From c9afbe3a57cf1f5f269c8396385db7369ca62d23 Mon Sep 17 00:00:00 2001
From: Travis Semple
Date: Thu, 12 Dec 2024 14:30:15 -0800
Subject: [PATCH 1/2] Changes to enable forbidden error logging for AUTH
---
 auth-api/src/auth_api/__init__.py | 21 ++++++++++++++++++++-
 auth-api/src/auth_api/config.py | 1 +
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/auth-api/src/auth_api/__init__.py b/auth-api/src/auth_api/__init__.py
index 0344c6597..4d3967736 100644
--- a/auth-api/src/auth_api/__init__.py
+++ b/auth-api/src/auth_api/__init__.py
@@ -18,7 +18,7 @@
 import os
 import traceback
-from flask import Flask
+from flask import Flask, request
 from flask_cors import CORS
 from flask_migrate import Migrate, upgrade
 from sbc_common_components.utils.camel_case_response import convert_to_camel
@@ -33,6 +33,7 @@
 from auth_api.services.gcp_queue import queue
 from auth_api.utils.auth import jwt
 from auth_api.utils.cache import cache
+from auth_api.utils.user_context import _get_context
 logger = StructuredLogging.get_logger()
@@ -62,6 +63,7 @@ def create_app(run_mode=os.getenv("DEPLOYMENT_ENV", "production")):
 app.after_request(convert_to_camel)
 ExceptionHandler(app)
+ setup_403_logging(app)
 setup_jwt_manager(app, jwt)
 register_shellcontext(app)
 build_cache(app)
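Review bot: The import added in the second hunk of `__init__.py` takes the underscore-prefixed `_get_context` from `auth_api.utils.user_context`, so the application factory now depends on a helper that the module marks as private by naming convention. If `user_context` offers a public way to obtain the current context, use that instead. Otherwise say so at the import, for example `# private helper: no public accessor for the current user context`.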
@@ -69,6 +71,23 @@ def create_app(run_mode=os.getenv("DEPLOYMENT_ENV", "production")):
 return app
+def setup_403_logging(app):
+ """Log setup for forbidden."""
+ if app.config.get("ENABLE_403_LOGGING") is True:
+
+ @app.errorhandler(403)
+ def handle_403_error(error):
+ user_context = _get_context()
+
+ user_name = user_context.user_name[:5] + "..."
+ roles = user_context.roles
+ app.logger.error(f"403 Forbidden - {request.method} {request.url} - {user_name} - {roles}")
+
+ message = {"message": getattr(error, "message", error.description)}
+ headers = {"Content-Type": "application/json", "Access-Control-Allow-Origin": "*"}
+ return message, error.code, headers
+
+
 def execute_migrations(app):
 """Execute the database migrations."""
 try:
diff --git a/auth-api/src/auth_api/config.py b/auth-api/src/auth_api/config.py
index d5eb4060d..31fc338a1 100644
--- a/auth-api/src/auth_api/config.py
+++ b/auth-api/src/auth_api/config.py
@@ -199,6 +199,7 @@ class _Config: # pylint: disable=too-few-public-methods
 # LaunchDarkly SDK key
 AUTH_LD_SDK_KEY = os.getenv("AUTH_LD_SDK_KEY", None)
+ ENABLE_403_LOGGING = os.getenv("ENABLE_403_LOGGING", "False").lower() == "true"
 class DevConfig(_Config): # pylint: disable=too-few-public-methods
From cc47b73870704754c5a2b01a0b34164a3f0c7af2 Mon Sep 17 00:00:00 2001
From: Travis Semple
Date: Thu, 12 Dec 2024 15:16:24 -0800
Subject: [PATCH 2/2] put in vaults
---
 auth-api/devops/vaults.gcp.env | 1 +
 1 file changed, 1 insertion(+)
diff --git a/auth-api/devops/vaults.gcp.env b/auth-api/devops/vaults.gcp.env
index ce718dafc..8660836a6 100644
--- a/auth-api/devops/vaults.gcp.env
+++ b/auth-api/devops/vaults.gcp.env
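Review bot: In `handle_403_error`, `user_context.user_name[:5]` raises a `TypeError` whenever the context carries no user name, which would turn the 403 into a 500 on exactly the requests this handler is meant to record; whether `_get_context()` can return `None` for that field is not visible in this diff, so the slice should be guarded, e.g. `user_name = (user_context.user_name or "")[:5] + "..."`. The log line also writes `request.url`, which includes the query string, so any token or identifier passed as a query parameter ends up in the error log; `request.path` is the safer field unless the query is deliberately wanted. With the flag on, this handler also decides the 403 body and sends a fixed `Access-Control-Allow-Origin: *`, so a logging toggle changes what clients receive. Confirm that this matches what `ExceptionHandler(app)` and the `CORS` setup produce when the flag is off.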
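Review bot: The `ENABLE_403_LOGGING` line added to `_Config` in `config.py` sits directly under the `# LaunchDarkly SDK key` comment with no comment of its own, so it reads as part of the LaunchDarkly settings. A one-line comment should say what the flag turns on and that it is off by default, for example `# Log method, URL, truncated user name and roles for every 403 response (default: off)`. The class body continues outside the hunk.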
@@ -57,3 +57,4 @@ DIRECT_PAY_ENABLED="op://relationship/$APP_ENV/pay-api/DIRECT_PAY_ENABLED"
 DISABLE_ACTIVITY_LOGS="op://relationship/$APP_ENV/pay-api/DISABLE_ACTIVITY_LOGS"
 AUTH_LD_SDK_KEY="op://launchdarkly/$APP_ENV/auth/AUTH_LD_SDK_KEY"
 VPC_CONNECTOR="op://CD/$APP_ENV/auth-api/VPC_CONNECTOR"
+ENABLE_403_LOGGING="op://relationship/$APP_ENV/auth-api/ENABLE_403_LOGGING"