Summary
The group_audit_log table has a jti column intended to record the JWT ID of the request that triggered each audit entry (src/db/migrations/group/001_initial.ts:39). However, every call to audit.log() passes null for this field — no call site supplies a value.
Details
- The schema intent is to allow tracing audit log entries back to specific authenticated requests.
- Without jti, it is impossible to correlate an audit entry with a particular token or caller session.
- This is a gap between schema intent and implementation, not a security vulnerability.
Suggested Fix
- Thread the jti from the verified auth token through to audit.log() at each call site.
- The jti is already available in the auth verifier output (src/auth/verifier.ts).
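An added TypeScript sketch of the threading described above (example code, not the project's own): the verifier output carries the jti, the audit entry type makes it required instead of nullable so a call site that drops it fails to compile, and a lookup correlates entries back to one token. The VerifiedToken, AuditLog and removeMember shapes are assumptions; the real audit.log() and src/auth/verifier.ts signatures are not on the page.

```typescript
// Added example, not the project's code. All shapes below are assumptions.

// What the auth verifier is assumed to return after validating a JWT.
export interface VerifiedToken {
  sub: string; // caller identity
  jti: string; // JWT ID, unique per issued token
}

export interface AuditEntry {
  action: string;
  groupId: string;
  actor: string;
  // Required, not `string | null`: a call site that forgets to thread the
  // JWT ID through is rejected at compile time rather than writing null.
  jti: string;
  at: number;
}

export class AuditLog {
  private readonly entries: AuditEntry[] = [];

  log(entry: Omit<AuditEntry, "at">): AuditEntry {
    const full: AuditEntry = { ...entry, at: Date.now() };
    this.entries.push(full);
    return full;
  }

  // Correlation the schema intends: every entry written under one token.
  byJti(jti: string): AuditEntry[] {
    return this.entries.filter((e) => e.jti === jti);
  }
}

// Stand-in verifier: reads sub/jti from a constructed base64url JSON payload.
// A real verifier validates the signature first; this only extracts claims.
export function verifyToken(token: string): VerifiedToken {
  const payload = JSON.parse(Buffer.from(token, "base64url").toString("utf8"));
  if (typeof payload.sub !== "string" || typeof payload.jti !== "string") {
    throw new Error("token missing sub/jti claims");
  }
  return { sub: payload.sub, jti: payload.jti };
}

// Hypothetical handler: the verified token's jti reaches audit.log() at the call site.
export function removeMember(audit: AuditLog, token: string, groupId: string): AuditEntry {
  const caller = verifyToken(token);
  return audit.log({ action: "group.member.remove", groupId, actor: caller.sub, jti: caller.jti });
}
```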