Add organisation visibility to admin API request logging #6532
Description
Problem
Traffic spikes on the admin API lack visibility into which organisation is the source. SDK requests are tracked in InfluxDB for billing, but admin requests have no equivalent attribution, which leads to efforts to find the traffic source from indirect artifacts.
Existing metrics (flagsmith_http_server_requests_total) include route, method, and response_status labels but not organisation context. Adding organisation_id as a Prometheus label would cause cardinality explosion in a multi-tenant SaaS environment.
Proposed Solution
Add organisation_id to structured JSON access logs for admin requests. Log search clients can aggregate data grouping by this new field.
Implementation:
- Create middleware that extracts organisation context from authenticated requests
- Use the existing
log_extra()mechanism inflagsmith-commonto attachorganisation_idto the WSGI environ - Configure
ACCESS_LOG_EXTRA_ITEMSto include the new field in JSON access logs
Acceptance Criteria
- Admin API access logs include
organisation_idfield when request is authenticated - Field is queryable via CloudWatch Logs Insights
- Documentation for common analysis queries