feat: детализировать трейсинг auth, jwt и argon2

RomanVetrov · RomanVetrov · commit 3679a53e4ee5 · 2026-03-09T12:04:59.000+03:00
Что сделано:
- добавлены спаны на Argon2 hash/verify для точного замера криптографии
- добавлены спаны на создание и декодирование JWT
- добавлены спаны на парсинг refresh и выдачу token pair в auth-роуте
- в structlog добавлены trace_id и span_id для связи логов с Jaeger
diff --git a/app/logging_config.py b/app/logging_config.py
@@ -1,6 +1,20 @@
 import logging
 
 import structlog
+from opentelemetry import trace
+
+
+def _add_trace_context(
+    _logger: logging.Logger,
+    _method_name: str,
+    event_dict: dict,
+) -> dict:
+    span = trace.get_current_span()
+    span_context = span.get_span_context()
+    if span_context.is_valid:
+        event_dict["trace_id"] = f"{span_context.trace_id:032x}"
+        event_dict["span_id"] = f"{span_context.span_id:016x}"
+    return event_dict
 
 
 def setup_logging() -> None:
@@ -15,6 +29,7 @@ def setup_logging() -> None:
         processors=[
             structlog.stdlib.add_log_level,
             structlog.processors.TimeStamper(fmt="iso"),
+            _add_trace_context,
             structlog.processors.JSONRenderer(),
         ],
         wrapper_class=structlog.stdlib.BoundLogger,
diff --git a/app/routes/auth.py b/app/routes/auth.py
@@ -2,6 +2,7 @@
 
 from fastapi import APIRouter, Depends, HTTPException, Response, status
 from fastapi.security import OAuth2PasswordRequestForm
+from opentelemetry import trace
 from redis.asyncio import Redis
 from sqlalchemy.ext.asyncio import AsyncSession
 
@@ -28,6 +29,7 @@
 )
 
 router = APIRouter(prefix="/auth", tags=["auth"])
+tracer = trace.get_tracer(__name__)
 
 
 def _refresh_ttl_seconds() -> int:
@@ -42,42 +44,44 @@ def _refresh_key(user_id: UUID, jti: str) -> str:
 
 def _parse_refresh_token_or_401(refresh_token: str) -> tuple[UUID, str]:
     """Декодирует refresh-токен и возвращает (user_id, jti). Поднимает 401 при ошибке."""
-    try:
-        token_data = decode_refresh_token(refresh_token)
-    except (TokenExpired, TokenInvalid):
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Недействительный или истёкший refresh токен",
-        )
-
-    try:
-        user_id = UUID(token_data.sub)
-    except (ValueError, TypeError):
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Некорректный идентификатор пользователя в refresh токене",
-        )
-
-    jti = str(token_data.payload["jti"])
-    return user_id, jti
+    with tracer.start_as_current_span("auth.parse_refresh_token"):
+        try:
+            token_data = decode_refresh_token(refresh_token)
+        except (TokenExpired, TokenInvalid):
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Недействительный или истёкший refresh токен",
+            )
+
+        try:
+            user_id = UUID(token_data.sub)
+        except (ValueError, TypeError):
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Некорректный идентификатор пользователя в refresh токене",
+            )
+
+        jti = str(token_data.payload["jti"])
+        return user_id, jti
 
 
 async def _issue_token_pair(user_id: UUID, redis: Redis) -> TokenPair:
     """Создаёт новую пару токенов и сохраняет jti refresh-токена в Redis."""
-    access_token = create_access_token(subject=str(user_id))
-    refresh_token, jti = create_refresh_token(subject=str(user_id))
-
-    await redis.set(
-        _refresh_key(user_id, jti),
-        str(user_id),
-        ex=_refresh_ttl_seconds(),
-    )
-
-    return TokenPair(
-        access_token=access_token,
-        refresh_token=refresh_token,
-        token_type="bearer",
-    )
+    with tracer.start_as_current_span("auth.issue_token_pair"):
+        access_token = create_access_token(subject=str(user_id))
+        refresh_token, jti = create_refresh_token(subject=str(user_id))
+
+        await redis.set(
+            _refresh_key(user_id, jti),
+            str(user_id),
+            ex=_refresh_ttl_seconds(),
+        )
+
+        return TokenPair(
+            access_token=access_token,
+            refresh_token=refresh_token,
+            token_type="bearer",
+        )
 
 
 @router.post(
diff --git a/app/security/jwt.py b/app/security/jwt.py
@@ -8,10 +8,13 @@
 from uuid import uuid4
 
 import jwt
+from opentelemetry import trace
 from jwt import ExpiredSignatureError, InvalidTokenError
 
 from app.config import settings
 
+tracer = trace.get_tracer(__name__)
+
 
 def create_access_token(
     *,
@@ -20,24 +23,25 @@ def create_access_token(
     expires_delta: timedelta | None = None,
 ) -> str:
     """Создаёт подписанный access-токен с TTL из настроек (или expires_delta)."""
-    now = datetime.now(timezone.utc)
-    expire = now + (
-        expires_delta or timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
-    )
-    payload: dict[str, Any] = {
-        "sub": subject,
-        "iat": int(now.timestamp()),
-        "exp": int(expire.timestamp()),
-        "type": "access",
-    }
-    if extra_claims:
-        payload.update(extra_claims)
-
-    return jwt.encode(
-        payload=payload,
-        key=settings.SECRET_KEY,
-        algorithm=settings.ALGORITHM,
-    )
+    with tracer.start_as_current_span("security.jwt.create_access_token"):
+        now = datetime.now(timezone.utc)
+        expire = now + (
+            expires_delta or timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
+        )
+        payload: dict[str, Any] = {
+            "sub": subject,
+            "iat": int(now.timestamp()),
+            "exp": int(expire.timestamp()),
+            "type": "access",
+        }
+        if extra_claims:
+            payload.update(extra_claims)
+
+        return jwt.encode(
+            payload=payload,
+            key=settings.SECRET_KEY,
+            algorithm=settings.ALGORITHM,
+        )
 
 
 def create_refresh_token(
@@ -46,24 +50,27 @@ def create_refresh_token(
     expires_delta: timedelta | None = None,
 ) -> tuple[str, str]:
     """Создаёт refresh-токен с уникальным jti. Возвращает (token, jti)."""
-    now = datetime.now(timezone.utc)
-    expire = now + (expires_delta or timedelta(days=settings.REFRESH_TOKEN_EXPIRE_DAYS))
-    jti = uuid4().hex
-
-    payload: dict[str, Any] = {
-        "sub": subject,
-        "iat": int(now.timestamp()),
-        "exp": int(expire.timestamp()),
-        "type": "refresh",
-        "jti": jti,
-    }
-
-    token = jwt.encode(
-        payload=payload,
-        key=settings.SECRET_KEY,
-        algorithm=settings.ALGORITHM,
-    )
-    return token, jti
+    with tracer.start_as_current_span("security.jwt.create_refresh_token"):
+        now = datetime.now(timezone.utc)
+        expire = now + (
+            expires_delta or timedelta(days=settings.REFRESH_TOKEN_EXPIRE_DAYS)
+        )
+        jti = uuid4().hex
+
+        payload: dict[str, Any] = {
+            "sub": subject,
+            "iat": int(now.timestamp()),
+            "exp": int(expire.timestamp()),
+            "type": "refresh",
+            "jti": jti,
+        }
+
+        token = jwt.encode(
+            payload=payload,
+            key=settings.SECRET_KEY,
+            algorithm=settings.ALGORITHM,
+        )
+        return token, jti
 
 
 class TokenExpired(Exception):
@@ -88,27 +95,28 @@ class TokenData:
 
 def _decode_token(token: str) -> dict[str, Any]:
     """Общая декодировка и базовая валидация JWT."""
-    try:
-        payload = jwt.decode(
-            jwt=token,
-            key=settings.SECRET_KEY,
-            algorithms=[settings.ALGORITHM],
-            options={"require": ["sub", "exp", "type"]},
-        )
-    except ExpiredSignatureError as e:
-        raise TokenExpired("Токен истёк") from e
-    except InvalidTokenError as e:
-        raise TokenInvalid("Неверный токен/Ошибка валидации токена") from e
-
-    sub = payload.get("sub")
-    if not isinstance(sub, str) or not sub:
-        raise TokenInvalid("Ошибка субъекта в токене")
-
-    token_type = payload.get("type")
-    if token_type not in {"access", "refresh"}:
-        raise TokenInvalid("Некорректный тип токена")
-
-    return payload
+    with tracer.start_as_current_span("security.jwt.decode_token"):
+        try:
+            payload = jwt.decode(
+                jwt=token,
+                key=settings.SECRET_KEY,
+                algorithms=[settings.ALGORITHM],
+                options={"require": ["sub", "exp", "type"]},
+            )
+        except ExpiredSignatureError as e:
+            raise TokenExpired("Токен истёк") from e
+        except InvalidTokenError as e:
+            raise TokenInvalid("Неверный токен/Ошибка валидации токена") from e
+
+        sub = payload.get("sub")
+        if not isinstance(sub, str) or not sub:
+            raise TokenInvalid("Ошибка субъекта в токене")
+
+        token_type = payload.get("type")
+        if token_type not in {"access", "refresh"}:
+            raise TokenInvalid("Некорректный тип токена")
+
+        return payload
 
 
 def decode_access_token(token: str) -> TokenData:
diff --git a/app/security/password.py b/app/security/password.py
@@ -8,6 +8,7 @@
 
 import logging
 
+from opentelemetry import trace
 from argon2 import PasswordHasher
 from argon2.exceptions import InvalidHash, VerificationError, VerifyMismatchError
 from argon2.low_level import Type
@@ -16,6 +17,7 @@
 from app.config import settings
 
 log = logging.getLogger(__name__)
+tracer = trace.get_tracer(__name__)
 
 pwd_hasher = PasswordHasher(
     time_cost=settings.ARGON_TIME_COST,
@@ -38,21 +40,23 @@ def get_dummy_hash() -> str:
 
 
 async def hash_password(*, password: str) -> str:
-    if len(password) > settings.ARGON_MAX_PASSWORD_LEN:
-        raise ValueError("Пароль слишком длинный")
-    return await run_in_threadpool(pwd_hasher.hash, password)
+    with tracer.start_as_current_span("security.password.hash_argon2"):
+        if len(password) > settings.ARGON_MAX_PASSWORD_LEN:
+            raise ValueError("Пароль слишком длинный")
+        return await run_in_threadpool(pwd_hasher.hash, password)
 
 
 async def verify_password(*, password: str, hashed_password: str) -> bool:
-    def _verify() -> bool:
-        if len(password) > settings.ARGON_MAX_PASSWORD_LEN:
-            return False
-        try:
-            return pwd_hasher.verify(hashed_password, password)
-        except VerifyMismatchError:
-            return False
-        except (VerificationError, InvalidHash) as exc:
-            log.warning("Argon2 verify failed (%s)", exc.__class__.__name__)
-            return False
-
-    return await run_in_threadpool(_verify)
+    with tracer.start_as_current_span("security.password.verify_argon2"):
+        def _verify() -> bool:
+            if len(password) > settings.ARGON_MAX_PASSWORD_LEN:
+                return False
+            try:
+                return pwd_hasher.verify(hashed_password, password)
+            except VerifyMismatchError:
+                return False
+            except (VerificationError, InvalidHash) as exc:
+                log.warning("Argon2 verify failed (%s)", exc.__class__.__name__)
+                return False
+
+        return await run_in_threadpool(_verify)
