Description
Problem
Clients collaborating on a form need to verify who did what, and when, especially when something "goes wrong". Today we do not provide a clear, shareable audit of the critical actions taken on a form, so clients often end up asking Support "what happened".
User story
As a client (form owner/collaborator), I need to see a reliable list of the most critical actions taken on my form (who/what/when), so I can resolve issues and maintain trust.
Context
As part of the security controls, login actions (failed and successful) must be logged, audit records must be retained, and unusual activity must be identifiable, with each record carrying a timestamp and source IP address, as per controls AU-3, AU-4, AU-6 and AU-11.
Current state / constraints
- Events logged: see platform-forms-client/lib/auditLogs.ts (line 24 at commit 9d66425, the "Form Response Events" section)
- The key actions log is behind a feature flag that is ON in Staging and OFF in Production
- The shared API key does not allow identifying which user performed an action, because the key is issued per form rather than per user
- The current Staging implementation only renders the 50-100 latest events and/or the last 30 days
- Querying all events for all time raises performance concerns; if the query is set up to fetch only a bounded subset of the data (time window plus limit), this should not be a problem
Definitions
Clarifying similar-sounding terminology:
- access log = the record of authentication actions (successful and failed logins), kept for auditing and security
- audit log = the full set of actions we collect and store internally
- server log = server actions printed to the server console; this is where errors and alerts are thrown
- key actions log = the subset of the audit log that we surface externally and make available to clients
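To make the constraints and definitions above concrete, here is an added example (not code from platform-forms-client; record shape, action names and sample events are assumptions) of an audit record that carries who/what/when plus the source IP, and of a bounded query that derives the client-facing key actions log from it: only critical actions, only the last 30 days, at most a page of entries, continuing from a keyset cursor rather than scanning all events. An action performed with the shared per-form API key is labelled as the key, since the record cannot name a user.

```typescript
// Added example, not code from platform-forms-client. Field names, action
// names and the sample events are assumptions chosen to illustrate the shape
// of an audit record and a bounded "key actions log" query over it.

type AuditActor =
  | { kind: "user"; userId: string }
  // The shared per-form API key identifies the form, not a person.
  | { kind: "apiKey"; formId: string };

interface AuditEvent {
  id: string;          // unique; breaks ties between events with the same timestamp
  timestamp: string;   // ISO 8601 UTC: "when"
  actor: AuditActor;   // "who"
  action: string;      // "what"
  formId: string;      // the form the action was taken on
  ip: string;          // source address, kept with every record
  detail?: Record<string, unknown>; // internal only; never surfaced to clients
}

// Subset of actions the client-facing key actions log exposes (assumed names).
const KEY_ACTIONS: ReadonlySet<string> = new Set([
  "PublishForm", "UnpublishForm", "DownloadResponse", "DeleteResponse", "ChangeSettings",
]);

interface Cursor { timestamp: string; id: string }
interface KeyActionEntry { at: string; who: string; what: string; ip: string }
interface KeyActionsPage { entries: KeyActionEntry[]; nextCursor?: Cursor }

// Render the actor for clients. An API-key action is labelled as such rather
// than attributed to a user the record does not contain.
function describeActor(actor: AuditActor): string {
  return actor.kind === "user" ? `user:${actor.userId}` : `api-key:${actor.formId}`;
}

// Events are ordered newest first; (timestamp, id) is the keyset used for paging.
function newerThan(a: AuditEvent | Cursor, b: AuditEvent | Cursor): boolean {
  return a.timestamp > b.timestamp || (a.timestamp === b.timestamp && a.id > b.id);
}

// One page of the key actions log for a form: only critical actions, only the
// last `days` days, at most `limit` entries, continuing after `cursor`.
// In a database this is WHERE formId = ? AND action IN (...) AND timestamp >= ?
// ORDER BY timestamp DESC, id DESC LIMIT ? over an index on (formId, timestamp, id),
// so it never touches the whole table.
function keyActionsLog(
  events: readonly AuditEvent[],
  formId: string,
  opts: { days?: number; limit?: number; cursor?: Cursor; now?: Date } = {},
): KeyActionsPage {
  const days = opts.days ?? 30;
  const limit = opts.limit ?? 100;
  const now = opts.now ?? new Date();
  const cursor = opts.cursor;
  const since = new Date(now.getTime() - days * 86_400_000).toISOString();

  const matching = events
    .filter((e) => e.formId === formId && KEY_ACTIONS.has(e.action) && e.timestamp >= since)
    .filter((e) => !cursor || newerThan(cursor, e))
    .sort((a, b) => (newerThan(a, b) ? -1 : newerThan(b, a) ? 1 : 0));

  const page = matching.slice(0, limit);
  const last = page[page.length - 1];
  return {
    // Projection: only who/what/when/ip reach the client; `detail` stays internal.
    entries: page.map((e) => ({ at: e.timestamp, who: describeActor(e.actor), what: e.action, ip: e.ip })),
    nextCursor: matching.length > limit && last ? { timestamp: last.timestamp, id: last.id } : undefined,
  };
}

// Constructed sample events (not real data); `now` is fixed so the example is deterministic.
const SAMPLE_NOW = new Date("2025-06-30T00:00:00.000Z");
const SAMPLE_EVENTS: AuditEvent[] = [
  { id: "e1", timestamp: "2025-05-01T09:00:00.000Z", actor: { kind: "user", userId: "u-alice" }, action: "PublishForm", formId: "f-1", ip: "203.0.113.5" },   // older than 30 days
  { id: "e2", timestamp: "2025-06-10T12:00:00.000Z", actor: { kind: "user", userId: "u-alice" }, action: "ChangeSettings", formId: "f-1", ip: "203.0.113.5" },
  { id: "e3", timestamp: "2025-06-12T08:30:00.000Z", actor: { kind: "user", userId: "u-bob" }, action: "ViewForm", formId: "f-1", ip: "198.51.100.7" },        // not a key action
  { id: "e4", timestamp: "2025-06-20T15:45:00.000Z", actor: { kind: "apiKey", formId: "f-1" }, action: "DownloadResponse", formId: "f-1", ip: "192.0.2.44", detail: { responseId: "r-9" } },
  { id: "e5", timestamp: "2025-06-20T15:45:00.000Z", actor: { kind: "apiKey", formId: "f-1" }, action: "DeleteResponse", formId: "f-1", ip: "192.0.2.44" },   // same timestamp as e4
  { id: "e6", timestamp: "2025-06-25T11:00:00.000Z", actor: { kind: "user", userId: "u-bob" }, action: "DeleteResponse", formId: "f-2", ip: "198.51.100.7" },  // different form
];

// First page of two entries for form f-1, then the page after it.
const firstPage = keyActionsLog(SAMPLE_EVENTS, "f-1", { limit: 2, now: SAMPLE_NOW });
const secondPage = keyActionsLog(SAMPLE_EVENTS, "f-1", { limit: 2, now: SAMPLE_NOW, cursor: firstPage.nextCursor });
console.log(JSON.stringify({ firstPage, secondPage }, null, 2));
```

The keyset cursor (timestamp plus id) is what keeps the query bounded: each page asks only for events older than the last one shown, so two events with identical timestamps (e4 and e5 above) are never skipped or duplicated, and the per-form time window plus limit means the cost does not grow with the total size of the audit log.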
Links
https://forms-staging.cdssandbox.xyz/en/form-builder/cmkl8rwc90000jv0dt1zbgk7s/settings
https://docs.google.com/document/d/1FJn6ZkIg4zEGUXvWsD_id7hBcIUuLlsptn2qCljXsro/edit?tab=t.0