Improve realtime error logging with project, user, and auth context#11421
Merged
Improve realtime error logging with project, user, and auth context#11421
Conversation
Contributor
📝 WalkthroughWalkthroughAdds a public function Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes 🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Security Scan Results for PRDocker Image Scan Results
Source Code Scan Results🎉 No vulnerabilities found! |
88d4410 to
117fab7
Compare
✨ Benchmark results
⚡ Benchmark Comparison
|
Contributor
There was a problem hiding this comment.
🧹 Nitpick comments (4)
app/realtime.php (4)
705-705: Consider a more descriptive action string.The action
'realtime'is generic. For better log filtering and clarity, consider using'realtimeOpen'or'onOpen'to distinguish connection establishment errors from message handling errors.♻️ Suggested change
- logError($th, 'realtime', [], $project, $logUser, $authorization); + logError($th, 'realtimeOpen', [], $project, $logUser, $authorization);🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@app/realtime.php` at line 705, The log call uses a generic action string 'realtime' which makes it hard to distinguish connection-open errors from other realtime events; update the action argument in the logError invocation (the call to logError) to a more specific value like 'realtimeOpen' or 'onOpen' to indicate this is the connection establishment path so logs can be filtered and understood more easily.
274-276: Consider using null coalescing for tag values.The expression
$value ?: 'n/a'treats all falsy values (including"0","",false) as missing. If a tag value of"0"or empty string could be meaningful, consider using$value ?? 'n/a'instead.♻️ Suggested change
foreach ($tags as $key => $value) { - $log->addTag($key, $value ?: 'n/a'); + $log->addTag($key, $value ?? 'n/a'); }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@app/realtime.php` around lines 274 - 276, The loop that adds tags uses the PHP elvis operator (`$value ?: 'n/a'`) which treats all falsy values (like "0" or "") as missing; update the tag handling in the foreach over `$tags` so the default is applied only when the key is null using the null coalescing operator (`$value ?? 'n/a'`) before calling `$log->addTag($key, $value ?? 'n/a')`, leaving `$log->addTag` and the surrounding loop intact.
740-743: User context is not captured for onMessage error logging.The error logging at line 869 passes
nullfor the user parameter. However, for authentication-type messages (line 806), the$useris retrieved from the database. Consider capturing this user and passing it tologErrorfor richer error context on authentication failures.♻️ Suggested change to capture user context
$server->onMessage(function (int $connection, string $message) use ($server, $register, $realtime, $containerId) { $project = null; $authorization = null; + $logUser = null; try { // ... existing code ... /** `@var` User $user */ $user = $database->getDocument('users', $store->getProperty('id', '')); + $logUser = $user; // ... existing code ... } catch (Throwable $th) { - logError($th, 'realtimeMessage', [], $project, null, $authorization); + logError($th, 'realtimeMessage', [], $project, $logUser, $authorization);Also applies to: 869-869
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@app/realtime.php` around lines 740 - 743, The onMessage closure currently initializes $user as null only locally when handling authentication, but passes null into logError for exceptions; declare and capture a $user variable in the outer scope of the onMessage handler (e.g., initialize $user = null alongside $project and $authorization at the top of the closure), assign the retrieved user object to that $user when you fetch from the DB in the authentication branch, and then pass that $user into logError instead of null so error logs include the authenticated user context (update the closure variables and the logError call accordingly).
281-281: Be aware:detailedTracemay contain sensitive function arguments.
$error->getTrace()includes function arguments which could contain sensitive data (tokens, passwords, PII) that will be sent to the logging service. This is standard practice for internal error monitoring, but ensure your logging service has appropriate access controls and retention policies.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@app/realtime.php` at line 281, The current call $log->addExtra('detailedTrace', $error->getTrace()) may leak sensitive function arguments; replace it with a sanitized trace that strips or omits the "args" entries before sending to $log->addExtra. Locate the use of $error and getTrace() and transform the trace (e.g., iterate over $error->getTrace() and remove the 'args' key or replace values with redacted placeholders) and then pass that sanitized array to $log->addExtra('detailedTrace', ...).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@app/realtime.php`:
- Line 705: The log call uses a generic action string 'realtime' which makes it
hard to distinguish connection-open errors from other realtime events; update
the action argument in the logError invocation (the call to logError) to a more
specific value like 'realtimeOpen' or 'onOpen' to indicate this is the
connection establishment path so logs can be filtered and understood more
easily.
- Around line 274-276: The loop that adds tags uses the PHP elvis operator
(`$value ?: 'n/a'`) which treats all falsy values (like "0" or "") as missing;
update the tag handling in the foreach over `$tags` so the default is applied
only when the key is null using the null coalescing operator (`$value ?? 'n/a'`)
before calling `$log->addTag($key, $value ?? 'n/a')`, leaving `$log->addTag` and
the surrounding loop intact.
- Around line 740-743: The onMessage closure currently initializes $user as null
only locally when handling authentication, but passes null into logError for
exceptions; declare and capture a $user variable in the outer scope of the
onMessage handler (e.g., initialize $user = null alongside $project and
$authorization at the top of the closure), assign the retrieved user object to
that $user when you fetch from the DB in the authentication branch, and then
pass that $user into logError instead of null so error logs include the
authenticated user context (update the closure variables and the logError call
accordingly).
- Line 281: The current call $log->addExtra('detailedTrace', $error->getTrace())
may leak sensitive function arguments; replace it with a sanitized trace that
strips or omits the "args" entries before sending to $log->addExtra. Locate the
use of $error and getTrace() and transform the trace (e.g., iterate over
$error->getTrace() and remove the 'args' key or replace values with redacted
placeholders) and then pass that sanitized array to
$log->addExtra('detailedTrace', ...).
e4821b3 to
81e828a
Compare
Contributor
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@app/realtime.php`:
- Around line 740-743: The onMessage closure is dropping authenticated user
context—ensure the resolved $user (from the authentication flow inside the
onMessage closure) is passed through to the realtime logging/emit call so userId
is not set to 'n/a'; locate the onMessage(...) closure and the logging/emission
call that currently omits $user (referenced by variables $server, $register,
$realtime, $containerId and local $project/$authorization) and update that call
to include the $user (or derived userId) in the payload/context used for logging
and realtime events so the richer user context is preserved.
- Around line 281-283: The code is currently passing $error->getTrace() directly
into $log->addExtra('detailedTrace', ...), which may contain sensitive argument
data; instead, build a sanitized trace array by mapping $error->getTrace() to
include only safe fields (e.g. 'file','line','class','function') and omit 'args'
(and any large or sensitive values), then pass that sanitizedTrace to
$log->addExtra('detailedTrace', $sanitizedTrace); update the call site using the
same symbols ($error->getTrace(), $log->addExtra('detailedTrace', ...)) so
authorization roles logging ($authorization?->getRoles()) remains unchanged.
abnegate
approved these changes
Feb 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
logErrorfrom closure to named function withfunction_existsguard, enabling cloud to override with region-specific tagsprojectId,userIdas tags anddetailedTrace,rolesas extras to realtime error logs sent to Sentry$project,$user, and$authorizationcontext atonOpenandonMessagecall sitesTest plan
projectId,userIdtags androles,detailedTraceextrasprojectRegionandregiontagspubSubConnection,updateWorkerDocument) still log correctly withn/adefaults