[TECH] Ajouter des logs spécifiques pour certains tokens problématiques (audience mismatch, revoked token) (PIX-16551)

 #11411

Author: pix-service-auto-merge

Diff for: api/lib/infrastructure/authentication.js

@@ -5,6 +5,7 @@ import { revokedUserAccessRepository } from '../../src/identity-access-managemen
 import { getForwardedOrigin } from '../../src/identity-access-management/infrastructure/utils/network.js';
 import { config } from '../../src/shared/config.js';
 import { tokenService } from '../../src/shared/domain/services/token-service.js';
+import { monitoringTools } from '../../src/shared/infrastructure/monitoring-tools.js';
 
 const { find } = lodash;
 
@@ -88,11 +89,22 @@ async function validateUser(decodedAccessToken, { request, revokedUserAccessRepo
   if (config.featureToggles.isUserTokenAudConfinementEnabled && userId) {
     const revokedUserAccess = await revokedUserAccessRepository.findByUserId(userId);
     if (revokedUserAccess.isAccessTokenRevoked(decodedAccessToken)) {
+      monitoringTools.logWarnWithCorrelationIds({
+        message: 'Revoked user AccessToken usage',
+        decodedAccessToken,
+      });
+
       return { isValid: false };
     }
 
     const audience = getForwardedOrigin(request.headers);
     if (decodedAccessToken.aud !== audience) {
+      monitoringTools.logWarnWithCorrelationIds({
+        message: 'User AccessToken audience mismatch',
+        audience,
+        decodedAccessToken,
+      });
+
       return { isValid: false };
     }
   }

Diff for: api/src/identity-access-management/infrastructure/repositories/revoked-user-access.repository.js

@@ -14,7 +14,7 @@ const revokedUserAccessLifespanMs = config.authentication.revokedUserAccessLifes
  * @param {string} params.userId - The ID of the user to revoke access for.
  * @param {Date} params.revokeUntil - The date until the user's access should be revoked.
  */
-export const saveForUser = async function ({ userId, revokeUntil }) {
+const saveForUser = async function ({ userId, revokeUntil }) {
   if (!userId) {
     throw new UserIdIsRequiredError();
   }
@@ -34,7 +34,7 @@ export const saveForUser = async function ({ userId, revokeUntil }) {
  * Retrieves the revoked access for a user from the temporary storage.
  *
  * @param {string} userId - The ID of the user to retrieve the revocation date for.
- * @returns {RevokedUserAccess} - The revoked user access object.
+ * @returns {Promise<RevokedUserAccess>} - The revoked user access object.
  */
 const findByUserId = async function (userId) {
   const value = await revokedUserAccessTemporaryStorage.get(userId);