Merge pull request #316 from Pseudo-Lab/feat/db-logging

feat(cert): Add DB access logging and pageview tracking

Author: soohyunme

cert/.env.example

@@ -16,4 +16,14 @@ APP_HOST=example.com
 ENVIRONMENT=dev
 NODE_ENV=development
 
-CERT_TEMPLATE_ARCHIVE_PASSWORD=your_secure_password
+CERT_TEMPLATE_ARCHIVE_PASSWORD=your_secure_password
+
+# DB configuration
+DB_HOST=your_db_host
+DB_PORT=your_db_port
+DB_NAME=your_db_name
+DB_USER=your_db_user
+DB_PASSWORD=your_db_password
+ACCESS_LOGGING_ENABLED=true
+ACCESS_LOGGING_EXCLUDE_PATHS=/health,/api/certs/all-projects,/api/log/pageview
+ACCESS_LOGGING_IP_SALT=your_ip_salt

cert/backend/pyproject.toml

@@ -6,6 +6,7 @@ readme = "README.md"
 requires-python = ">=3.11"
 dependencies = [
     "aiohttp>=3.12.15",
+    "asyncpg>=0.30.0",
     "aiosmtplib>=4.0.1",
     "fastapi>=0.109.1",
     "gunicorn>=21.2.0",

cert/backend/src/main.py

@@ -6,6 +6,8 @@
 from fastapi.middleware.cors import CORSMiddleware
 
 from .routers import certificate
+from .routers.logging import logging_router
+from .utils.access_log import access_log_middleware, close_access_log, init_access_log
 
 
 def configure_logging() -> None:
@@ -35,6 +37,9 @@ def configure_logging() -> None:
     openapi_url=None if hide_docs else "/openapi.json",
 )
 
+# Access log middleware
+app.middleware("http")(access_log_middleware)
+
 # CORS 미들웨어 설정
 origins = os.getenv("CORS_ORIGINS", "").split(",")
 app.add_middleware(
@@ -47,6 +52,7 @@ def configure_logging() -> None:
 
 # 모든 환경에서 /api 프리픽스 사용 (개발/프로덕션 통일)
 app.include_router(certificate.certificate_router, prefix="/api")
+app.include_router(logging_router, prefix="/api")
 logger.info("FastAPI app initialized", extra={"environment": os.getenv("ENVIRONMENT")})
 
 
@@ -64,3 +70,13 @@ async def read_root():
 async def health_check():
     """헬스 체크 엔드포인트"""
     return {"status": "healthy"}
+
+
+@app.on_event("startup")
+async def setup_access_log():
+    await init_access_log(app)
+
+
+@app.on_event("shutdown")
+async def teardown_access_log():
+    await close_access_log(app)

cert/backend/src/routers/logging.py

@@ -0,0 +1,21 @@
+from fastapi import APIRouter, HTTPException, Request
+from pydantic import BaseModel
+
+from ..utils.access_log import log_page_view
+
+
+logging_router = APIRouter(prefix="/log", tags=["log"])
+
+
+class PageViewRequest(BaseModel):
+    path: str
+
+
+@logging_router.post("/pageview")
+async def track_page_view(payload: PageViewRequest, request: Request):
+    path = payload.path.strip()
+    if not path.startswith("/"):
+        raise HTTPException(status_code=400, detail="path must start with '/'")
+
+    await log_page_view(request, path)
+    return {"status": "ok"}

cert/backend/src/utils/access_log.py

@@ -0,0 +1,180 @@
+import hashlib
+import logging
+import os
+import time
+from dataclasses import dataclass
+from typing import Optional, Set
+
+import asyncpg
+from fastapi import FastAPI, Request, Response
+
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass(frozen=True)
+class AccessLogConfig:
+    dsn: str
+    exclude_paths: Set[str]
+    ip_salt: str
+    environment: str
+
+
+def _build_dsn() -> Optional[str]:
+    host = os.getenv("DB_HOST")
+    port = os.getenv("DB_PORT", "5432")
+    name = os.getenv("DB_NAME")
+    user = os.getenv("DB_USER")
+    password = os.getenv("DB_PASSWORD")
+
+    if not all([host, port, name, user, password]):
+        logger.warning(
+            "Access logging disabled: database env vars missing",
+            extra={
+                "configured": {
+                    "DB_HOST": bool(host),
+                    "DB_PORT": bool(port),
+                    "DB_NAME": bool(name),
+                    "DB_USER": bool(user),
+                    "DB_PASSWORD": bool(password),
+                }
+            },
+        )
+        return None
+
+    return f"postgresql://{user}:{password}@{host}:{port}/{name}"
+
+
+def load_access_log_config() -> Optional[AccessLogConfig]:
+    enabled = os.getenv("ACCESS_LOGGING_ENABLED", "true").lower() in {"1", "true", "yes"}
+    if not enabled:
+        logger.info("Access logging disabled via ACCESS_LOGGING_ENABLED")
+        return None
+
+    dsn = _build_dsn()
+    if not dsn:
+        return None
+
+    exclude_raw = os.getenv("ACCESS_LOGGING_EXCLUDE_PATHS", "/health,/api/certs/all-projects,/api/log/pageview")
+    exclude_paths = {path.strip() for path in exclude_raw.split(",") if path.strip()}
+    ip_salt = os.getenv("ACCESS_LOGGING_IP_SALT", "")
+    environment = os.getenv("ENVIRONMENT", "dev").lower()
+
+    return AccessLogConfig(
+        dsn=dsn,
+        exclude_paths=exclude_paths,
+        ip_salt=ip_salt,
+        environment=environment,
+    )
+
+
+def _hash_ip(ip_address: Optional[str], salt: str) -> Optional[str]:
+    if not ip_address:
+        return None
+    digest = hashlib.sha256(f"{salt}{ip_address}".encode("utf-8")).hexdigest()
+    return digest
+
+
+async def init_access_log(app: FastAPI) -> None:
+    config = load_access_log_config()
+    if not config:
+        app.state.access_log_pool = None
+        app.state.access_log_config = None
+        return
+
+    pool = await asyncpg.create_pool(dsn=config.dsn, min_size=1, max_size=5)
+    app.state.access_log_pool = pool
+    app.state.access_log_config = config
+
+
+async def close_access_log(app: FastAPI) -> None:
+    pool = getattr(app.state, "access_log_pool", None)
+    if pool:
+        await pool.close()
+
+
+async def log_request(
+    request: Request,
+    response: Optional[Response],
+    latency_ms: int,
+    status_code: int,
+) -> None:
+    config: Optional[AccessLogConfig] = getattr(request.app.state, "access_log_config", None)
+    pool: Optional[asyncpg.Pool] = getattr(request.app.state, "access_log_pool", None)
+
+    if not config or not pool:
+        return
+
+    if request.url.path in config.exclude_paths:
+        return
+
+    ip_hash = _hash_ip(getattr(request.client, "host", None), config.ip_salt)
+    user_agent = request.headers.get("user-agent")
+    referrer = request.headers.get("referer") or request.headers.get("referrer")
+
+    try:
+        async with pool.acquire() as conn:
+            await conn.execute(
+                """
+                INSERT INTO logging.access_log
+                    (path, method, status, latency_ms, ip_hash, user_agent, referrer)
+                VALUES
+                    ($1, $2, $3, $4, $5, $6, $7)
+                """,
+                request.url.path,
+                request.method,
+                status_code,
+                latency_ms,
+                ip_hash,
+                user_agent,
+                referrer,
+            )
+
+    except Exception:
+        logger.warning("Failed to write access log", exc_info=True)
+
+
+async def log_page_view(request: Request, page_path: str) -> None:
+    config: Optional[AccessLogConfig] = getattr(request.app.state, "access_log_config", None)
+    pool: Optional[asyncpg.Pool] = getattr(request.app.state, "access_log_pool", None)
+
+    if not config or not pool:
+        return
+
+    ip_hash = _hash_ip(getattr(request.client, "host", None), config.ip_salt)
+    user_agent = request.headers.get("user-agent")
+    referrer = request.headers.get("referer") or request.headers.get("referrer")
+
+    try:
+        async with pool.acquire() as conn:
+            await conn.execute(
+                """
+                INSERT INTO logging.access_log
+                    (path, method, status, latency_ms, ip_hash, user_agent, referrer)
+                VALUES
+                    ($1, $2, $3, $4, $5, $6, $7)
+                """,
+                page_path,
+                "PAGEVIEW",
+                200,
+                None,
+                ip_hash,
+                user_agent,
+                referrer,
+            )
+    except Exception:
+        logger.warning("Failed to write pageview log", exc_info=True)
+
+
+async def access_log_middleware(request: Request, call_next):
+    start = time.perf_counter()
+    try:
+        response = await call_next(request)
+    except Exception:
+        latency_ms = int((time.perf_counter() - start) * 1000)
+        await log_request(request, None, latency_ms, status_code=500)
+        raise
+
+    latency_ms = int((time.perf_counter() - start) * 1000)
+    await log_request(request, response, latency_ms, status_code=response.status_code)
+    return response