Merge 91c5fbd7b3a2d236fc4a22894176f21091143b47 into c68925152b1b6c8f92806cdbda9c4672dcc1608f

routers/api/v1/api.go

@@ -835,6 +835,7 @@ func apiAuth(authMethod auth.Method) func(*context.APIContext) {
 		if err != nil {
 			msg, ok := auth.ErrAsUserAuthMessage(err)
 			msg = util.Iif(ok, msg, "invalid username, password or token")
+			log.Warn("API auth failure: method=%s path=%s ip=%s reason=%q", ctx.Req.Method, ctx.Req.URL.Path, ctx.RemoteAddr(), msg)
 			ctx.APIError(http.StatusUnauthorized, msg)
 			return
 		}

services/auth/basic.go

@@ -116,6 +116,7 @@ func (b *Basic) VerifyAuthToken(req *http.Request, w http.ResponseWriter, store
 		store.GetData()["LoginMethod"] = ActionTokenMethodName
 		return user_model.NewActionsUserWithTaskID(task.ID), nil
 	}
+	log.Warn("Basic Authorization: token not found for any known token type")
 	return nil, nil //nolint:nilnil // the auth method is not applicable
 }
 

services/auth/oauth2.go

@@ -39,17 +39,19 @@ func GetOAuthAccessTokenScopeAndUserID(ctx context.Context, accessToken string)
 
 	token, err := oauth2_provider.ParseToken(accessToken, oauth2_provider.DefaultSigningKey)
 	if err != nil {
-		log.Trace("oauth2.ParseToken: %v", err)
+		log.Warn("oauth2.ParseToken: %v", err)
 		return accessTokenScope, 0
 	}
 	var grant *auth_model.OAuth2Grant
 	if grant, err = auth_model.GetOAuth2GrantByID(ctx, token.GrantID); err != nil || grant == nil {
+		log.Warn("oauth2: grant not found for token grantID=%d: %v", token.GrantID, err)
 		return accessTokenScope, 0
 	}
 	if token.Kind != oauth2_provider.KindAccessToken {
 		return accessTokenScope, 0
 	}
 	if token.ExpiresAt.Before(time.Now()) || token.IssuedAt.After(time.Now()) {
+		log.Warn("oauth2: token expired or not yet valid, grantID=%d expiresAt=%v issuedAt=%v", token.GrantID, token.ExpiresAt, token.IssuedAt)
 		return accessTokenScope, 0
 	}
 	accessTokenScope = oauth2_provider.GrantAdditionalScopes(grant.Scope)