Improve logging for Git over HTTP with 2FA

Proposal

A customer, on zd-283642 (internal), requested improved logging for when an attack is made using Git over HTTP and 2FA is enabled.

Currently, this is what it looks like when a 2FA user performs a push using the correct username and password (in the case of 2FA the access token accordingly):

Started GET "/project/path.git/info/refs?service=git-receive-pack" for xxx.xxx.xxx.xxx at 2022-04-18 14:49:17 +0200
Processing by Repositories::GitHttpController#info_refs as */*
  Parameters: {"service"=>"git-receive-pack","repository_path"=>"project/path.git"}
Filter chain halted as :authenticate_user rendered or redirected
Completed 401 Unauthorized in 46ms (Views: 1.2ms | ActiveRecord: 21.3ms | Elasticsearch: 0.0ms | Allocations: 11360)

And this is what it looks like when an attacker guesses passwords:

Started GET "/project/path.git/info/refs?service=git-receive-pack" for xxx.xxx.xxx.xxx at 2022-04-18 14:49:17 +0200
Processing by Repositories::GitHttpController#info_refs as */*
  Parameters: {"service"=>"git-receive-pack","repository_path"=>"project/path.git"}
Filter chain halted as :authenticate_user rendered or redirected
Completed 401 Unauthorized in 46ms (Views: 1.2ms | ActiveRecord: 21.3ms | Elasticsearch: 0.0ms | Allocations: 11360)

Both are identical (apart from the time) "Completed 401 Unauthorized" events. My proposal would be to log something different when a user is using 2FA with Git over HTTPS, like:

Started GET "/project/path.git/info/refs?service=git-receive-pack" for xxx.xxx.xxx.xxx at 2022-04-18 14:49:17 +0200
Processing by Repositories::GitHttpController#info_refs as */*
  Parameters: {"service"=>"git-receive-pack", "repository_path"=>"project/path.git"}
Filter chain halted as :authenticate_user rendered or redirected
*Completed 401 token-based authentication* in 46ms (Views: 1.2ms | ActiveRecord: 21.3ms | Elasticsearch: 0.0ms | Allocations: 11360)

Instead of "Completed 401 Unauthorized", log e.g. "Completed 401 token-based authentication". Something like this would be fine. Then I could configure my firewall to block all IP addresses from attackers without blocking my own 2FA users.

Edited by Sean Carroll
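
How a log consumer could act on the proposed status text, as an added example that is not GitLab code and not part of the original issue: it groups the Rails log lines per request and counts only plain "401 Unauthorized" Git-over-HTTP responses per client IP. The sample log, its IP addresses, the threshold and the function names are constructed; the "token-based authentication" line exists only as the wording proposed here, and the log is assumed not to interleave requests.

```python
import re
from collections import Counter

# Constructed sample entries (documentation IP ranges). The "token-based
# authentication" status text is the wording proposed in this issue,
# not something current logs contain.
TOKEN_USER = '''\
Started GET "/project/path.git/info/refs?service=git-receive-pack" for 192.0.2.10 at 2022-04-18 14:49:17 +0200
Processing by Repositories::GitHttpController#info_refs as */*
Filter chain halted as :authenticate_user rendered or redirected
Completed 401 token-based authentication in 46ms (Views: 1.2ms | ActiveRecord: 21.3ms)
'''
GUESSER = '''\
Started GET "/project/path.git/info/refs?service=git-receive-pack" for 198.51.100.7 at 2022-04-18 14:49:18 +0200
Processing by Repositories::GitHttpController#info_refs as */*
Filter chain halted as :authenticate_user rendered or redirected
Completed 401 Unauthorized in 44ms (Views: 1.1ms | ActiveRecord: 20.9ms)
'''
SAMPLE_LOG = TOKEN_USER * 8 + GUESSER * 6

STARTED = re.compile(r'^Started \w+ "[^"]*" for (?P<ip>\S+) at ')
COMPLETED = re.compile(r'^Completed (?P<code>\d{3}) (?P<text>.+?) in \d+ms')
GIT_HTTP = "Repositories::GitHttpController#"


def failed_git_auth_by_ip(log_text):
    """Count plain '401 Unauthorized' Git-over-HTTP responses per client IP."""
    counts = Counter()
    ip = controller = None
    for line in log_text.splitlines():
        line = line.strip()
        if m := STARTED.match(line):
            ip, controller = m["ip"], None          # a new request begins
        elif line.startswith("Processing by "):
            controller = line.split()[2]            # e.g. Foo::BarController#action
        elif (m := COMPLETED.match(line)) and ip:
            is_git = (controller or "").startswith(GIT_HTTP)
            # Responses carrying the proposed token-based text are not counted.
            if is_git and m["code"] == "401" and m["text"] == "Unauthorized":
                counts[ip] += 1
            ip = controller = None                  # the request is finished
    return counts


def ips_to_block(log_text, threshold=5):
    """Return IPs with at least `threshold` plain 401s (threshold is an assumption)."""
    counts = failed_git_auth_by_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

With today's log format both clients would log "401 Unauthorized" and the 2FA user at 192.0.2.10 would cross the threshold as well, which is the problem the proposal describes.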