From 0306a58fceb5f97f3aa93649341d90533a279136 Mon Sep 17 00:00:00 2001
From: Jules LEIDELINGER <11395311+julio75012@users.noreply.github.com>
Date: Fri, 6 Mar 2026 11:30:06 +0800
Subject: [PATCH] server: integrate security logging with authentication

Integrates security audit logging into server initialization and cleanup lifecycle. Adds authentication audit events to API key validation middleware, logging success/failure events with endpoint, method, remote address, and key status.
---
 tools/server/server-http.cpp | 12 ++++++++++++
 tools/server/server.cpp | 3 +++
 2 files changed, 15 insertions(+)

diff --git a/tools/server/server-http.cpp b/tools/server/server-http.cpp
index 129022a711..96456867f9 100644
--- a/tools/server/server-http.cpp
+++ b/tools/server/server-http.cpp
@@ -155,12 +155,24 @@ bool server_http_context::init(const common_params & params) {
 req_api_key = req_api_key.substr(prefix.size());
 }
+ // audit logging for missing API key
+ if (req_api_key.empty()) {
+ security_log_audit_event("auth_failure", req.path, req.method, req.remote_addr, "missing",
+ "No API key provided");
+ }
+
 // validate the API key
 if (std::find(api_keys.begin(), api_keys.end(), req_api_key) != api_keys.end()) {
+ security_log_audit_event("auth_success", req.path, req.method, req.remote_addr, "provided",
+ "API key validated");
 return true; // API key is valid
 }
 // API key is invalid or not provided
+ if (!req_api_key.empty()) {
+ security_log_audit_event("auth_failure", req.path, req.method, req.remote_addr, "invalid",
+ "Invalid API key provided");
+ }
 res.status = 401;
 res.set_content(
 safe_json_to_str(json {
diff --git a/tools/server/server.cpp b/tools/server/server.cpp
index fab0bb587f..35542894cf 100644
--- a/tools/server/server.cpp
+++ b/tools/server/server.cpp
@@ -99,6 +99,7 @@ int main(int argc, char ** argv) {
 }
 common_init();
+ security_log_init(params.security_log_folder);
 // struct that contains llama context and inference
 server_context ctx_server;
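Review bot: All three `security_log_audit_event` calls in the API-key middleware pass `req.path` from requests that have not yet authenticated, so unless that function (not visible in this patch) escapes CR/LF and truncates long fields, a client can forge or bloat audit records; confirm the writer escapes control characters and bounds field length. The "missing" check also runs before the `std::find`, so if `api_keys` can ever contain an empty string one request would emit `auth_failure` followed by `auth_success`; deciding the outcome once in the failure path avoids that, e.g. passing `req_api_key.empty() ? "missing" : "invalid"` as the key status in a single call placed after the lookup. No throttling of failure events is visible in this hunk, which matters for disk usage when many unauthenticated requests arrive. The enclosing middleware lambda starts and ends outside the hunk.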
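Review bot: The result of `security_log_init(params.security_log_folder)` in `main` is discarded, so if the folder cannot be created or opened the server would apparently start without an audit trail and without any warning; the function's signature is not visible here, so confirm whether it reports failure. If it does, fail closed or at least log when a folder was configured, along the lines of `if (!security_log_init(params.security_log_folder)) { return 1; }`. Neither file gains an `#include` for the `security_log_*` declarations in this patch, so they presumably arrive through an already-included header, which is worth confirming. `main` continues outside the hunk.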
@@ -216,6 +217,7 @@ int main(int argc, char ** argv) {
 if (models_routes.has_value()) {
 models_routes->models.unload_all();
 }
+ security_log_cleanup();
 llama_backend_free();
 };
@@ -236,6 +238,7 @@ int main(int argc, char ** argv) {
 SRV_INF("%s: cleaning up before exit...\n", __func__);
 ctx_http.stop();
 ctx_server.terminate();
+ security_log_cleanup();
 llama_backend_free();
 };
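Review bot: In the first clean-up lambda (hunk at -216) `security_log_cleanup()` runs with no visible `ctx_http.stop()` before it, unlike the second lambda (hunk at -236), so an HTTP worker still inside the API-key middleware could call `security_log_audit_event` after the log has been closed; whether the HTTP context is already stopped on that path cannot be seen from here. Either stop the HTTP context first or make `security_log_audit_event` a safe no-op once cleanup has run, and document that ordering with a comment such as `// must run after the HTTP server has stopped accepting requests`. Both lambdas only cover the orderly shutdown path, so any early `return` in `main` would skip the cleanup unless events are flushed as they are written. Both lambdas begin outside their hunks.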