From de405e3433727e6accdee7c8ff6da896d044b887 Mon Sep 17 00:00:00 2001
From: Tejas Saubhage
Date: Sat, 14 Mar 2026 22:55:37 -0400
Subject: [PATCH 1/2] Fix missing username in uWSGI logs when using API Token authentication fixes #13751
---
 dojo/middleware.py | 19 +++++++++++++++++++
 dojo/settings/settings.dist.py | 1 +
 2 files changed, 20 insertions(+)
diff --git a/dojo/middleware.py b/dojo/middleware.py
index 8d274202f90..39a2be5fe7b 100644
--- a/dojo/middleware.py
+++ b/dojo/middleware.py
@@ -338,3 +338,22 @@ def _trigger_async_index_update(self, model_groups):
 for i, batch in enumerate(batches, 1):
 logger.debug(f"AsyncSearchContextMiddleware: Triggering batch {i}/{len(batches)} for {model_name}: {len(batch)} instances")
 update_watson_search_index_for_model(model_name, batch)
+
+
+class ApiTokenUsernameLoggingMiddleware:
+ """
+ Middleware to set REMOTE_USER in uWSGI logs when using API Token authentication.
+ When using API tokens, uWSGI logs show '-' instead of the username.
+ This middleware sets the REMOTE_USER environ variable so uWSGI can log it correctly.
+ """
+
+ def __init__(self, get_response):
+ self.get_response = get_response
+
+ def __call__(self, request):
+ response = self.get_response(request)
+ # After the request is processed, the user is authenticated
+ if request.user and request.user.is_authenticated:
+ # Set REMOTE_USER so uWSGI logs the username correctly
+ request.META["REMOTE_USER"] = request.user.username
+ return response
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 4bf0fbc651e..3d7dd140a8c 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
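Review bot: `__call__` in `ApiTokenUsernameLoggingMiddleware` writes `request.META["REMOTE_USER"]`, the same environ key that remote-user authentication reads as an identity assertion, and nothing in the class says why that is safe. The write happens only after `self.get_response(request)` has returned, so it cannot affect authentication of the current request; record that with a comment such as `# Written after the view ran: log attribution only, never an authentication input.` Whether uWSGI picks up an environ change made this late is not shown by the patch, so the log output should be checked against a running uWSGI before it is relied on for audit attribution. The same applies to `process_response` in `dojo/remote_user.py` in patch 2/2.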
@@ -992,6 +992,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 "django.middleware.security.SecurityMiddleware",
 "django_permissions_policy.PermissionsPolicyMiddleware",
 "django.contrib.auth.middleware.AuthenticationMiddleware",
+ "dojo.middleware.ApiTokenUsernameLoggingMiddleware",
 "django.contrib.messages.middleware.MessageMiddleware",
 "django.middleware.clickjacking.XFrameOptionsMiddleware",
 "dojo.middleware.LoginRequiredMiddleware",
From 05a8d7356e1ea92ca68e85f2e9b5df10cdcb7b7d Mon Sep 17 00:00:00 2001
From: Tejas Saubhage
Date: Sun, 15 Mar 2026 23:09:30 -0400
Subject: [PATCH 2/2] Move username logging to RemoteUserMiddleware in remote_user.py
---
 dojo/middleware.py | 18 ------------------
 dojo/remote_user.py | 6 ++++++
 dojo/settings/settings.dist.py | 1 -
 3 files changed, 6 insertions(+), 19 deletions(-)
diff --git a/dojo/middleware.py b/dojo/middleware.py
index 39a2be5fe7b..8ec43f05586 100644
--- a/dojo/middleware.py
+++ b/dojo/middleware.py
@@ -339,21 +339,3 @@ def _trigger_async_index_update(self, model_groups):
 logger.debug(f"AsyncSearchContextMiddleware: Triggering batch {i}/{len(batches)} for {model_name}: {len(batch)} instances")
 update_watson_search_index_for_model(model_name, batch)

-
-class ApiTokenUsernameLoggingMiddleware:
- """
- Middleware to set REMOTE_USER in uWSGI logs when using API Token authentication.
- When using API tokens, uWSGI logs show '-' instead of the username.
- This middleware sets the REMOTE_USER environ variable so uWSGI can log it correctly.
- """
-
- def __init__(self, get_response):
- self.get_response = get_response
-
- def __call__(self, request):
- response = self.get_response(request)
- # After the request is processed, the user is authenticated
- if request.user and request.user.is_authenticated:
- # Set REMOTE_USER so uWSGI logs the username correctly
- request.META["REMOTE_USER"] = request.user.username
- return response
diff --git a/dojo/remote_user.py b/dojo/remote_user.py
index 2362a05ad30..8b285188d0f 100644
--- a/dojo/remote_user.py
+++ b/dojo/remote_user.py
@@ -43,6 +43,12 @@ def process_request(self, request):
 settings.AUTH_REMOTEUSER_TRUSTED_PROXY)
 return None

+ def process_response(self, request, response):
+ # Set REMOTE_USER so uWSGI logs the username correctly for all auth methods
+ if hasattr(request, "user") and request.user and request.user.is_authenticated:
+ request.META["REMOTE_USER"] = request.user.username
+ return response
+

 class PersistentRemoteUserMiddleware(RemoteUserMiddleware):
 # same as https://github.com/django/django/blob/6654289f5b350dfca3dc4f6abab777459b906756/django/contrib/auth/middleware.py#L128
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 3d7dd140a8c..4bf0fbc651e 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -992,7 +992,6 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 "django.middleware.security.SecurityMiddleware",
 "django_permissions_policy.PermissionsPolicyMiddleware",
 "django.contrib.auth.middleware.AuthenticationMiddleware",
- "dojo.middleware.ApiTokenUsernameLoggingMiddleware",
 "django.contrib.messages.middleware.MessageMiddleware",
 "django.middleware.clickjacking.XFrameOptionsMiddleware",
 "dojo.middleware.LoginRequiredMiddleware",
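Review bot: `process_response` runs only where this `RemoteUserMiddleware` is installed, while the same commit removes the unconditional `MIDDLEWARE` entry from `settings.dist.py`, so the "for all auth methods" comment may overstate the coverage. If the class is added to `MIDDLEWARE` only when remote-user authentication is enabled (that part of the settings is outside the diff), API-token requests on other deployments would still be logged as `-` and lose attribution in the access log. Either keep a middleware that is always installed or reword the comment to `# Set REMOTE_USER for uWSGI logging; active only when this middleware is installed`. The class body begins outside the hunk.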