added stack trace to some logging

backend/middleware/apiLogger.js

@@ -36,6 +36,34 @@ const apiLogger = (req, res, next) => {
       userId: req.user?.id || 'anonymous'
     };
 
+    // Parse response body for error responses to include error details
+    if (res.statusCode >= 400) {
+      let errorDetails = null;
+      if (body) {
+        try {
+          const parsed = typeof body === 'string' ? JSON.parse(body) : body;
+          // Extract error message, validation errors, or full response
+          errorDetails = {
+            error: parsed.error || parsed.message || null,
+            errors: parsed.errors || null, // validation errors array
+            details: parsed.details || null
+          };
+          // Remove null values
+          Object.keys(errorDetails).forEach(key => {
+            if (errorDetails[key] === null) delete errorDetails[key];
+          });
+          if (Object.keys(errorDetails).length > 0) {
+            responseData.errorDetails = errorDetails;
+          }
+        } catch (e) {
+          // Body is not JSON, include as string (truncated)
+          if (typeof body === 'string' && body.length > 0) {
+            responseData.errorDetails = { raw: body.substring(0, 500) };
+          }
+        }
+      }
+    }
+
     if (res.statusCode >= 400 && res.statusCode < 500) {
       // Don't log 401s for /users/profile - these are expected auth checks
       if (!(res.statusCode === 401 && req.url === '/profile')) {

backend/middleware/rateLimiter.js

@@ -1,4 +1,5 @@
 const rateLimit = require("express-rate-limit");
+const logger = require("../utils/logger");
 
 // General rate limiter for Maps API endpoints
 const createMapsRateLimiter = (windowMs, max, message) => {
@@ -111,6 +112,21 @@ const uploadPresignLimiter = createUserBasedRateLimiter(
   "Too many upload requests. Please slow down."
 );
 
+// Helper to create a rate limit handler that logs the event
+const createRateLimitHandler = (limiterName) => (req, res, next, options) => {
+  const reqLogger = logger.withRequestId(req.id);
+  reqLogger.warn('Rate limit exceeded', {
+    limiter: limiterName,
+    ip: req.ip,
+    userId: req.user?.id || 'anonymous',
+    method: req.method,
+    url: req.url,
+    userAgent: req.get('User-Agent'),
+    message: options.message?.error || 'Rate limit exceeded'
+  });
+  res.status(options.statusCode).json(options.message);
+};
+
 // Authentication rate limiters
 const authRateLimiters = {
   // Login rate limiter - stricter to prevent brute force
@@ -124,6 +140,7 @@ const authRateLimiters = {
     standardHeaders: true,
     legacyHeaders: false,
     skipSuccessfulRequests: true, // Don't count successful logins
+    handler: createRateLimitHandler('login'),
   }),
 
   // Registration rate limiter
@@ -136,6 +153,7 @@ const authRateLimiters = {
     },
     standardHeaders: true,
     legacyHeaders: false,
+    handler: createRateLimitHandler('register'),
   }),
 
   // Password reset rate limiter
@@ -148,6 +166,7 @@ const authRateLimiters = {
     },
     standardHeaders: true,
     legacyHeaders: false,
+    handler: createRateLimitHandler('passwordReset'),
   }),
 
   // Alpha code validation rate limiter
@@ -160,6 +179,7 @@ const authRateLimiters = {
     },
     standardHeaders: true,
     legacyHeaders: false,
+    handler: createRateLimitHandler('alphaCodeValidation'),
   }),
 
   // Email verification rate limiter - protect against brute force on 6-digit codes
@@ -172,6 +192,7 @@ const authRateLimiters = {
     },
     standardHeaders: true,
     legacyHeaders: false,
+    handler: createRateLimitHandler('emailVerification'),
   }),
 
   // General API rate limiter
@@ -184,6 +205,7 @@ const authRateLimiters = {
     },
     standardHeaders: true,
     legacyHeaders: false,
+    handler: createRateLimitHandler('general'),
   }),
 };