Skip to content

Security logs

How users see their own security-related events through GET /me/security/logs, backed by the internal logs Durable Object cache (not a separate DB table for this list).

Related: Logs architecture · Cache architecture · public Security overview.


Endpoint

MethodPathBehavior
GET/me/security/logsList current user’s security/auth logs
DELETE/me/security/logsPolicy response — retention / who may delete is operator-defined
DELETE/me/security/logs/{id}Same policy response

Query: limit (default 100, max 500), optional cursor, level, category (auth | security).

Response: { data: InternalLogEntry[], pagination: { limit, nextCursor?, hasMore } }.

Code:

  • Route: apps/worker/src/routes/me/security.ts
  • Service: apps/worker/src/lib/services/me/logs/ (listUserLogs)
  • Zod: SecurityLogsQuerySchema in lib/services/zod/me/security.ts
  • Types: UserLogsListOptions / UserLogsListResult in src/types/me/logs.ts

What users see

Entries that include their userId, typically:

  1. Lockouts (category: security, level: suspicious)
  2. Login failures (invalid password, attempt counts)
  3. Login / register / logout success (category: auth)
  4. Other security events written with that userId

System-wide health logs without userId stay out of this list.


How listing works

  1. listUserLogs calls internalLogger.getLogs({ userId, … })
  2. Multi-shard reader prefers the per-user index (internal:userindex:{userId}) when userId is set
  3. Cursor pagination (timestamp:id) — no offset pages
  4. Optional filters: level, category

See logs.md for indexes, monthly shards, and the multi-shard reader.


Who should write with userId

AreaExpectation
Auth login / register / logoutAlways set userId (and ipAddress when known)
Profile / password / session revokeSet userId on security-relevant events
2FA / secure-actionSet userId so events appear in the user list
MaintenanceUse logger methods that accept userId when the action is user-attributable
Admin actions on a userLog with the target user’s id when audit visibility is desired
System healthOmit userId (stays out of /me/security/logs)

Facade: InternalLoggerServicelogAuthEvent, logSecurityEvent, logUserEvent, logMaintenance, suspicious, etc.