Calmony Pay | Updated March 15, 2026

Security Logging & Monitoring: What Changed in v1.0.32

OWASP Control: SEC-09 | Version: 1.0.32

This post covers the three security logging gaps closed in v1.0.32. All changes are in src/lib/audit.ts and directly improve the platform's ability to detect and respond to authentication abuse and credential attacks.


Background

Calmony Pay maintains an audit log (auditLog) for security and compliance purposes. Prior to this release, three significant gaps meant that certain failure events were never recorded:

  1. Auth.js had no mechanism to invoke logAudit() when a sign-in failed.
  2. The ipAddress column in the auditLog schema existed but was always undefined — no call to logAudit() ever populated it.
  3. The pay API's validateApiKey() function did not log failed key lookup attempts.

These gaps made it impossible to detect brute-force login attempts or credential stuffing against the API, or to identify the origin of suspicious activity.


What Changed

1. Failed Sign-In Logging (Auth.js signIn Callback)

Auth.js does not automatically call application-level hooks when authentication fails. A dedicated signIn callback has been added that calls logAudit() whenever a sign-in attempt does not succeed. This ensures every failed login — whether due to wrong credentials, a locked account, or an unrecognised provider response — is recorded.

2. IP Address Population in Audit Logs

All calls to logAudit() now extract the requester's IP address from the incoming request headers before writing the log entry. The extraction follows standard proxy-aware precedence:

x-forwarded-for  →  x-real-ip  →  fallback

The resolved IP is passed into the ipAddress field of the auditLog record. This applies to every audit log entry across the platform — not just authentication events.
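The header precedence described above, as an added TypeScript example that is not Calmony Pay's own src/lib/audit.ts: getClientIp() walks x-forwarded-for, then x-real-ip, then falls back to the socket address, and logAudit() writes the resolved value into the ipAddress field of every entry. The in-memory auditLog array, the AuditEntry shape, the action names and the IP-literal sanity check are assumptions made for this example.

```typescript
// Added example (not the Calmony Pay code): proxy-aware client IP extraction
// with the precedence x-forwarded-for -> x-real-ip -> fallback, and an audit
// writer that populates ipAddress on every entry it records.

// Stand-in for the auditLog table (assumption: an in-memory array).
interface AuditEntry {
  action: string;
  ipAddress: string;
  timestamp: number;
  detail?: Record<string, unknown>;
}

const auditLog: AuditEntry[] = [];

// Header bag abstraction so the example runs without a web framework.
// Keys are lower-cased, as Node's IncomingMessage.headers presents them.
type HeaderBag = Record<string, string | string[] | undefined>;

function header(headers: HeaderBag, name: string): string | undefined {
  const v = headers[name.toLowerCase()];
  return Array.isArray(v) ? v[0] : v;
}

// Loose shape check for an IPv4 or IPv6 literal. It keeps a malformed or
// injected header value from being stored in the audit log as an "IP";
// anything that fails the check falls through to the next source.
const IP_LITERAL = /^(\d{1,3}(\.\d{1,3}){3}|[0-9a-fA-F:.]+)$/;

function getClientIp(headers: HeaderBag, socketAddress = "unknown"): string {
  const xff = header(headers, "x-forwarded-for");
  if (xff) {
    // x-forwarded-for is a comma-separated chain; the left-most entry is the
    // original client as reported by the nearest proxy.
    const first = (xff.split(",")[0] ?? "").trim();
    if (IP_LITERAL.test(first)) return first;
  }
  const real = header(headers, "x-real-ip")?.trim();
  if (real && IP_LITERAL.test(real)) return real;
  // Fallback: the transport-level peer address (or "unknown" if not supplied).
  return socketAddress;
}

function logAudit(
  action: string,
  headers: HeaderBag,
  socketAddress?: string,
  detail?: Record<string, unknown>,
): AuditEntry {
  const entry: AuditEntry = {
    action,
    ipAddress: getClientIp(headers, socketAddress),
    timestamp: Date.now(),
    detail,
  };
  auditLog.push(entry);
  return entry;
}
```

Which entry of a multi-valued x-forwarded-for to trust depends on the deployment: the left-most value is what the nearest proxy reports as the original client, but any header the edge proxy does not overwrite can be set by the caller, so the socket-address fallback is the only value the requester cannot choose. The shape check above does not make a forged header trustworthy; it only keeps non-IP garbage out of the log.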

3. Failed API Key Validation Logging (validateApiKey)

When a request to the pay API presents an API key that cannot be found or is invalid, validateApiKey() now logs the failure via logAudit(). This makes it possible to:

  • Detect repeated failed attempts against a single key (indicating key enumeration or credential stuffing).
  • Identify the IP addresses involved in failed API key attempts.
  • Set alerts on abnormal failure rates.

Why This Matters

| Gap | Risk Before Fix | After Fix |
|---|---|---|
| Failed sign-ins not logged | Brute-force attacks on user accounts go undetected | Every failed sign-in is recorded with timestamp |
| ipAddress always undefined | No way to trace suspicious activity to an origin | IP captured from headers on every audit event |
| Failed API key attempts not logged | Credential stuffing against the pay API is invisible | Failed key lookups recorded and attributable by IP |


Affected File

  • src/lib/audit.ts — audit logging utilities, Auth.js callback wiring, and validateApiKey() integration.