Fix security vulnerabilities. Add logging

src/routers/gates.py

@@ -1,5 +1,6 @@
 import json
-from datetime import datetime
+import logging
+from datetime import datetime, timezone
 from typing import Optional
 
 from fastapi import APIRouter, Depends, HTTPException, Request
@@ -12,6 +13,7 @@ from core.schemas import GateCreate, GatePublicResponse, GateResponse
 from services.gates import call_open_gate
 
 router = APIRouter(tags=["gates"])
+logger = logging.getLogger(__name__)
 
 
 # ── Admin: gate CRUD ──────────────────────────────────────────────────────────
@@ -85,7 +87,7 @@ async def admin_open_gate(
     if not cred_db:
         raise HTTPException(503, "AVConnect credentials not configured")
 
-    ip = request.headers.get("X-Forwarded-For", request.client.host if request.client else None)
+    ip = request.client.host if request.client else None
     ua = request.headers.get("User-Agent")
 
     mock = bool(cred_db.mock_avconnect)
@@ -98,7 +100,7 @@ async def admin_open_gate(
     )
 
     db.add(GateAccessLog(
-        timestamp=datetime.utcnow(),
+        timestamp=datetime.now(timezone.utc),
         keypass_id=0,
         keypass_code=f"[{caller['sub']}]",
         gate_id=gate_db.id,
@@ -114,8 +116,10 @@ async def admin_open_gate(
     db.commit()
 
     if not success:
+        logger.error("Gate open failed: gate_id=%d caller=%r error=%r", gate_db.id, caller["sub"], error_msg)
         raise HTTPException(502, error_msg or "Gate operation failed")
 
+    logger.info("Gate opened by admin: gate_id=%d gate=%r caller=%r ip=%r", gate_db.id, gate_db.name, caller["sub"], ip)
     return {"success": True, "gate": gate_db.name}
 
 
@@ -149,7 +153,7 @@ async def open_gate(
     if not cred_db:
         raise HTTPException(503, "AVConnect credentials not configured")
 
-    ip = request.headers.get("X-Forwarded-For", request.client.host if request.client else None)
+    ip = request.client.host if request.client else None
     ua = request.headers.get("User-Agent")
 
     allowed = json.loads(_kp.allowed_gates) if _kp.allowed_gates else None
@@ -166,7 +170,7 @@ async def open_gate(
     )
 
     db.add(GateAccessLog(
-        timestamp=datetime.utcnow(),
+        timestamp=datetime.now(timezone.utc),
         keypass_id=_kp.id,
         keypass_code=_kp.code,
         gate_id=gate_db.id,
@@ -177,11 +181,9 @@ async def open_gate(
         error=error_msg,
     ))
 
-    if new_sid and new_sid != cred_db.session_id:
-        cred_db.session_id = new_sid
-    db.commit()
-
     if not success:
+        logger.error("Gate open failed: gate_id=%d keypass_id=%d error=%r", gate_db.id, _kp.id, error_msg)
         raise HTTPException(502, error_msg or "Gate operation failed")
 
+    logger.info("Gate opened by keypass: gate_id=%d gate=%r keypass_id=%d ip=%r", gate_db.id, gate_db.name, _kp.id, ip)
     return {"success": True, "gate": gate_db.name}