chore(logging): add diagnostic logs for inbound auth forwarding

Add info-level logging to trace bearer token capture and forwarding through fastagent, including token length/prefix and reasons for skipping forward (existing user auth, oauth, or missing inbound token). Also log warnings on bearer extraction errors instead of silently swallowing exceptions.
2026-05-04 21:20:49 -04:00
parent e7f1e044b7
commit 68b486d62a
2 changed files with 34 additions and 6 deletions
--- a/pallas/_fastagent_patch.py
+++ b/pallas/_fastagent_patch.py
@@ -32,25 +32,44 @@ _original_prepare = _mcm._prepare_headers_and_auth
 def _prepare_headers_and_auth_with_forward(server_config, **kwargs):
    headers, oauth_auth, user_auth_keys = _original_prepare(server_config, **kwargs)

-    if not getattr(server_config, "forward_inbound_auth", False):
+    server_name = getattr(server_config, "name", None)
+    forward_flag = getattr(server_config, "forward_inbound_auth", False)
+
+    if not forward_flag:
        return headers, oauth_auth, user_auth_keys

    if user_auth_keys:
+        logger.info(
+            "fastagent_forward_skipped_user_auth",
+            extra={"server": server_name},
+        )
        return headers, oauth_auth, user_auth_keys

    if oauth_auth is not None:
+        logger.info(
+            "fastagent_forward_skipped_oauth",
+            extra={"server": server_name},
+        )
        return headers, oauth_auth, user_auth_keys

    inbound = request_bearer_token.get()
    if not inbound:
+        logger.info(
+            "fastagent_forward_no_inbound",
+            extra={"server": server_name},
+        )
        return headers, oauth_auth, user_auth_keys

    headers = dict(headers)
    headers["Authorization"] = f"Bearer {inbound}"
    user_auth_keys = set(user_auth_keys) | {"Authorization"}
-    logger.debug(
+    logger.info(
        "fastagent_forward_inbound_auth",
-        extra={"server": getattr(server_config, "name", None)},
+        extra={
+            "server": server_name,
+            "token_len": len(inbound),
+            "token_prefix": inbound[:8],
+        },
    )
    return headers, oauth_auth, user_auth_keys

--- a/pallas/multimodal_server.py
+++ b/pallas/multimodal_server.py
@@ -52,9 +52,18 @@ def _get_request_bearer_token() -> str | None:
        request = get_http_request()
        auth = request.headers.get("authorization", "")
        if auth.lower().startswith("bearer "):
-            return auth[7:]
-    except Exception:
-        pass
+            token = auth[7:]
+            logger.info(
+                "pallas_inbound_bearer_captured",
+                data={"token_len": len(token), "token_prefix": token[:8]},
+            )
+            return token
+        logger.info(
+            "pallas_inbound_bearer_absent",
+            data={"has_auth_header": bool(auth)},
+        )
+    except Exception as exc:
+        logger.warning("pallas_inbound_bearer_error", data={"error": str(exc)})
    return None