nil {
 			return terr
 		}
diff --git a/internal/api/external.go b/internal/api/external.go
@@ -257,7 +257,7 @@ func (a *API) internalExternalProviderCallback(w http.ResponseWriter, r *http.Re
 			terr = tx.Update(flowState)
 		} else {
 			// Implicit flow: issue tokens directly
-			token, terr = a.issueRefreshToken(r, tx, user, models.OAuth, grantParams)
+			token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.OAuth, grantParams)
 			if terr == nil && flowState != nil {
 				terr = tx.Destroy(flowState)
 			}
diff --git a/internal/api/samlacs.go b/internal/api/samlacs.go
@@ -320,7 +320,7 @@ func (a *API) handleSamlAcs(w http.ResponseWriter, r *http.Request) error {
 			}
 		}
 
-		token, terr = a.issueRefreshToken(r, tx, user, models.SSOSAML, grantParams)
+		token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.SSOSAML, grantParams)
 
 		if terr != nil {
 			return apierrors.NewInternalServerError("Unable to issue refresh token from SAML Assertion").WithInternalError(terr)
diff --git a/internal/api/signup.go b/internal/api/signup.go
@@ -312,7 +312,7 @@ func (a *API) Signup(w http.ResponseWriter, r *http.Request) error {
 			}); terr != nil {
 				return terr
 			}
-			token, terr = a.issueRefreshToken(r, tx, user, models.PasswordGrant, grantParams)
+			token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.PasswordGrant, grantParams)
 
 			if terr != nil {
 				return terr
diff --git a/internal/api/token.go b/internal/api/token.go
@@ -295,8 +295,8 @@ func (a *API) generateAccessToken(r *http.Request, tx *storage.Connection, user
 	})
 }
 
-func (a *API) issueRefreshToken(r *http.Request, conn *storage.Connection, user *models.User, authenticationMethod models.AuthenticationMethod, grantParams models.GrantParams) (*tokens.AccessTokenResponse, error) {
-	return a.tokenService.IssueRefreshToken(r, make(http.Header), conn, user, authenticationMethod, grantParams)
+func (a *API) issueRefreshToken(r *http.Request, headers http.Header, conn *storage.Connection, user *models.User, authenticationMethod models.AuthenticationMethod, grantParams models.GrantParams) (*tokens.AccessTokenResponse, error) {
+	return a.tokenService.IssueRefreshToken(r, headers, conn, user, authenticationMethod, grantParams)
 }
 
 func (a *API) updateMFASessionAndClaims(r *http.Request, tx *storage.Connection, user *models.User, authenticationMethod models.AuthenticationMethod, grantParams models.GrantParams) (*tokens.AccessTokenResponse, error) {
diff --git a/internal/api/token_oidc.go b/internal/api/token_oidc.go
@@ -306,7 +306,7 @@ func (a *API) IdTokenGrant(ctx context.Context, w http.ResponseWriter, r *http.R
 			return terr
 		}
 
-		token, terr = a.issueRefreshToken(r, tx, user, models.OAuth, grantParams)
+		token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.OAuth, grantParams)
 		if terr != nil {
 			return terr
 		}
diff --git a/internal/api/verify.go b/internal/api/verify.go
@@ -182,7 +182,7 @@ func (a *API) verifyGet(w http.ResponseWriter, r *http.Request, params *VerifyPa
 		}
 
 		if isImplicitFlow(flowType) {
-			token, terr = a.issueRefreshToken(r, tx, user, models.OTP, grantParams)
+			token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.OTP, grantParams)
 			if terr != nil {
 				return terr
 			}
@@ -282,7 +282,7 @@ func (a *API) verifyPost(w http.ResponseWriter, r *http.Request, params *VerifyP
 		if terr := tx.Reload(user); terr != nil {
 			return terr
 		}
-		token, terr = a.issueRefreshToken(r, tx, user, models.OTP, grantParams)
+		token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.OTP, grantParams)
 		if terr != nil {
 			return terr
 		}
diff --git a/internal/api/web3.go b/internal/api/web3.go
@@ -165,7 +165,7 @@ func (a *API) web3GrantSolana(ctx context.Context, w http.ResponseWriter, r *htt
 			return terr
 		}
 
-		token, terr = a.issueRefreshToken(r, tx, user, models.Web3, grantParams)
+		token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.Web3, grantParams)
 		if terr != nil {
 			return terr
 		}
@@ -311,7 +311,7 @@ func (a *API) web3GrantEthereum(ctx context.Context, w http.ResponseWriter, r *h
 			return terr
 		}
 
-		token, terr = a.issueRefreshToken(r, tx, user, models.Web3, grantParams)
+		token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.Web3, grantParams)
 		if terr != nil {
 			return terr
 		}

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ func (a API) SignupAnonymously(w http.ResponseWriter, r http.Request) error {`
`44`	`44`	`if terr != nil {`
`45`	`45`	`return terr`
`46`	`46`	`}`
`47`		`- token, terr = a.issueRefreshToken(r, tx, newUser, models.Anonymous, grantParams)`
	`47`	`+ token, terr = a.issueRefreshToken(r, w.Header(), tx, newUser, models.Anonymous, grantParams)`
`48`	`48`	`if terr != nil {`
`49`	`49`	`return terr`
`50`	`50`	`}`
Original file line number	Diff line number	Diff line change
`@@ -257,7 +257,7 @@ func (a API) internalExternalProviderCallback(w http.ResponseWriter, r http.Re`
`257`	`257`	`terr = tx.Update(flowState)`
`258`	`258`	`} else {`
`259`	`259`	`// Implicit flow: issue tokens directly`
`260`		`- token, terr = a.issueRefreshToken(r, tx, user, models.OAuth, grantParams)`
	`260`	`+ token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.OAuth, grantParams)`
`261`	`261`	`if terr == nil && flowState != nil {`
`262`	`262`	`terr = tx.Destroy(flowState)`
`263`	`263`	`}`
Original file line number	Diff line number	Diff line change
`@@ -320,7 +320,7 @@ func (a API) handleSamlAcs(w http.ResponseWriter, r http.Request) error {`
`320`	`320`	`}`
`321`	`321`	`}`
`322`	`322`
`323`		`- token, terr = a.issueRefreshToken(r, tx, user, models.SSOSAML, grantParams)`
	`323`	`+ token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.SSOSAML, grantParams)`
`324`	`324`
`325`	`325`	`if terr != nil {`
`326`	`326`	`return apierrors.NewInternalServerError("Unable to issue refresh token from SAML Assertion").WithInternalError(terr)`
Original file line number	Diff line number	Diff line change
`@@ -312,7 +312,7 @@ func (a API) Signup(w http.ResponseWriter, r http.Request) error {`
`312`	`312`	`}); terr != nil {`
`313`	`313`	`return terr`
`314`	`314`	`}`
`315`		`- token, terr = a.issueRefreshToken(r, tx, user, models.PasswordGrant, grantParams)`
	`315`	`+ token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.PasswordGrant, grantParams)`
`316`	`316`
`317`	`317`	`if terr != nil {`
`318`	`318`	`return terr`
Original file line number	Diff line number	Diff line change
`@@ -295,8 +295,8 @@ func (a API) generateAccessToken(r http.Request, tx *storage.Connection, user`
`295`	`295`	`})`
`296`	`296`	`}`
`297`	`297`
`298`		`-func (a API) issueRefreshToken(r http.Request, conn storage.Connection, user models.User, authenticationMethod models.AuthenticationMethod, grantParams models.GrantParams) (*tokens.AccessTokenResponse, error) {`
`299`		`- return a.tokenService.IssueRefreshToken(r, make(http.Header), conn, user, authenticationMethod, grantParams)`
	`298`	`+func (a API) issueRefreshToken(r http.Request, headers http.Header, conn storage.Connection, user models.User, authenticationMethod models.AuthenticationMethod, grantParams models.GrantParams) (*tokens.AccessTokenResponse, error) {`
	`299`	`+ return a.tokenService.IssueRefreshToken(r, headers, conn, user, authenticationMethod, grantParams)`
`300`	`300`	`}`
`301`	`301`
`302`	`302`	`func (a API) updateMFASessionAndClaims(r http.Request, tx storage.Connection, user models.User, authenticationMethod models.AuthenticationMethod, grantParams models.GrantParams) (*tokens.AccessTokenResponse, error) {`
Original file line number	Diff line number	Diff line change
`@@ -306,7 +306,7 @@ func (a API) IdTokenGrant(ctx context.Context, w http.ResponseWriter, r http.R`
`306`	`306`	`return terr`
`307`	`307`	`}`
`308`	`308`
`309`		`- token, terr = a.issueRefreshToken(r, tx, user, models.OAuth, grantParams)`
	`309`	`+ token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.OAuth, grantParams)`
`310`	`310`	`if terr != nil {`
`311`	`311`	`return terr`
`312`	`312`	`}`
Original file line number	Diff line number	Diff line change
`@@ -182,7 +182,7 @@ func (a API) verifyGet(w http.ResponseWriter, r http.Request, params *VerifyPa`
`182`	`182`	`}`
`183`	`183`
`184`	`184`	`if isImplicitFlow(flowType) {`
`185`		`- token, terr = a.issueRefreshToken(r, tx, user, models.OTP, grantParams)`
	`185`	`+ token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.OTP, grantParams)`
`186`	`186`	`if terr != nil {`
`187`	`187`	`return terr`
`188`	`188`	`}`
`@@ -282,7 +282,7 @@ func (a API) verifyPost(w http.ResponseWriter, r http.Request, params *VerifyP`
`282`	`282`	`if terr := tx.Reload(user); terr != nil {`
`283`	`283`	`return terr`
`284`	`284`	`}`
`285`		`- token, terr = a.issueRefreshToken(r, tx, user, models.OTP, grantParams)`
	`285`	`+ token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.OTP, grantParams)`
`286`	`286`	`if terr != nil {`
`287`	`287`	`return terr`
`288`	`288`	`}`
Original file line number	Diff line number	Diff line change
`@@ -165,7 +165,7 @@ func (a API) web3GrantSolana(ctx context.Context, w http.ResponseWriter, r htt`
`165`	`165`	`return terr`
`166`	`166`	`}`
`167`	`167`
`168`		`- token, terr = a.issueRefreshToken(r, tx, user, models.Web3, grantParams)`
	`168`	`+ token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.Web3, grantParams)`
`169`	`169`	`if terr != nil {`
`170`	`170`	`return terr`
`171`	`171`	`}`
`@@ -311,7 +311,7 @@ func (a API) web3GrantEthereum(ctx context.Context, w http.ResponseWriter, r h`
`311`	`311`	`return terr`
`312`	`312`	`}`
`313`	`313`
`314`		`- token, terr = a.issueRefreshToken(r, tx, user, models.Web3, grantParams)`
	`314`	`+ token, terr = a.issueRefreshToken(r, w.Header(), tx, user, models.Web3, grantParams)`
`315`	`315`	`if terr != nil {`
`316`	`316`	`return terr`
`317`	`317`	`}`