Skip to content

Backend: ehnc - Einvoice auth and generation logs #1228

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kavya-shree-s wants to merge 1 commit into
base: main
Choose a base branch
from
+14 −5
Open

Backend: ehnc - Einvoice auth and generation logs #1228

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 14 additions & 5 deletions lib/mobility-core/src/Kernel/External/GSTEInvoice/Interface.hs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,18 +21,27 @@ authenticateEInvoice ::
) =>
GSTEInvoiceConfig ->
m EInvoiceAuthResp
authenticateEInvoice serviceConfig = case serviceConfig of
CharteredInfoEInvoiceConfig cfg -> CharteredInfo.authenticate cfg
authenticateEInvoice serviceConfig = do
logInfo $ "GSTEInvoice.authenticateEInvoice: calling GSP with config=" <> show serviceConfig
resp <- case serviceConfig of
CharteredInfoEInvoiceConfig cfg -> CharteredInfo.authenticate cfg
logInfo $ "GSTEInvoice.authenticateEInvoice: received response=" <> show resp
Comment on lines +24 to +28
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Avoid logging full auth config and auth response.

show serviceConfig and show resp can persist credentials, GST identifiers, or auth tokens/session data in application logs. Prefer lifecycle logs with safe metadata only, or add explicit redacted renderers.

🔒 Proposed safe logging shape 
 authenticateEInvoice serviceConfig = do
-  logInfo $ "GSTEInvoice.authenticateEInvoice: calling GSP with config=" <> show serviceConfig
+  logInfo "GSTEInvoice.authenticateEInvoice: calling GSP"
   resp <- case serviceConfig of
     CharteredInfoEInvoiceConfig cfg -> CharteredInfo.authenticate cfg
-  logInfo $ "GSTEInvoice.authenticateEInvoice: received response=" <> show resp
+  logInfo "GSTEInvoice.authenticateEInvoice: received response"
   pure resp
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
authenticateEInvoice serviceConfig = do
logInfo $ "GSTEInvoice.authenticateEInvoice: calling GSP with config=" <> show serviceConfig
resp <- case serviceConfig of
CharteredInfoEInvoiceConfig cfg -> CharteredInfo.authenticate cfg
logInfo $ "GSTEInvoice.authenticateEInvoice: received response=" <> show resp
authenticateEInvoice serviceConfig = do
logInfo "GSTEInvoice.authenticateEInvoice: calling GSP"
resp <- case serviceConfig of
CharteredInfoEInvoiceConfig cfg -> CharteredInfo.authenticate cfg
logInfo "GSTEInvoice.authenticateEInvoice: received response"
pure resp
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@lib/mobility-core/src/Kernel/External/GSTEInvoice/Interface.hs` around lines
24 - 28, The current authenticateEInvoice function logs the entire serviceConfig
and resp (via show) which may leak credentials/tokens; change the logging to
avoid printing full structures by replacing show serviceConfig and show resp
with safe metadata (e.g., log only the config type/identifier and non-sensitive
flags) or call a redaction helper (e.g., renderRedactedConfig ::
CharteredInfoEInvoiceConfig -> Text and renderRedactedResp :: RespType -> Text)
before logging; keep the calls to CharteredInfo.authenticate(cfg) intact but
ensure any error/success logs only include redacted or high-level info (status,
service name, request id) not raw credentials or tokens.

pure resp

-- | Generate an e-invoice IRN via the configured GSP.
generateEInvoice ::
( EncFlow m r,
CoreMetrics m,
HasRequestId r
HasRequestId r,
MonadFlow m
) =>
GSTEInvoiceConfig ->
Text ->
CITypes.EInvoicePayload ->
m EInvoiceGenerateResp
generateEInvoice serviceConfig authToken payload = case serviceConfig of
CharteredInfoEInvoiceConfig cfg -> CharteredInfo.generateInvoice cfg authToken payload
generateEInvoice serviceConfig authToken payload = do
logInfo $ "GSTEInvoice.generateEInvoice: calling GSP with payload=" <> show payload
resp <- case serviceConfig of
CharteredInfoEInvoiceConfig cfg -> CharteredInfo.generateInvoice cfg authToken payload
logInfo $ "GSTEInvoice.generateEInvoice: received response=" <> show resp
Comment on lines +42 to +46
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Do not log full e-invoice payloads or generation responses.

payload and resp likely contain invoice/customer tax data and generated IRN/QR details. Logging them verbatim creates a privacy/compliance risk; log only non-sensitive identifiers/status, with redaction where needed.

🔒 Proposed safe logging shape 
 generateEInvoice serviceConfig authToken payload = do
-  logInfo $ "GSTEInvoice.generateEInvoice: calling GSP with payload=" <> show payload
+  logInfo "GSTEInvoice.generateEInvoice: calling GSP"
   resp <- case serviceConfig of
     CharteredInfoEInvoiceConfig cfg -> CharteredInfo.generateInvoice cfg authToken payload
-  logInfo $ "GSTEInvoice.generateEInvoice: received response=" <> show resp
+  logInfo "GSTEInvoice.generateEInvoice: received response"
   pure resp
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
generateEInvoice serviceConfig authToken payload = do
logInfo $ "GSTEInvoice.generateEInvoice: calling GSP with payload=" <> show payload
resp <- case serviceConfig of
CharteredInfoEInvoiceConfig cfg -> CharteredInfo.generateInvoice cfg authToken payload
logInfo $ "GSTEInvoice.generateEInvoice: received response=" <> show resp
generateEInvoice serviceConfig authToken payload = do
logInfo "GSTEInvoice.generateEInvoice: calling GSP"
resp <- case serviceConfig of
CharteredInfoEInvoiceConfig cfg -> CharteredInfo.generateInvoice cfg authToken payload
logInfo "GSTEInvoice.generateEInvoice: received response"
pure resp
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@lib/mobility-core/src/Kernel/External/GSTEInvoice/Interface.hs` around lines
42 - 46, The generateEInvoice function currently logs the full payload and resp
(variables payload and resp) which may contain sensitive invoice/customer tax
and IRN/QR data; update the two logInfo calls in generateEInvoice (and ensure
any downstream CharteredInfo.generateInvoice return shape is used) to redact or
extract only non-sensitive identifiers/status (e.g., invoiceId or invoiceNumber,
customerId masked, operation status, and a masked IRN/QR showing only last 4
characters) and log those minimal fields instead of show payload/show resp; do
not remove logging entirely—emit safe, contextual messages that avoid full
payload/response serialization.

pure resp
Loading