UI fixes for adding user details

Signed-off-by: Shoumi <shoumimukherjee@gmail.com>

Author: shoummu1

.env.example

@@ -1173,6 +1173,16 @@ PAGINATION_INCLUDE_LINKS=true
 # Enable TLS for gRPC connections by default
 # MCPGATEWAY_GRPC_TLS_ENABLED=false
 
+#####################################
+# Security Event Logging
+#####################################
+
+# Enable security event logging (authentication attempts, authorization failures, etc.)
+# Options: true (default), false
+# When enabled, the AuthContextMiddleware will log all authentication attempts to the database
+# This is INDEPENDENT of observability settings - security logging is critical for audit trails
+# SECURITY_LOGGING_ENABLED=true
+
 #####################################
 # Observability Settings
 #####################################

mcpgateway/admin.py

@@ -8353,7 +8353,11 @@ async def admin_delete_resource(resource_id: str, request: Request, db: Session
     LOGGER.debug(f"User {get_user_email(user)} is deleting resource ID {resource_id}")
     error_message = None
     try:
-        await resource_service.delete_resource(user["db"] if isinstance(user, dict) else db, resource_id)
+        await resource_service.delete_resource(
+            user["db"] if isinstance(user, dict) else db,
+            resource_id,
+            user_email=user_email,
+        )
     except PermissionError as e:
         LOGGER.warning(f"Permission denied for user {user_email} deleting resource {resource_id}: {e}")
         error_message = str(e)
@@ -11425,6 +11429,7 @@ async def admin_test_a2a_agent(
         return JSONResponse(content={"success": False, "error": "A2A features are disabled"}, status_code=403)
 
     try:
+        user_email = get_user_email(user)
         # Get the agent by ID
         agent = await a2a_service.get_agent(db, agent_id)
 
@@ -11440,7 +11445,14 @@ async def admin_test_a2a_agent(
             test_params = {"message": "Hello from MCP Gateway Admin UI test!", "test": True, "timestamp": int(time.time())}
 
         # Invoke the agent
-        result = await a2a_service.invoke_agent(db, agent.name, test_params, "admin_test")
+        result = await a2a_service.invoke_agent(
+            db,
+            agent.name,
+            test_params,
+            "admin_test",
+            user_email=user_email,
+            user_id=user_email,
+        )
 
         return JSONResponse(content={"success": True, "result": result, "agent_name": agent.name, "test_timestamp": time.time()})
 

mcpgateway/config.py

@@ -777,6 +777,7 @@ def _parse_allowed_origins(cls, v: Any) -> Set[str]:
     metrics_aggregation_enabled: bool = Field(default=True, description="Enable automatic log aggregation into performance metrics")
     metrics_aggregation_backfill_hours: int = Field(default=6, ge=0, le=168, description="Hours of structured logs to backfill into performance metrics on startup")
     metrics_aggregation_window_minutes: int = Field(default=5, description="Time window for metrics aggregation (minutes)")
+    metrics_aggregation_auto_start: bool = Field(default=False, description="Automatically run the log aggregation loop on application startup")
 
     # Log Search Configuration
     log_search_max_results: int = Field(default=1000, description="Maximum results per log search query")

mcpgateway/main.py

@@ -452,7 +452,7 @@ async def lifespan(_app: FastAPI) -> AsyncIterator[None]:
         # Reconfigure uvicorn loggers after startup to capture access logs in dual output
         logging_service.configure_uvicorn_after_startup()
 
-        if settings.metrics_aggregation_enabled:
+        if settings.metrics_aggregation_enabled and settings.metrics_aggregation_auto_start:
             aggregation_stop_event = asyncio.Event()
             log_aggregator = get_log_aggregator()
 
@@ -491,6 +491,8 @@ async def run_log_aggregation_loop() -> None:
 
             aggregation_backfill_task = asyncio.create_task(run_log_backfill())
             aggregation_loop_task = asyncio.create_task(run_log_aggregation_loop())
+        elif settings.metrics_aggregation_enabled:
+            logger.info("Metrics aggregation auto-start disabled; performance metrics will be generated on-demand when requested.")
 
         yield
     except Exception as e:
@@ -1234,23 +1236,28 @@ async def _call_streamable_http(self, scope, receive, send):
     app.add_middleware(CorrelationIDMiddleware)
     logger.info(f"✅ Correlation ID tracking enabled (header: {settings.correlation_id_header})")
 
+# Add authentication context middleware if security logging is enabled
+# This middleware extracts user context and logs security events (authentication attempts)
+# Note: This is independent of observability - security logging is always important
+if settings.security_logging_enabled:
+    # First-Party
+    from mcpgateway.middleware.auth_middleware import AuthContextMiddleware
+
+    app.add_middleware(AuthContextMiddleware)
+    logger.info("🔐 Authentication context middleware enabled - logging security events")
+else:
+    logger.info("🔐 Security event logging disabled")
+
 # Add observability middleware if enabled
 # Note: Middleware runs in REVERSE order (last added runs first)
-# We add ObservabilityMiddleware first so it wraps AuthContextMiddleware
+# If AuthContextMiddleware is already registered, ObservabilityMiddleware wraps it
 # Execution order will be: AuthContext -> Observability -> Request Handler
 if settings.observability_enabled:
     # First-Party
     from mcpgateway.middleware.observability_middleware import ObservabilityMiddleware
 
     app.add_middleware(ObservabilityMiddleware, enabled=True)
     logger.info("🔍 Observability middleware enabled - tracing all HTTP requests")
-
-    # Add authentication context middleware (runs BEFORE observability in execution)
-    # First-Party
-    from mcpgateway.middleware.auth_middleware import AuthContextMiddleware
-
-    app.add_middleware(AuthContextMiddleware)
-    logger.info("🔐 Authentication context middleware enabled - extracting user info for observability")
 else:
     logger.info("🔍 Observability middleware disabled")
 
@@ -2454,7 +2461,20 @@ async def invoke_a2a_agent(
         logger.debug(f"User {user} is invoking A2A agent '{agent_name}' with type '{interaction_type}'")
         if a2a_service is None:
             raise HTTPException(status_code=503, detail="A2A service not available")
-        return await a2a_service.invoke_agent(db, agent_name, parameters, interaction_type)
+        user_email = get_user_email(user)
+        user_id = None
+        if isinstance(user, dict):
+            user_id = str(user.get("id") or user.get("sub") or user_email)
+        else:
+            user_id = str(user)
+        return await a2a_service.invoke_agent(
+            db,
+            agent_name,
+            parameters,
+            interaction_type,
+            user_id=user_id,
+            user_email=user_email,
+        )
     except A2AAgentNotFoundError as e:
         raise HTTPException(status_code=404, detail=str(e))
     except A2AAgentError as e:

mcpgateway/middleware/auth_middleware.py

@@ -87,14 +87,24 @@ async def dispatch(self, request: Request, call_next: Callable) -> Response:
             credentials = HTTPAuthorizationCredentials(scheme="Bearer", credentials=token)
             user = await get_current_user(credentials, db)
 
+            # Eagerly access user attributes before session closes to prevent DetachedInstanceError
+            # This forces SQLAlchemy to load the data while the session is still active
+            # Note: EmailUser uses 'email' as primary key, not 'id'
+            user_email = user.email
+            user_id = user_email  # For EmailUser, email IS the ID
+            
+            # Expunge the user from the session so it can be used after session closes
+            # This makes the object detached but with all attributes already loaded
+            db.expunge(user)
+            
             # Store user in request state for downstream use
             request.state.user = user
-            logger.info(f"✓ Authenticated user for observability: {user.email}")
+            logger.info(f"✓ Authenticated user: {user_email if user_email else user_id}")
 
             # Log successful authentication
             security_logger.log_authentication_attempt(
-                user_id=str(user.id),
-                user_email=user.email,
+                user_id=user_id,
+                user_email=user_email,
                 auth_method="bearer_token",
                 success=True,
                 client_ip=request.client.host if request.client else "unknown",

mcpgateway/middleware/request_logging_middleware.py

@@ -19,10 +19,14 @@
 from typing import Callable
 
 # Third-Party
-from fastapi import Request, Response
+from fastapi.security import HTTPAuthorizationCredentials
+from starlette.requests import Request
+from starlette.responses import Response
 from starlette.middleware.base import BaseHTTPMiddleware
 
 # First-Party
+from mcpgateway.auth import get_current_user
+from mcpgateway.db import SessionLocal
 from mcpgateway.services.logging_service import LoggingService
 from mcpgateway.services.structured_logger import get_structured_logger
 from mcpgateway.utils.correlation_id import get_correlation_id
@@ -127,6 +131,44 @@ def __init__(self, app, enable_gateway_logging: bool = True, log_detailed_reques
         self.log_detailed_requests = log_detailed_requests
         self.log_level = log_level.upper()
         self.max_body_size = max_body_size  # Expected to be in bytes
+        
+    async def _resolve_user_identity(self, request: Request):
+        """Best-effort extraction of user identity for request logs."""
+        # Prefer context injected by upstream middleware
+        if hasattr(request.state, "user") and request.state.user is not None:
+            raw_user_id = getattr(request.state.user, "id", None)
+            user_email = getattr(request.state.user, "email", None)
+            return (str(raw_user_id) if raw_user_id is not None else None, user_email)
+
+        # Fallback: try to authenticate using cookies/headers (matches AuthContextMiddleware)
+        token = None
+        if request.cookies:
+            token = request.cookies.get("jwt_token") or request.cookies.get("access_token") or request.cookies.get("token")
+
+        if not token:
+            auth_header = request.headers.get("authorization")
+            if auth_header and auth_header.startswith("Bearer "):
+                token = auth_header.replace("Bearer ", "")
+
+        if not token:
+            return (None, None)
+
+        db = None
+        try:
+            db = SessionLocal()
+            credentials = HTTPAuthorizationCredentials(scheme="Bearer", credentials=token)
+            user = await get_current_user(credentials, db)
+            raw_user_id = getattr(user, "id", None)
+            user_email = getattr(user, "email", None)
+            return (str(raw_user_id) if raw_user_id is not None else None, user_email)
+        except Exception:
+            return (None, None)
+        finally:
+            if db:
+                try:
+                    db.close()
+                except Exception:
+                    pass
 
     async def dispatch(self, request: Request, call_next: Callable):
         """Process incoming request and log details with sensitive data masked.
@@ -147,6 +189,7 @@ async def dispatch(self, request: Request, call_next: Callable):
         method = request.method
         user_agent = request.headers.get("user-agent", "unknown")
         client_ip = request.client.host if request.client else "unknown"
+        user_id, user_email = await self._resolve_user_identity(request)
 
         # Skip boundary logging for health checks and static assets
         skip_paths = ["/health", "/healthz", "/static", "/favicon.ico"]
@@ -160,6 +203,8 @@ async def dispatch(self, request: Request, call_next: Callable):
                     message=f"Request started: {method} {path}",
                     component="gateway",
                     correlation_id=correlation_id,
+                    user_email=user_email,
+                    user_id=user_id,
                     operation_type="http_request",
                     request_method=method,
                     request_path=path,
@@ -187,6 +232,8 @@ async def dispatch(self, request: Request, call_next: Callable):
                         message=f"Request completed: {method} {path} - {response.status_code}",
                         component="gateway",
                         correlation_id=correlation_id,
+                        user_email=user_email,
+                        user_id=user_id,
                         operation_type="http_request",
                         request_method=method,
                         request_path=path,
@@ -295,6 +342,8 @@ async def receive():
                         message=f"Request failed: {method} {path}",
                         component="gateway",
                         correlation_id=correlation_id,
+                        user_email=user_email,
+                        user_id=user_id,
                         operation_type="http_request",
                         request_method=method,
                         request_path=path,
@@ -324,6 +373,8 @@ async def receive():
                     message=f"Request completed: {method} {path} - {status_code}",
                     component="gateway",
                     correlation_id=correlation_id,
+                    user_email=user_email,
+                    user_id=user_id,
                     operation_type="http_request",
                     request_method=method,
                     request_path=path,