chore(oidc): show extra_data in debug mode

[Mohamed-Hacene]

Summary by CodeRabbit

Release Notes

• Chores
  • Enhanced debug logging for identity provider authentication and social account connection processes to improve troubleshooting and monitoring capabilities.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates logging in the social account authentication adapter, replacing structured logging of derived fields with raw IdP email data and adding more granular debug logs for database lookup results and account connection outcomes.

Changes

Cohort / File(s)	Summary
Social Authentication Logging backend/iam/adapter.py	Updated logging in SocialAccountAdapter.pre_social_login to emit raw IdP email and repr instead of derived email domain; added debug logs for successful user database lookups (with IdP email, DB email, user id, is_active) and failed lookups; added info log for successful social account connections; modified "user not found" message to include provider context and IdP email details.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Logs that once were sketchy, now tell tales so clear,
Raw IdP emails whisper, debug lines appear,
Database peeks and social links aligned,
A rabbit's traces—thoughtfully refined! 🔍✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: it reflects the shift from structured logging to passing the full extra_data object in debug logging, which aligns with the core modification in the OIDC social account adapter.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/oidc-logs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@backend/iam/adapter.py`:
- Around line 92-96: The logger.debug in pre_social_login is currently passing
the entire IdP payload via extra_data=extra; change it to avoid dumping full
provider responses by logging only the keys or a whitelist of safe fields
instead (e.g., use something like extra_keys=list(extra.keys()) or extract and
log only specific safe attributes), and update the logger.debug call in
pre_social_login / the adapter to include that keys-only or whitelisted summary
rather than the full extra dict.
- Around line 136-150: The logger.debug calls in pre_social_login are emitting
raw PII (idp_email, idp_email_repr, db_email); update the tracing in the
pre_social_login flow so it no longer logs raw email strings—modify the
logger.debug calls around User.objects.get and the subsequent match block to log
non-PII derived diagnostics such as normalized_email_hash or truncated hash,
domain (after normalization), case/whitespace flags, and user_id/is_active,
while removing idp_email, idp_email_repr and db_email fields; ensure the same
change is applied to the other debug block around lines 163-167 so no raw email
values are written to logs.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9f74e200-801b-40f0-951d-d5a794eff7a8

📥 Commits

Reviewing files that changed from the base of the PR and between 8a2e6ff and 1256b0a.

📒 Files selected for processing (1)

• backend/iam/adapter.py

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Do not dump the full IdP payload to logs.

extra_data=extra will persist the full provider response whenever debug logging is enabled. This project has no log-redaction layer, and the failure path just below already shows the safer pattern by logging keys only.

🛡️ Suggested change

         logger.debug(
             "pre_social_login: extra_data received",
-            extra_data=extra,
             provider=sociallogin.account.provider,
+            extra_data_keys=list(extra.keys()),
+            userinfo_keys=list(extra.get("userinfo", {}).keys()),
+            id_token_keys=list(extra.get("id_token", {}).keys()),
         )

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	logger.debug(
	"pre_social_login: extra_data received",
	extra_data_keys=list(extra.keys()),
	has_userinfo="userinfo" in extra,
	has_id_token="id_token" in extra,
	extra_data=extra,
	provider=sociallogin.account.provider,
	)
	logger.debug(
	"pre_social_login: extra_data received",
	provider=sociallogin.account.provider,
	extra_data_keys=list(extra.keys()),
	userinfo_keys=list(extra.get("userinfo", {}).keys()),
	id_token_keys=list(extra.get("id_token", {}).keys()),
	)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/iam/adapter.py` around lines 92 - 96, The logger.debug in
pre_social_login is currently passing the entire IdP payload via
extra_data=extra; change it to avoid dumping full provider responses by logging
only the keys or a whitelist of safe fields instead (e.g., use something like
extra_keys=list(extra.keys()) or extract and log only specific safe attributes),
and update the logger.debug call in pre_social_login / the adapter to include
that keys-only or whitelisted summary rather than the full extra dict.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Remove raw email values from these lookup traces.

idp_email, idp_email_repr, and db_email add long-lived PII to both the success and failure paths. If the goal is diagnosing normalization issues, derived fields like domain/whitespace/case flags are enough and avoid storing the actual address.

🛡️ Suggested change

+        normalized_email = email_address.strip()
+        email_domain = (
+            normalized_email.partition("@")[2].lower() if "@" in normalized_email else None
+        )
         logger.debug(
             "pre_social_login: resolved email from IdP",
-            idp_email=email_address,
-            idp_email_repr=repr(email_address),
             provider=sociallogin.account.provider,
+            email_domain=email_domain,
+            had_surrounding_whitespace=normalized_email != email_address,
+            had_uppercase=normalized_email != normalized_email.casefold(),
         )
@@
             logger.debug(
                 "pre_social_login: user matched",
-                idp_email=email_address,
-                db_email=user.email,
                 user_id=str(user.id),
                 is_active=user.is_active,
+                email_domain=email_domain,
             )
@@
             logger.debug(
                 "pre_social_login: user not found - check DB for this email",
-                idp_email=email_address,
-                idp_email_repr=repr(email_address),
                 provider=sociallogin.account.provider,
+                email_domain=email_domain,
+                had_surrounding_whitespace=normalized_email != email_address,
+                had_uppercase=normalized_email != normalized_email.casefold(),
             )

Also applies to: 163-167

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/iam/adapter.py` around lines 136 - 150, The logger.debug calls in
pre_social_login are emitting raw PII (idp_email, idp_email_repr, db_email);
update the tracing in the pre_social_login flow so it no longer logs raw email
strings—modify the logger.debug calls around User.objects.get and the subsequent
match block to log non-PII derived diagnostics such as normalized_email_hash or
truncated hash, domain (after normalization), case/whitespace flags, and
user_id/is_active, while removing idp_email, idp_email_repr and db_email fields;
ensure the same change is applied to the other debug block around lines 163-167
so no raw email values are written to logs.