Having had to debug customer reports that tempurl "does not work", I found it can be be useful to see exactly what they sent, vs what they thought they sent. So as debug aid, I suggest you have a way of switching this off with something like:
By only logging for specific accounts, you don't expose all users. You can advise the account owner to change their keys after the debug period is over.
[Even with logging, it can still be hard to debug because the proxy-logger URL-encodes before logging and this is often the area where signature-encoding is wrong to start with]
Having had to debug customer reports that tempurl "does not work", I found it can be be useful to see exactly what they sent, vs what they thought they sent. So as debug aid, I suggest you have a way of switching this off with something like:
[tempurl] signatures_ for_accounts: AUTH_test, AUTH_other
log_
By only logging for specific accounts, you don't expose all users. You can advise the account owner to change their keys after the debug period is over.
[Even with logging, it can still be hard to debug because the proxy-logger URL-encodes before logging and this is often the area where signature-encoding is wrong to start with]