feat: include authenticated user identity in HTTP access log

[ardentperf]

Set an X-Remote-User response header containing the authenticated username on every request. This allows the access log to be configured to include user identity via standard log format directives (%({x-remote-user}o)s in gunicorn, %{X-Remote-User}o in Apache) without requiring any changes to pgAdmin's session or auth behaviour.

Closes #9990

Default gunicorn access log format is at https://gunicorn.org/reference/settings/?h=access_log#access_log_format and https://github.com/benoitc/gunicorn/blob/9bc5891b4b06f25a8ce0e707053dcb2fb9bf638c/gunicorn/config.py#L1413 ; I confirmed that all other fields are default; this PR only changes the user name field.

Performed an end-to-end test on kubernetes with KIND

With this PR:

Master Branch:

Summary by CodeRabbit

• New Features
  • Enhanced access logging to include authenticated user identity for improved audit trails and security monitoring.

[coderabbitai]

Walkthrough

The PR coordinates Flask and Gunicorn to expose authenticated user identity in HTTP access logs. The Flask after_request hook sets an X-Remote-User response header with the username of authenticated users, and the Gunicorn access log format is configured to include that header in logged requests.

Changes

User Identity in HTTP Access Logs

Layer / File(s)	Summary
Flask response header for authenticated user web/pgadmin/__init__.py	The after_request hook conditionally adds an X-Remote-User response header containing current_user.username when the user is authenticated.
Gunicorn access log format configuration pkg/docker/gunicorn_config.py	Gunicorn access_log_format is explicitly configured to include the authenticated user identity from the X-Remote-User header, with a hyphen logged for unauthenticated requests.

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'feat: include authenticated user identity in HTTP access log' accurately describes the main change across both modified files, clearly summarizing the primary objective.
Linked Issues check	✅ Passed	The code changes fully implement the objective from issue #9990: adding X-Remote-User header to responses and including it in gunicorn access log format to expose authenticated username.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to implementing the linked issue requirement: adding user identity to HTTP access logs without modifying authentication or session behavior.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

pkg/docker/gunicorn_config.py (2)

8-11: Consider privacy implications of logging user identities.

The access_log_format now includes authenticated usernames in HTTP access logs, which is the intended behavior per the PR objectives. However, deployments should be aware that:

• Usernames (e.g., email addresses like admin@pgadmin.org) constitute personally identifiable information (PII)
• Access logs may be subject to data retention policies under GDPR, CCPA, or other privacy regulations
• Log aggregation systems, backup procedures, and access controls should account for PII in logs

Consider documenting this change in deployment/administration guides so that operators can implement appropriate log handling policies for their regulatory environment.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/docker/gunicorn_config.py` around lines 8 - 11, The access_log_format in
pkg/docker/gunicorn_config.py now injects authenticated usernames via the
X-Remote-User header (access_log_format), which exposes PII; update
documentation and make the behavior configurable: add guidance in
deployment/administration docs describing the PII risk,
retention/aggregation/backup/access-control recommendations, and instructions to
disable or anonymize usernames (e.g., provide a deploy-time option or env var to
remove %({x-remote-user}o)s from access_log_format or enable masking) so
operators can comply with GDPR/CCPA and other policies.

---

8-11: ⚡ Quick win

Confirm Gunicorn access-log header lookup is case-insensitive (lowercase config is correct).

Gunicorn recommends using lowercase identifiers in access_log_format, and internally normalizes header lookups for %({header-name}o)s (response headers). So %({x-remote-user}o)s will correctly pick up X-Remote-User even though the actual header is capitalized.

• Operational: logging the authenticated username can be sensitive (PII/auditing concerns); ensure retention/access controls align with your compliance requirements.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/docker/gunicorn_config.py` around lines 8 - 11, The access_log_format
line currently uses the lowercase header token %({x-remote-user}o)s; confirm
that this is correct and leave it lowercase (Gunicorn normalizes header lookups
so %({x-remote-user}o)s will match X-Remote-User), and add a short inline
comment or README note next to access_log_format to document that header lookup
is case-insensitive and that logging usernames may contain PII so
retention/access controls must be applied; reference the access_log_format
setting and the %({x-remote-user}o)s token when making these clarifications.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@pkg/docker/gunicorn_config.py`:
- Around line 8-11: The access_log_format in pkg/docker/gunicorn_config.py now
injects authenticated usernames via the X-Remote-User header
(access_log_format), which exposes PII; update documentation and make the
behavior configurable: add guidance in deployment/administration docs describing
the PII risk, retention/aggregation/backup/access-control recommendations, and
instructions to disable or anonymize usernames (e.g., provide a deploy-time
option or env var to remove %({x-remote-user}o)s from access_log_format or
enable masking) so operators can comply with GDPR/CCPA and other policies.
- Around line 8-11: The access_log_format line currently uses the lowercase
header token %({x-remote-user}o)s; confirm that this is correct and leave it
lowercase (Gunicorn normalizes header lookups so %({x-remote-user}o)s will match
X-Remote-User), and add a short inline comment or README note next to
access_log_format to document that header lookup is case-insensitive and that
logging usernames may contain PII so retention/access controls must be applied;
reference the access_log_format setting and the %({x-remote-user}o)s token when
making these clarifications.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fddec9fa-afa7-41a9-b850-a7da26aafb89

📥 Commits

Reviewing files that changed from the base of the PR and between 0d11dbc and beea339.

📒 Files selected for processing (2)

• pkg/docker/gunicorn_config.py
• web/pgadmin/__init__.py