From beea339b74b64ee9524f94571324c5a52d9c9fe0 Mon Sep 17 00:00:00 2001
From: Jeremy Schneider
Date: Fri, 29 May 2026 09:38:29 -0700
Subject: [PATCH] feat: include authenticated user identity in HTTP access log

Set an X-Remote-User response header containing the authenticated username on every request. This allows the access log to be configured to include user identity via standard log format directives (%({x-remote-user}o)s in gunicorn, %{X-Remote-User}o in Apache) without requiring any changes to pgAdmin's session or auth behaviour.

Signed-off-by: Jeremy Schneider
---
 pkg/docker/gunicorn_config.py | 5 +++++
 web/pgadmin/__init__.py | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/pkg/docker/gunicorn_config.py b/pkg/docker/gunicorn_config.py
index ac7afe08175..699ab6b342d 100644
--- a/pkg/docker/gunicorn_config.py
+++ b/pkg/docker/gunicorn_config.py
@@ -5,6 +5,11 @@ gunicorn.SERVER_SOFTWARE = "Python"
+# Include the authenticated user identity in the access log.
+# %({x-remote-user}o)s reads the X-Remote-User response header set by pgAdmin
+# for authenticated requests; unauthenticated requests log '-'.
+access_log_format = '%(h)s %(l)s %({x-remote-user}o)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'
+
 if JSON_LOGGER:
 logconfig_dict = {
 "version": 1,
diff --git a/web/pgadmin/__init__.py b/web/pgadmin/__init__.py
index 171f02ed53f..d8992a149bb 100644
--- a/web/pgadmin/__init__.py
+++ b/web/pgadmin/__init__.py
@@ -863,6 +863,9 @@ def before_request():
 @app.after_request
 def after_request(response):
+ if current_user.is_authenticated:
+ response.headers['X-Remote-User'] = current_user.username
+
 if 'key' in request.args:
 domain = dict()
 if config.COOKIE_DEFAULT_DOMAIN and \
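Review bot: The `%({x-remote-user}o)s` field in `access_log_format` is written unquoted, so a username containing a space would shift every later field for anything that parses the access log by position, and could make one entry look like it carries a different status or client. Nothing visible here constrains what a username from an external auth source may contain, so I would quote the field the same way the request line and referer already are: `access_log_format = '%(h)s %(l)s "%({x-remote-user}o)s" %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'`. It is also worth confirming that this setting still applies when `JSON_LOGGER` replaces the logging configuration in the branch below, which continues outside the hunk. Since the log now carries user identities, the comment should say so, e.g. `# NOTE: access log now contains usernames; apply retention and read-access controls accordingly.`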
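Review bot: `response.headers['X-Remote-User']` is sent to the browser and to every proxy or cache in between on each authenticated response, although its only stated consumer is the server's own access log. I would make it opt-in behind a config flag (placeholder name: `if config.<LOG_USER_HEADER_FLAG> and current_user.is_authenticated:`) or at least document that the front proxy should strip the header before it leaves the host. The value is also copied without validation: a username that is `None`, or that contains control characters or characters outside what an HTTP header can carry, would presumably fail when the header is set or serialised and turn every response for that user into an error. It should be normalised first, for example by percent-encoding it or restricting it to printable ASCII with `'-'` as the fallback. `after_request` continues past the end of the hunk.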