From 54d210978fd5e72cd3e17f698a998ae47f86d521 Mon Sep 17 00:00:00 2001
From: toto <antitbone@jefaismonrhum.sdv.fr>
Date: Thu, 5 Mar 2026 14:42:00 +0100
Subject: [PATCH] fix: timestamp uses r->request_time; remove unparsed_uri,
 fragment from architecture

- FIX: timestamp JSON field now uses r->request_time (set at request reception
  by Apache) instead of apr_time_now() called during log processing
- DOC: remove unparsed_uri and fragment fields from architecture.yml data model
  (these fields are not logged by the module)
- DOC: update example_full and timestamp description in architecture.yml

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 architecture.yml    | 16 ++--------------
 mod_reqin_log.spec  |  7 ++++++-
 src/mod_reqin_log.c |  5 ++---
 3 files changed, 10 insertions(+), 18 deletions(-)

diff --git a/architecture.yml b/architecture.yml
index 285566e..6c089a1 100644
--- a/architecture.yml
+++ b/architecture.yml
@@ -98,7 +98,7 @@ module:
           description: >
             Wall-clock timestamp in microseconds since Unix epoch, expressed
             as nanoseconds for compatibility (multiplied by 1000).
-            Note: apr_time_now() returns microseconds with microsecond precision.
+            Uses r->request_time (set by Apache at request reception).
             The nanosecond representation is for API compatibility only.
           example: 1708948770000000000
         - name: scheme
@@ -120,12 +120,6 @@ module:
         - name: method
           type: string
           example: "GET"
-        - name: unparsed_uri
-          type: string
-          description: >
-            Raw, uncleaned URI exactly as requested by the client (r->unparsed_uri).
-            Essential for detecting Path Traversal or bot anomalies before Apache normalizes it.
-          example: "//dossier/../api/users"
         - name: path
           type: string
           description: Cleaned and normalized path (r->parsed_uri.path).
@@ -137,12 +131,6 @@ module:
             Does not include the leading '?'. Allows detection of payloads like
             SQLi or XSS passed in GET requests.
           example: "id=1%20UNION%20SELECT"
-        - name: fragment
-          type: string
-          description: >
-            Fragment component from the parsed URI (r->parsed_uri.fragment).
-            Does not include the leading '#'.
-          example: "section1"
         - name: host
           type: string
           example: "example.com"
@@ -174,7 +162,7 @@ module:
             header_X-Request-Id: "abcd-1234"
             header_User-Agent: "curl/7.70.0"
       example_full: |
-        {"time":"2026-02-26T11:59:30Z","timestamp":1708948770000000000,"scheme":"https","src_ip":"192.0.2.10","src_port":45678,"dst_ip":"198.51.100.5","dst_port":443,"method":"GET","unparsed_uri":"//api/users?id=1#section","path":"/api/users","query":"id=1","fragment":"section","host":"example.com","http_version":"HTTP/1.1","keepalives":0,"content_length":0,"header_X-Request-Id":"abcd-1234","header_User-Agent":"curl/7.70.0"}
+        {"time":"2026-02-26T11:59:30Z","timestamp":1708948770000000000,"scheme":"https","src_ip":"192.0.2.10","src_port":45678,"dst_ip":"198.51.100.5","dst_port":443,"method":"GET","path":"/api/users","query":"id=1","host":"example.com","http_version":"HTTP/1.1","keepalives":0,"content_length":0,"header_X-Request-Id":"abcd-1234","header_User-Agent":"curl/7.70.0"}
 
 configuration:
   scope: global
diff --git a/mod_reqin_log.spec b/mod_reqin_log.spec
index 11ffba0..797ea24 100644
--- a/mod_reqin_log.spec
+++ b/mod_reqin_log.spec
@@ -1,4 +1,4 @@
-%global spec_version 1.0.14
+%global spec_version 1.0.15
 
 Name:           mod_reqin_log
 Version:        %{spec_version}
@@ -37,6 +37,11 @@ install -m 644 %{_pkgroot}/%{_sysconfdir}/httpd/conf.d/mod_reqin_log.conf %{buil
 %doc %{_docdir}/%{name}
 
 %changelog
+* Thu Mar 05 2026 Developer <dev@example.com> - 1.0.15
+- FIX: timestamp field now uses r->request_time (request reception time) instead of apr_time_now()
+- DOC: Remove unparsed_uri and fragment fields from architecture.yml (not logged)
+- DOC: Update timestamp description and example_full in architecture.yml
+
 * Mon Mar 02 2026 Developer <dev@example.com> - 1.0.14
 - REFACTOR: Harmonize JSON field construction - all fields now end with comma
 - FIX: Remove duplicate comma between query and host fields
diff --git a/src/mod_reqin_log.c b/src/mod_reqin_log.c
index 1283879..1054d76 100644
--- a/src/mod_reqin_log.c
+++ b/src/mod_reqin_log.c
@@ -731,10 +731,9 @@ static void log_request(request_rec *r, reqin_log_config_t *cfg, reqin_log_child
     format_iso8601(&buf, r->request_time);
     dynbuf_append(&buf, "\",", 2);
 
-    /* timestamp (nanoseconds since epoch) */
+    /* timestamp (nanoseconds since epoch, from request reception time) */
     {
-        apr_time_t now = apr_time_now();
-        apr_uint64_t ns = ((apr_uint64_t)now) * APR_UINT64_C(1000);
+        apr_uint64_t ns = ((apr_uint64_t)r->request_time) * APR_UINT64_C(1000);
         char ts_buf[32];
         snprintf(ts_buf, sizeof(ts_buf), "%" APR_UINT64_T_FMT, ns);
         dynbuf_append(&buf, "\"timestamp\":", 12);