OpenDIF · ginaxu1 · Nov 17, 2025 · Dec 19, 2025 · Dec 5, 2025 · Dec 8, 2025
diff --git a/PR_DESCRIPTION.md b/PR_DESCRIPTION.md
@@ -0,0 +1,139 @@
+## Summary
+
+This PR addresses critical security and observability issues identified during code review:
+
+1. **Security Regression Fix**: Resolves Nginx security header inheritance issue across all portal configurations
+2. **Observability Improvements**: Fixes histogram bucket configuration and prevents metric cardinality explosion in the monitoring package
+
+**Note**: This PR focuses on security and observability fixes. Audit service improvements and OE integration changes are handled in separate PRs.
+
+## Key Changes
+
+### 1. Security: Nginx Header Inheritance Fix
+
+**Problem**: In Nginx, `add_header` directives from a parent block (like `server`) are not inherited by child blocks (like `location`) if the child block defines its own `add_header` directives. This caused a security regression where location blocks with custom headers (e.g., `Cache-Control`, `Content-Type`) were missing critical security headers (`X-Frame-Options`, `X-Content-Type-Options`, `Content-Security-Policy`).
+
+**Solution**: Explicitly added security headers to all location blocks that define their own `add_header` directives in all three portals:
+
+#### Files Modified:
+- `portals/consent-portal/nginx.conf`
+- `portals/member-portal/nginx.conf`
+- `portals/admin-portal/nginx.conf`
+
+#### Changes:
+- Added security headers (`X-Frame-Options`, `X-Content-Type-Options`, `Content-Security-Policy`) to all location blocks:
+  - `/config.js` location block
+  - Hashed static assets location block (`^.+\\.[a-f0-9]{6,}\\.(jpg|jpeg|png|...)`)
+  - Non-hashed static assets location block (`\\.(jpg|jpeg|png|...)`)
+  - `/health` location block
+- Added `always` flag to all `add_header` directives in `admin-portal/nginx.conf` for consistency
+- Fixed Content-Security-Policy in `consent-portal` to include `connect-src 'self' https: http:`
+
+**Security Impact**: All HTTP responses from portal services now include security headers, preventing vulnerabilities like clickjacking and MIME-type sniffing attacks.
+
+### 2. Observability: Histogram Bucket Configuration Fix
+
+**Problem**: Only `http_request_duration_seconds` had custom histogram buckets configured. The `external_call_duration_seconds` metric was using default OpenTelemetry buckets, leading to inconsistent metric configurations.
+
+**Solution**: Added explicit histogram bucket configuration for `external_call_duration_seconds` to match `http_request_duration_seconds`.
+
+#### File Modified:
+- `exchange/shared/monitoring/otel_metrics.go`
+
+#### Changes:
+- Added `sdkmetric.WithView` configuration for `external_call_duration_seconds` metric
+- Both duration metrics now use consistent custom buckets: `[.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10]` seconds
+
+**Impact**: Consistent histogram bucket configuration across all duration metrics enables accurate performance analysis and alerting.
+
+### 3. Observability: Metric Cardinality Explosion Prevention
+
+**Problem**: The `looksLikeID` function in route normalization was too broad, incorrectly classifying static path segments like `data-owner` or `list-all` as dynamic IDs because they contained hyphens. This created excessive unique metric time series and could overload monitoring systems.
+
+**Solution**: Improved ID detection logic to be more specific and prevent false positives.
+
+#### File Modified:
+- `exchange/shared/monitoring/metrics.go`
+
+#### Changes:
+- **UUID Detection**: Added specific check for UUID format (`len(s) == 36 && strings.Count(s, "-") == 4`)
+- **Separator + Number Detection**: Updated logic to require both separators (`_` or `-`) AND numeric characters: `(strings.Contains(s, "_") || strings.Contains(s, "-")) && strings.ContainsAny(s, "0123456789")`
+- **Prevents False Positives**: Static paths like `data-owner`, `list-all`, `check-status` are no longer incorrectly normalized
+- **Correctly Detects**: Actual IDs like `consent_abc123`, `app-456`, UUIDs are still properly detected
+
+**Impact**: Prevents metric cardinality explosion while maintaining accurate route normalization for actual dynamic IDs.
+
+### 4. Testing: Comprehensive Test Coverage
+
+Added comprehensive unit tests to verify all improvements:
+
+#### File Modified:
+- `exchange/shared/monitoring/metrics_test.go`
+
+#### New Tests Added:
+1. `TestLooksLikeIDImprovedLogic` - Verifies improved ID detection prevents false positives
+2. `TestRouteNormalizationWithStaticPaths` - Ensures static paths with hyphens are not incorrectly normalized
+3. `TestHistogramBucketsConfiguration` - Verifies both histogram metrics use custom buckets
+4. `TestIsInitialized` - Tests initialization state functions
+5. `TestMultipleInitializations` - Verifies thread-safety of multiple initialization calls
+6. `TestHTTPMetricsMiddlewareWithDifferentStatusCodes` - Tests different HTTP status code recording
+7. `TestNormalizeRouteWith404` - Ensures 404s are normalized to "unknown"
+
+**Impact**: Ensures all improvements work correctly and prevents regressions.
+
+## Files Changed
+
+### Security Fixes
+- `portals/consent-portal/nginx.conf`
+- `portals/member-portal/nginx.conf`
+- `portals/admin-portal/nginx.conf`
+
+### Observability Fixes
+- `exchange/shared/monitoring/otel_metrics.go`
+- `exchange/shared/monitoring/metrics.go`
+- `exchange/shared/monitoring/metrics_test.go`
+
+### Documentation
+- `exchange/shared/monitoring/TEST_SUMMARY.md` (new)
+- `exchange/shared/monitoring/VERIFICATION.md` (new)
+
+## Testing
+
+- [x] **Unit Tests**: All new and existing tests pass
+- [x] **Build Verification**: Code compiles successfully with no linter errors
+- [x] **Security Verification**: All location blocks include security headers
+- [x] **Observability Verification**: Histogram buckets configured correctly, ID detection prevents false positives
+- [x] **Backward Compatibility**: API contract remains the same, only internal improvements
+
+## Verification
+
+### Security Headers Verification
+All location blocks that define their own `add_header` directives now include:
+- ✅ `X-Frame-Options: SAMEORIGIN`
+- ✅ `X-Content-Type-Options: nosniff`
+- ✅ `Content-Security-Policy: ...` (portal-specific)
+
+All security headers use the `always` flag to ensure they're sent even on error responses.
+
+### Observability Verification
+- ✅ Both `http_request_duration_seconds` and `external_call_duration_seconds` use custom histogram buckets
+- ✅ Static paths with hyphens (e.g., `data-owner`, `list-all`) are NOT incorrectly normalized
+- ✅ Actual IDs (UUIDs, numeric IDs, IDs with separators + numbers) are correctly detected
+- ✅ Route normalization prevents metric cardinality explosion
+
+## Impact
+
+### Security
+- **Critical**: All portal responses now include security headers, preventing clickjacking and MIME-type sniffing attacks
+- **Compliance**: Meets security best practices for web application headers
+
+### Observability
+- **Performance**: Consistent histogram buckets enable accurate performance analysis
+- **Reliability**: Prevents metric cardinality explosion that could overload monitoring systems
+- **Maintainability**: Comprehensive test coverage ensures improvements work correctly
+
+## Related Issues
+
+- Addresses security regression in Nginx configuration
+- Fixes inconsistent histogram bucket configuration
+- Prevents metric cardinality explosion in route normalization
diff --git a/audit-service/go.mod b/audit-service/go.mod
@@ -3,6 +3,7 @@ module github.com/gov-dx-sandbox/audit-service
 go 1.24.6
 
 require (
+	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
 	github.com/stretchr/testify v1.8.1
 	gorm.io/driver/postgres v1.6.0

diff --git a/audit-service/go.sum b/audit-service/go.sum
@@ -2,6 +2,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=

diff --git a/audit-service/main.go b/audit-service/main.go
@@ -14,6 +14,8 @@ import (
 	"github.com/gov-dx-sandbox/audit-service/handlers"
 	"github.com/gov-dx-sandbox/audit-service/middleware"
 	"github.com/gov-dx-sandbox/audit-service/services"
+	v1handlers "github.com/gov-dx-sandbox/audit-service/v1/handlers"
+	v1services "github.com/gov-dx-sandbox/audit-service/v1/services"
 )
 
 // Build information - set during build
@@ -53,10 +55,12 @@ func main() {
 	// Initialize services
 	dataExchangeEventService := services.NewDataExchangeEventService(gormDB)
 	managementEventService := services.NewManagementEventService(gormDB)
+	v1AuditService := v1services.NewAuditService(gormDB)
 
 	// Initialize handlers
 	dataExchangeEventHandler := handlers.NewDataExchangeEventHandler(dataExchangeEventService)
 	managementEventHandler := handlers.NewManagementEventHandler(managementEventService)
+	v1AuditHandler := v1handlers.NewAuditHandler(v1AuditService)
 
 	// Setup routes
 	mux := http.NewServeMux()
@@ -115,6 +119,18 @@ func main() {
 		}
 	})
 
+	// API endpoint for generalized audit logs (V1)
+	mux.HandleFunc("/api/audit-logs", func(w http.ResponseWriter, r *http.Request) {
+		switch r.Method {
+		case http.MethodPost:
+			v1AuditHandler.CreateAuditLog(w, r)
+		case http.MethodGet:
+			v1AuditHandler.GetAuditLogs(w, r)
+		default:
+			http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		}
+	})
+
 	// Start server
 	slog.Info("Audit Service starting",
 		"environment", *env,

diff --git a/audit-service/v1/handlers/audit_handler.go b/audit-service/v1/handlers/audit_handler.go
@@ -0,0 +1,134 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+
+	"github.com/gov-dx-sandbox/audit-service/v1/services"
+	v1types "github.com/gov-dx-sandbox/audit-service/v1/types"
+)
+
+// AuditHandler handles HTTP requests for audit logs
+type AuditHandler struct {
+	service *services.AuditService
+}
+
+// NewAuditHandler creates a new audit handler
+func NewAuditHandler(service *services.AuditService) *AuditHandler {
+	return &AuditHandler{service: service}
+}
+
+// CreateAuditLog handles POST /api/audit-logs
+func (h *AuditHandler) CreateAuditLog(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var req v1types.CreateAuditLogRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body: "+err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// Validate required fields
+	if req.EventName == "" {
+		http.Error(w, "eventName is required", http.StatusBadRequest)
+		return
+	}
+	if req.Status == "" {
+		http.Error(w, "status is required", http.StatusBadRequest)
+		return
+	}
+	if req.ActorType == "" {
+		http.Error(w, "actorType is required", http.StatusBadRequest)
+		return
+	}
+	if req.TargetType == "" {
+		http.Error(w, "targetType is required", http.StatusBadRequest)
+		return
+	}
+
+	auditLog, err := h.service.CreateAuditLog(&req)
+	if err != nil {
+		http.Error(w, "Failed to create audit log: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(auditLog)
+}
+
+// GetAuditLogs handles GET /api/audit-logs
+func (h *AuditHandler) GetAuditLogs(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// Parse query parameters
+	traceID := r.URL.Query().Get("traceId")
+	eventName := r.URL.Query().Get("eventName")
+	limitStr := r.URL.Query().Get("limit")
+	offsetStr := r.URL.Query().Get("offset")
+
+	limit := 100 // default
+	offset := 0  // default
+
+	if limitStr != "" {
+		if l, err := strconv.Atoi(limitStr); err == nil && l > 0 && l <= 1000 {
+			limit = l
+		}
+	}
+	if offsetStr != "" {
+		if o, err := strconv.Atoi(offsetStr); err == nil && o >= 0 {
+			offset = o
+		}
+	}
+
+	var traceIDPtr *string
+	if traceID != "" {
+		traceIDPtr = &traceID
+	}
+
+	var eventNamePtr *string
+	if eventName != "" {
+		eventNamePtr = &eventName
+	}
+
+	logs, total, err := h.service.GetAuditLogs(traceIDPtr, eventNamePtr, limit, offset)
+	if err != nil {
+		http.Error(w, "Failed to retrieve audit logs: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	response := v1types.GetAuditLogsResponse{
+		Logs:  make([]v1types.AuditLogResponse, len(logs)),
+		Total: int(total),
+	}
+
+	for i, log := range logs {
+		response.Logs[i] = v1types.AuditLogResponse{
+			ID:                log.ID,
+			Timestamp:         log.Timestamp,
+			TraceID:           log.TraceID,
+			EventName:         log.EventName,
+			EventType:         log.EventType,
+			Status:            log.Status,
+			ActorType:         log.ActorType,
+			ActorServiceName:  log.ActorServiceName,
+			ActorUserID:       log.ActorUserID,
+			ActorUserType:     log.ActorUserType,
+			TargetType:        log.TargetType,
+			TargetServiceName: log.TargetServiceName,
+			TargetResource:    log.TargetResource,
+			TargetResourceID:  log.TargetResourceID,
+		}
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(response)
+}