P10.4 followup: log warning on admin session cookie unseal failure

Logs a warning with path and error when cookie unseal fails, helping operators diagnose cross-pod ADMIN_SESSION_SEAL_KEY mismatches in HA deployments (acceptance criterion 2). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-19 17:26:20 -04:00 · 2026-04-19 17:26:20 -04:00 · 43e3367c73
commit 43e3367c73
parent 48f7c0aabf
1 changed files with 9 additions and 3 deletions
--- a/crates/miroir-proxy/src/auth.rs
+++ b/crates/miroir-proxy/src/auth.rs
@ -503,9 +503,15 @@ pub async fn auth_middleware(
                    req.extensions_mut().insert(AdminSessionId(session_id));
                    return next.run(req).await;
                }
-                Err(_) => {
-                    // Cookie tampering or wrong key — fall through to bearer chain
-                    // which will reject with InvalidAuth for admin paths.
+                Err(e) => {
+                    // Cookie tampering or wrong seal key (e.g. cross-pod key
+                    // mismatch in HA).  Log a warning so operators can diagnose
+                    // ADMIN_SESSION_SEAL_KEY divergence across pods.
+                    tracing::warn!(
+                        path = %path,
+                        error = %e,
+                        "admin session cookie unseal failed — tampered cookie or cross-pod key mismatch"
+                    );
                }
            }
        }