8.7 KiB
8.7 KiB
Session Callback Logging - Impact Analysis
Date: 2026-01-01
Purpose: Analyze the impact of reducing session callback logging on the multi-stack architecture
🏗️ Architecture Overview
Stack Components
- Next.js Dashboard (this application)
- Keycloak (SSO/Authentication provider)
- MinIO (Object storage for files)
- External Services (Leantime, Rocket.Chat, News API, etc.)
Integration Points
- Keycloak: OAuth2/OIDC provider, session tokens, role extraction
- MinIO: File storage (mission logos, attachments), S3-compatible API
- External APIs: All require authenticated session
📋 Current Session Callback Logging
What's Being Logged
// Lines 407-472 in app/api/auth/options.ts
- === SESSION CALLBACK START ===
- Token error status
- Access token presence
- Refresh token presence
- Token roles
- Token sub (user ID)
- Token email
- Token name
- Token username
- User roles for session
- Creating session user object
- Setting session tokens
- ✅ Session created successfully
- Session user details
- === SESSION CALLBACK END ===
Why It Was Added
Historical Context (from DEBUG_502_CALLBACK.md):
- Added specifically to debug 502 errors with Keycloak callbacks
- Critical for diagnosing authentication failures
- Helps identify when session callback doesn't execute
- Essential for troubleshooting SSO flow issues
🔍 Impact Analysis
1. Keycloak Integration Impact
Dependencies:
- ✅ No functional impact: Logging doesn't affect Keycloak authentication
- ⚠️ Debugging impact: Removing logs makes troubleshooting harder
- ✅ Error logging preserved: Critical errors still logged
Keycloak Flow:
1. User authenticates → Keycloak
2. Keycloak redirects → Next.js callback
3. JWT callback extracts tokens
4. Session callback builds session ← LOGGING HERE
5. Session used for all API calls
Recommendation:
- Keep error logging (always)
- Make success logging conditional (DEBUG_SESSION flag)
2. MinIO Integration Impact
Dependencies:
- ✅ No direct dependency: MinIO doesn't use session callback logs
- ✅ Uses session for auth: Session object used to verify user permissions
- ✅ No impact: Logging changes won't affect MinIO operations
MinIO Flow:
1. API route calls getServerSession()
2. Session callback executes (builds session)
3. Session used to verify user authentication
4. MinIO operations proceed with authenticated user
Recommendation:
- ✅ Safe to reduce logging: No impact on MinIO functionality
3. External Services Impact
Services:
- Leantime (project management)
- Rocket.Chat (messaging)
- News API
- Email/IMAP
Dependencies:
- ✅ No functional impact: Services don't read logs
- ✅ Session still created: Logging doesn't affect session creation
- ✅ Authentication works: Session object still valid
Recommendation:
- ✅ Safe to reduce logging: No impact on external services
4. Monitoring & Debugging Impact
Current Usage:
- Debugging 502 errors (Keycloak callbacks)
- Troubleshooting authentication issues
- Monitoring session creation frequency
- Identifying session callback failures
Impact of Reducing Logging:
- ⚠️ Harder to debug: Less visibility into session creation
- ✅ Still debuggable: Error logging preserved
- ✅ Can enable on-demand: DEBUG_SESSION flag for troubleshooting
Recommendation:
- Use conditional logging with DEBUG_SESSION flag
- Keep error logging always enabled
- Document how to enable debug logging
✅ Safe Implementation Strategy
Phase 1: Conditional Logging (Recommended)
Approach: Make success logging conditional, keep error logging always
async session({ session, token }) {
try {
// Always log errors
if (token.error) {
console.error("❌ Session callback error:", token.error);
}
// Conditional verbose logging
const DEBUG_SESSION = process.env.DEBUG_SESSION === 'true' ||
process.env.NODE_ENV === 'development';
if (DEBUG_SESSION) {
console.log('=== SESSION CALLBACK START ===');
console.log('Token error:', token.error);
console.log('Has accessToken:', !!token.accessToken);
// ... rest of verbose logging
}
// Always log critical errors
if (token.error === "SessionNotActive" ||
token.error === "NoRefreshToken" ||
!token.accessToken ||
!token.refreshToken) {
console.log("❌ Session invalidated or tokens missing", {
error: token.error,
hasAccessToken: !!token.accessToken,
hasRefreshToken: !!token.refreshToken
});
return null as any;
}
// ... rest of callback logic
if (DEBUG_SESSION) {
console.log('✅ Session created successfully');
console.log('Session user id:', session.user.id);
console.log('=== SESSION CALLBACK END ===');
}
return session;
} catch (error) {
// Always log critical errors
console.error('❌❌❌ CRITICAL ERROR IN SESSION CALLBACK ❌❌❌');
console.error('Error:', error);
throw error;
}
}
Benefits:
- ✅ Production: Minimal logging (errors only)
- ✅ Development: Full logging for debugging
- ✅ On-demand: Enable with DEBUG_SESSION=true
- ✅ No functional impact
Phase 2: Environment-Based Logging
Alternative: Use NODE_ENV
const isDevelopment = process.env.NODE_ENV === 'development';
if (isDevelopment || token.error) {
// Verbose logging
}
Benefits:
- ✅ Simple implementation
- ✅ Automatic in development
- ⚠️ Less flexible than DEBUG_SESSION flag
🎯 Recommended Approach
Option 1: DEBUG_SESSION Flag (Best)
Implementation:
- Add
DEBUG_SESSIONenvironment variable - Default:
false(minimal logging) - Set to
truewhen debugging needed
Usage:
# Production (minimal logging)
DEBUG_SESSION=false npm start
# Debugging (verbose logging)
DEBUG_SESSION=true npm start
Pros:
- ✅ Flexible (can enable on-demand)
- ✅ Production-friendly (minimal logs)
- ✅ Debug-friendly (full logs when needed)
- ✅ No code changes needed to toggle
Cons:
- ⚠️ Requires environment variable management
Option 2: NODE_ENV Based (Simpler)
Implementation:
- Use
NODE_ENV === 'development'for verbose logging - Always log errors
Pros:
- ✅ Simple (no new env vars)
- ✅ Automatic (works with existing setup)
Cons:
- ⚠️ Less flexible (can't enable in production easily)
📊 Risk Assessment
| Risk | Impact | Mitigation |
|---|---|---|
| Lost debugging capability | Medium | Keep error logging, add DEBUG_SESSION flag |
| Harder to troubleshoot 502 errors | Medium | Document how to enable debug logging |
| Performance impact | Low | Logging overhead is minimal |
| Functional impact | None | Logging doesn't affect functionality |
✅ Final Recommendation
Implementation Plan
-
Keep Error Logging Always ✅
- Critical errors always logged
- Session invalidation always logged
- Exception handling always logged
-
Make Success Logging Conditional ✅
- Use
DEBUG_SESSIONenvironment variable - Default:
false(production-friendly) - Can enable:
DEBUG_SESSION=true(debugging)
- Use
-
Document Debugging Process ✅
- Add to README or troubleshooting guide
- Explain when to enable DEBUG_SESSION
- Document what logs to look for
-
Test in Staging ✅
- Verify error logging still works
- Test with DEBUG_SESSION=true
- Test with DEBUG_SESSION=false
🔧 Implementation Checklist
- Update
app/api/auth/options.tswith conditional logging - Add
DEBUG_SESSIONto environment variable documentation - Test error logging (should always work)
- Test success logging with DEBUG_SESSION=true
- Test success logging with DEBUG_SESSION=false
- Verify Keycloak authentication still works
- Verify MinIO operations still work
- Verify external services still work
- Update troubleshooting documentation
📝 Summary
Impact Level: 🟢 LOW RISK
Key Findings:
- ✅ No functional impact on Keycloak, MinIO, or external services
- ✅ Logging was added for debugging, not functionality
- ✅ Error logging preserved (critical for troubleshooting)
- ✅ Conditional logging provides flexibility
Recommendation:
- ✅ Proceed with conditional logging
- ✅ Use DEBUG_SESSION flag for flexibility
- ✅ Keep error logging always enabled
Confidence: 🟢 HIGH - Safe to implement
Generated: 2026-01-01
Next Step: Implement conditional logging in app/api/auth/options.ts