fix: add logging to authentication errors in controller and router

[mangelajo]

Fixes #811

Summary

Authentication failures were silently dropped in several places — no log output was produced, making it very hard to diagnose connection/auth issues.

Controller (Go)

controller/internal/service/controller_service.go
Added logger.Info("unable to authenticate ...") before returning auth errors in 5 methods that were previously silent:

• Listen (exporter auth)
• GetLease (client auth)
• RequestLease (client auth)
• ReleaseLease (client auth)
• ListLeases (client auth)

controller/internal/service/auth/auth.go
Added logging directly into the AuthClient and AuthExporter helpers. This covers all ClientService call sites at once (8 total). Both token verification failures and namespace mismatch errors are now logged.

controller/internal/service/router_service.go
Fixed the gRPC status code for invalid JWT tokens: codes.InvalidArgument → codes.Unauthenticated (semantically correct for a failed authentication).

Python Exporter

python/packages/jumpstarter/jumpstarter/exporter/auth.py
Added logger.warning(...) in PassphraseInterceptor.intercept_service when an RPC arrives with an invalid or missing passphrase. The logger was already defined at module level but never used.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds structured error logging on authentication failures across Auth.AuthClient, Auth.AuthExporter, and five ControllerService RPC methods. Introduces a PeerAddr helper to extract and normalize gRPC peer information for request context logging. Corrects the gRPC status code for JWT validation failure in the router service from InvalidArgument to Unauthenticated. Adds a warning log on passphrase rejection in the Python exporter interceptor. Comprehensive test suite validates logging behavior across Go and Python layers, including token leak prevention.

Changes

Authentication Error Logging and Status Fix

Layer / File(s)	Summary
Auth helpers setup with PeerAddr and net imports controller/internal/service/auth/auth.go	Adds net and peer package imports and exports PeerAddr(ctx) helper to extract gRPC peer addresses from context; the helper normalizes the remote host via net.SplitHostPort with fallback to "unknown" on parse failure or missing peer data.
AuthClient and AuthExporter structured logging and error handling controller/internal/service/auth/auth.go	Both AuthClient and AuthExporter create request-scoped loggers from context and bind the computed peer address into structured log fields; token verification errors are logged with "*_authentication failed" messages; namespace mismatches construct and return codes.PermissionDenied status errors with explicit logging of mismatch and authenticated identity.
ControllerService auth failure handling simplification controller/internal/service/controller_service.go	Register, Unregister, ReportStatus, Status, and Dial methods remove duplicate error logging and return authentication errors directly; logContext now derives peer information via PeerAddr instead of raw address strings, centralizing logging in the Auth helpers.
Router service JWT error code and logging updates controller/internal/service/router_service.go	JWT validation failure now returns codes.Unauthenticated instead of codes.InvalidArgument with the same error message; Stream authentication failure logging is updated to use logContext(stream.Context()) and emit Info-level logs with structured error fields and message "router authentication failed".
Python exporter passphrase rejection logging python/packages/jumpstarter/jumpstarter/exporter/auth.py	The server-side PassphraseInterceptor now emits a logger.warning that includes the failing RPC method name when passphrase validation fails.
Auth service test suite for logging and PeerAddr behavior controller/internal/service/auth/auth_test.go	Comprehensive test suite covers PeerAddr parsing edge cases (missing peers, IPv6 bracketing, unparseable addresses, nil addresses, Unix sockets), validates AuthClient and AuthExporter logging (token verification failures, namespace mismatches with PermissionDenied errors), ensures success paths emit no spurious failure logs, and verifies no token leaks in error messages.
ControllerService test coverage for auth logging and peer enrichment controller/internal/service/controller_service_test.go	Test imports are updated to support log capture via gRPC metadata and peer context; TestRouterAuthenticateNoTokenLeak verifies sensitive tokens are not leaked in captured logs; additional tests validate authentication error code classification, logContext peer enrichment across multiple address shapes, and a documentation-level invariant ensuring auth-failure logging is not duplicated in ControllerService RPC methods.
Python exporter session test coverage for auth logging python/packages/jumpstarter/jumpstarter/exporter/session_test.py	Session test imports are updated to support log capture; new async tests validate that passphrase authentication failures emit warning logs including the RPC method name, while successful authentication produces no spurious failure warnings.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• jumpstarter-dev/jumpstarter#726: Introduced VerifyClientObjectToken/VerifyExporterObjectToken with per-client/exporter error shaping that this PR now surfaces through the new error logging statements and gRPC status code corrections.

Suggested reviewers

• evakhoni

Poem

🐇 Hop hop, the errors speak now,
No more silent auth denials!
Unauthenticated rings true,
And logs trace each failed clue,
The rabbit hops through peer-aware paths,
Where namespace mishaps find their maps! 🪵

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 58.82% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main objective of adding logging to authentication errors across both controller and router components.
Description check	✅ Passed	The description provides a detailed overview of authentication error logging additions across multiple files and components, with clear before/after context.
Linked Issues check	✅ Passed	The PR fully addresses issue #811 by adding comprehensive logging to authentication errors in controller and router, improving observability for diagnosing connection/auth issues.
Out of Scope Changes check	✅ Passed	All changes are directly related to the objective of adding authentication error logging. The gRPC status code correction and PeerAddr helper function are necessary supporting changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/auth-error-logging

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

controller/internal/service/controller_service.go (1)

527-528: ⚡ Quick win

Centralize auth-failure logging in the auth helper methods.

The same auth-failure log block is repeated in multiple RPC handlers. Moving this into authenticateClient / authenticateExporter will keep behavior consistent and reduce drift when new handlers are added.

Refactor sketch

 func (s *ControllerService) authenticateClient(ctx context.Context) (*jumpstarterdevv1alpha1.Client, error) {
-	return oidc.VerifyClientObjectToken(
+	logger := log.FromContext(ctx)
+	jclient, err := oidc.VerifyClientObjectToken(
 		ctx,
 		s.Authn,
 		s.Authz,
 		s.Attr,
 		s.Client,
 	)
+	if err != nil {
+		logger.Info("unable to authenticate client", "error", err.Error())
+		return nil, err
+	}
+	return jclient, nil
 }

-	logger := log.FromContext(ctx)
-	client, err := s.authenticateClient(ctx)
-	if err != nil {
-		logger.Info("unable to authenticate client", "error", err.Error())
-		return nil, err
-	}
+	client, err := s.authenticateClient(ctx)
+	if err != nil {
+		return nil, err
+	}

Also applies to: 902-907, 984-989, 1041-1046, 1075-1080

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controller/internal/service/controller_service.go` around lines 527 - 528,
The auth-failure logging at lines 527-528 is duplicated across multiple RPC
handlers (also appearing at 902-907, 984-989, 1041-1046, 1075-1080). Move the
logging logic from the error-handling blocks in each RPC handler into the
authenticateClient and authenticateExporter helper methods themselves. This way,
when these helper methods return an error, they will already include the
appropriate log statement, eliminating the need to repeat the logger.Info call
with "unable to authenticate" messages in each caller. Update all RPC handlers
to remove their redundant logging blocks and rely on the centralized logging
within the auth helper methods.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@controller/internal/service/controller_service.go`:
- Around line 527-528: The auth-failure logging at lines 527-528 is duplicated
across multiple RPC handlers (also appearing at 902-907, 984-989, 1041-1046,
1075-1080). Move the logging logic from the error-handling blocks in each RPC
handler into the authenticateClient and authenticateExporter helper methods
themselves. This way, when these helper methods return an error, they will
already include the appropriate log statement, eliminating the need to repeat
the logger.Info call with "unable to authenticate" messages in each caller.
Update all RPC handlers to remove their redundant logging blocks and rely on the
centralized logging within the auth helper methods.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f8053213-1afd-4b9c-872e-dac95c895fe8

📥 Commits

Reviewing files that changed from the base of the PR and between f19e473 and 06545bc.

📒 Files selected for processing (4)

• controller/internal/service/auth/auth.go
• controller/internal/service/controller_service.go
• controller/internal/service/router_service.go
• python/packages/jumpstarter/jumpstarter/exporter/auth.py

[mangelajo]

overall:

• we want some info on the authentication failure: exporter/client name, ip, etc..
• make sure that we don't repeat the log at several levels (auth function, final denial, ... )

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@controller/internal/service/controller_service.go`:
- Around line 248-249: Remove the duplicate logger.Error calls that log
authentication failures at the controller service layer, as these failures are
already being logged by the authenticateClient and authenticateExporter helper
functions. For each occurrence where you have a logger.Error call with messages
like "exporter authentication failed", "client authentication failed", etc.,
followed by a return statement with the error, simply delete the logger.Error
line and keep only the return statement. This applies to the authentication
failure handling in all RPC methods that call these authentication helpers
(authenticateClient and authenticateExporter), eliminating duplicate noisy log
entries while maintaining error propagation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d89e5e1b-68c0-4c8e-8d61-5c469f9aa35c

📥 Commits

Reviewing files that changed from the base of the PR and between 06545bc and 91e0171.

📒 Files selected for processing (4)

• controller/internal/service/auth/auth.go
• controller/internal/service/controller_service.go
• controller/internal/service/router_service.go
• python/packages/jumpstarter/jumpstarter/exporter/auth.py

✅ Files skipped from review due to trivial changes (1)

• python/packages/jumpstarter/jumpstarter/exporter/auth.py

🚧 Files skipped from review as they are similar to previous changes (2)

• controller/internal/service/router_service.go
• controller/internal/service/auth/auth.go

[mangelajo]

Addressed all remaining review comments in the latest commit (ec9e5e14):

Deduplication of peer address logic (PRRT_kwDOQ9ieqs6K4AmS, PRRT_kwDOQ9ieqs6K1z9n, PRRT_kwDOQ9ieqs6K1z9p):

• Exported peerAddr → PeerAddr from the auth package so it can be shared
• logContext in controller_service.go now delegates to auth.PeerAddr instead of duplicating the net.SplitHostPort logic
• Removed the unused "net" import
• Both paths now produce the same IP-only format consistently

Standardised log messages (PRRT_kwDOQ9ieqs6K1z9l):

• Removed the stale logger.Info("unable to authenticate exporter", ...) call in Status — all auth logging is already handled inside AuthExporter in the auth package, so the call-site log was both duplicate and inconsistently worded

Router Stream method peer enrichment (PRRT_kwDOQ9ieqs6K1z9d):

• Already present in the previous commit: ctx := logContext(stream.Context()) enriches the context with the peer IP before the auth call

Duplicate controller-level auth logs (PRRT_kwDOQ9ieqs6Kyam0, CodeRabbit):

• Already handled in the previous commit: all logger.Error(..., "* authentication failed") call-site duplicates had been removed; auth logging lives exclusively in the auth helpers

Test for JWT token not leaking in logs (PRRT_kwDOQ9ieqs6K1z9s):

• Added TestRouterAuthenticateNoTokenLeak in controller_service_test.go — sends a clearly-identifiable bogus token through authenticate() and asserts it never appears in the captured log buffer

Unix socket comment / network-only clarification (PRRT_kwDOQ9ieqs6K1z93):

• The controller only exposes TCP gRPC; no Unix domain socket is involved, so net.SplitHostPort returning "unknown" on failure is the safe default. No code change needed.

[mangelajo]

@raballew adding tests to verify all this logging behavior properly.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@controller/internal/service/controller_service_test.go`:
- Around line 1804-1812: The test calls authenticate(ctx) directly which does
not perform logging, but the actual logging that could leak the token happens in
RouterService.Stream, so this test does not exercise the real code path that
could cause credential leaks. Refactor the test to route through the Stream
method (or explicitly call the same log statement used in Stream) instead of
calling authenticate directly, so the test properly validates that the actual
logging path sanitizes the token and prevents it from appearing in log output.
- Around line 1792-1795: The test modifies global logger state by calling
logf.SetLogger() but does not restore the original logger after the test
completes, causing cross-test contamination. Before calling logf.SetLogger() to
set the new logger with the buffer, save the current logger by calling
logf.Log.GetLogger() or equivalent to capture the original logger instance. Then
use a defer statement immediately after logf.SetLogger() to restore the original
logger when the test function exits, ensuring subsequent tests are not affected
by the modified global logger state.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9204b4b1-84bb-4aaf-8823-912f22c36049

📥 Commits

Reviewing files that changed from the base of the PR and between 8e33fea and ec9e5e1.

📒 Files selected for processing (3)

• controller/internal/service/auth/auth.go
• controller/internal/service/controller_service.go
• controller/internal/service/controller_service_test.go

[mangelajo]

Added comprehensive logging behavior tests in commit 5c368820. Here's a summary of what's covered:

Go — controller/internal/service/auth/auth_test.go (new file, 10 tests)

Test	What it verifies
TestPeerAddr (5 subtests)	No peer → "unknown", host:port → IP only, IPv6 → IP only, bare address → "unknown", empty → "unknown"
TestPeerAddr_NilAddr	No panic when p.Addr is nil (bugfix: added nil guard)
TestPeerAddr_UnixSocket	Unix socket path → "unknown" (not leaked)
TestAuthClient_TokenVerificationFailure_LogsPeerAndError	Log contains "client authentication failed", peer IP, and error text
TestAuthClient_NamespaceMismatch_LogsClientNameAndPeer	Log includes client name, peer IP, "namespace mismatch", returns PermissionDenied
TestAuthClient_Success_NoAuthFailureLog	No "authentication failed" log on successful auth
TestAuthExporter_* (3 tests)	Symmetric tests for exporter auth path
TestAuthClient_ErrorLogIncludesNoDuplicateTokenInMessage	No raw "Bearer" prefix in log output

Go — controller/internal/service/controller_service_test.go (8 new tests + fixes)

Test	What it verifies
TestRouterAuthenticateNoTokenLeak	Reworked: now exercises the full Stream logging path (logContext + logger.Info("router authentication failed")) with peer context — not just authenticate() alone
TestRouterAuthenticateReturnsUnauthenticated	Invalid JWT → codes.Unauthenticated
TestRouterAuthenticateMissingMetadata	Missing metadata → error
TestLogContext_WithPeer_EnrichesContextWithPeerIP	Peer IP appears in log, port is stripped
TestLogContext_WithoutPeer_ReturnsUnchangedContext	No "peer" key in log
TestLogContext_IPv6Peer_StripsPort	IPv6 address correctly extracted
TestLogContext_NilAddr_ReturnsUnchangedContext	No panic, no "peer" key
TestLogContext_UnixSocket_ReturnsUnknownPeer	Peer is "unknown", socket path not leaked

Test isolation fix: withCapturedLog helper now uses a context-based logger instead of mutating global logf.Log, preventing cross-test contamination.

Python — session_test.py (3 new tests)

Test	What it verifies
test_serve_tcp_passphrase_rejected_logs_warning	Wrong passphrase → WARNING log with "GetReport" method name
test_serve_tcp_passphrase_missing_logs_warning	Missing passphrase → WARNING log with method name
test_serve_tcp_passphrase_correct_no_warning_log	Correct passphrase → no auth failure warning

Bugfix discovered by tests

PeerAddr now guards against p.Addr == nil (previously would panic with nil pointer dereference).

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@controller/internal/service/controller_service_test.go`:
- Around line 1993-2009: The
TestControllerServiceAuthMethodsDoNotLogAuthFailures function currently only
documents the intent with a t.Log statement but performs no actual assertions,
so it always passes and won't catch regressions. Refactor this test to actively
verify the invariant by scanning the source code of the listed RPC methods
(Register, Unregister, ReportStatus, Listen, Status, Dial, GetLease,
RequestLease, ReleaseLease, ListLeases) and asserting that they do not contain
duplicate auth-failure log statements. Use Go's AST parsing or source code
scanning to inspect the method bodies and ensure that any authentication-related
logging is not duplicated beyond what the auth package handles.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 989844bd-acfb-453f-aadc-ee01aa788a57

📥 Commits

Reviewing files that changed from the base of the PR and between ec9e5e1 and 5c36882.

📒 Files selected for processing (4)

• controller/internal/service/auth/auth.go
• controller/internal/service/auth/auth_test.go
• controller/internal/service/controller_service_test.go
• python/packages/jumpstarter/jumpstarter/exporter/session_test.py

🚧 Files skipped from review as they are similar to previous changes (1)

• controller/internal/service/auth/auth.go