Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
156 changes: 138 additions & 18 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@
"@privacybydesign/yivi-core": "^1.0.0",
"@privacybydesign/yivi-css": "^1.0.1",
"@privacybydesign/yivi-web": "^1.0.1",
"pino": "^10.3.1",
"sass": "^1.100.0",
"svelte-i18n": "^4.0.1"
},
Expand Down
2 changes: 2 additions & 0 deletions src/app.d.ts
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ declare global {
yiviAttributes: Record<string, string>;
} | null;
locale: string;
requestId: string;
log: import('$lib/server/logger').Logger;
}
// interface PageData {}
// interface PageState {}
Expand Down
46 changes: 45 additions & 1 deletion src/hooks.server.ts
Original file line number Diff line number Diff line change
@@ -1,8 +1,25 @@
import type { Handle } from '@sveltejs/kit';
import type { Handle, HandleServerError } from '@sveltejs/kit';
import { resolveSession } from '$lib/server/auth/session';
import { normalizeLocale } from '$lib/i18n';
import { logger } from '$lib/server/logger';

const REQUEST_ID_MAX = 64;

// Use a client-supplied X-Request-Id when present (sanitised), otherwise mint
// one. Keeps correlation across a proxy without trusting arbitrary input.
function resolveRequestId(header: string | null): string {
if (header) {
const cleaned = header.replace(/[^a-zA-Z0-9_-]/g, '').slice(0, REQUEST_ID_MAX);
if (cleaned) return cleaned;
}
return crypto.randomUUID();
}

export const handle: Handle = async ({ event, resolve }) => {
const requestId = resolveRequestId(event.request.headers.get('x-request-id'));
event.locals.requestId = requestId;
event.locals.log = logger.child({ requestId });

const token = event.cookies.get('pg_session');

if (token) {
Expand All @@ -19,12 +36,39 @@ export const handle: Handle = async ({ event, resolve }) => {
// per-request inside `+layout.ts`.
event.locals.locale = normalizeLocale(event.request.headers.get('accept-language'));

const start = performance.now();
const response = await resolve(event);
const durationMs = Math.round(performance.now() - start);

response.headers.set('X-Request-Id', requestId);
response.headers.set('X-Frame-Options', 'DENY');
response.headers.set('X-Content-Type-Options', 'nosniff');
response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');

// Skip the noisy liveness/readiness probes.
const path = event.url.pathname;
if (path !== '/health' && path !== '/readyz') {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: the request-log skip excludes both /health and /readyz, but there's no /readyz route in the repo (only /health). Harmless dead condition — either add the readiness probe or drop the && path !== '/readyz' clause.

event.locals.log.info(
{ method: event.request.method, path, status: response.status, durationMs },
'request'
);
}

return response;
};

export const handleError: HandleServerError = ({ error, event, status, message }) => {
logger.error(
{
requestId: event.locals.requestId,
method: event.request.method,
path: event.url.pathname,
status,
err: error instanceof Error ? { message: error.message, stack: error.stack } : String(error)
},
'unhandled error'
);

return { message };
};
12 changes: 12 additions & 0 deletions src/lib/server/logger.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
import pino from 'pino';
import { env } from '$env/dynamic/private';

// Structured JSON logger to stdout. No transport is configured, which keeps it
// robust under the bundled adapter-node server; set LOG_LEVEL to control
// verbosity (default: info). Request-scoped child loggers (carrying a
// requestId) are created in hooks.server.ts and exposed via `event.locals.log`.
export const logger = pino({
level: env.LOG_LEVEL ?? 'info'
});

export type Logger = typeof logger;
16 changes: 10 additions & 6 deletions src/lib/server/services/dns-verification.ts
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ import { dnsVerifications } from '$lib/server/db/schema';
import { eq } from 'drizzle-orm';
import { randomBytes } from 'crypto';
import { resolve } from 'dns/promises';
import { logger } from '$lib/server/logger';

export async function getOrCreateDnsVerification(orgId: string, domain: string) {
const existing = await db
Expand Down Expand Up @@ -64,12 +65,15 @@ export async function verifyDns(orgId: string): Promise<{
}
} catch (err) {
const code = (err as NodeJS.ErrnoException)?.code;
console.error('[dns-verification] resolve failed', {
orgId,
domain: record.domain,
code,
message: err instanceof Error ? err.message : String(err)
});
logger.error(
{
orgId,
domain: record.domain,
code,
err: err instanceof Error ? err.message : String(err)
},
'dns resolve failed'
);
await db
.update(dnsVerifications)
.set({ lastCheckedAt: new Date() })
Expand Down
4 changes: 2 additions & 2 deletions src/routes/api/csp-report/+server.ts
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
import type { RequestHandler } from './$types';

export const POST: RequestHandler = async ({ request }) => {
export const POST: RequestHandler = async ({ request, locals }) => {
try {
const text = await request.text();
console.warn('[csp-report]', text.slice(0, 4096));
locals.log.warn({ report: text.slice(0, 4096) }, 'csp violation');
} catch {
// ignore — best-effort
}
Expand Down
Loading
Loading