calvin.erfmann/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-02-11 20:29:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Access logs working

Browse Source
This commit is contained in:
Owen
2025-10-22 17:42:27 -07:00
parent 7f981f05fb
commit 0211f75cb6
28 changed files with 1003 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
server/db/pg/schema/privateSchema.ts
View File

@@ -230,23 +230,22 @@ export const actionAuditLog = pgTable("actionAuditLog", {
index("idx_actionAuditLog_org_timestamp").on(table.orgId, table.timestamp)
]));
export const identityAuditLog = pgTable("identityAuditLog", {
export const accessAuditLog = pgTable("accessAuditLog", {
id: serial("id").primaryKey(),
timestamp: bigint("timestamp", { mode: "number" }).notNull(), // this is EPOCH time in seconds
orgId: varchar("orgId")
.notNull()
.references(() => orgs.orgId, { onDelete: "cascade" }),
actorType: varchar("actorType", { length: 50 }).notNull(),
actor: varchar("actor", { length: 255 }).notNull(),
actorId: varchar("actorId", { length: 255 }).notNull(),
actorType: varchar("actorType", { length: 50 }),
actor: varchar("actor", { length: 255 }),
actorId: varchar("actorId", { length: 255 }),
resourceId: integer("resourceId"),
ip: varchar("ip", { length: 45 }).notNull(),
ip: varchar("ip", { length: 45 }),
type: varchar("type", { length: 100 }).notNull(),
action: varchar("action", { length: 100 }).notNull(),
action: boolean("action").notNull(),
location: text("location"),
path: text("path"),
userAgent: text("userAgent"),
metadata: text("details")
metadata: text("metadata")
}, (table) => ([
index("idx_identityAuditLog_timestamp").on(table.timestamp),
index("idx_identityAuditLog_org_timestamp").on(table.orgId, table.timestamp)
@@ -270,4 +269,4 @@ export type RemoteExitNodeSession = InferSelectModel<
export type ExitNodeOrg = InferSelectModel<typeof exitNodeOrgs>;
export type LoginPage = InferSelectModel<typeof loginPage>;
export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
export type IdentityAuditLog = InferSelectModel<typeof identityAuditLog>;
export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;

2
server/db/pg/schema/schema.ts
View File

@@ -688,7 +688,7 @@ export const requestAuditLog = pgTable(
ip: text("ip"),
location: text("location"),
userAgent: text("userAgent"),
metadata: text("details"),
metadata: text("metadata"),
headers: text("headers"), // JSON blob
query: text("query"), // JSON blob
originalRequestURL: text("originalRequestURL"),

20
server/db/sqlite/schema/privateSchema.ts
View File

@@ -225,23 +225,22 @@ export const actionAuditLog = sqliteTable("actionAuditLog", {
index("idx_actionAuditLog_org_timestamp").on(table.orgId, table.timestamp)
]));
export const identityAuditLog = sqliteTable("identityAuditLog", {
export const accessAuditLog = sqliteTable("accessAuditLog", {
id: integer("id").primaryKey({ autoIncrement: true }),
timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
orgId: text("orgId")
.notNull()
.references(() => orgs.orgId, { onDelete: "cascade" }),
actorType: text("actorType").notNull(),
actor: text("actor").notNull(),
actorId: text("actorId").notNull(),
actorType: text("actorType"),
actor: text("actor"),
actorId: text("actorId"),
resourceId: integer("resourceId"),
ip: text("ip").notNull(),
type: text("type").notNull(),
action: text("action").notNull(),
ip: text("ip"),
location: text("location"),
path: text("path"),
type: text("type").notNull(),
action: integer("action", { mode: "boolean" }).notNull(),
userAgent: text("userAgent"),
metadata: text("details")
metadata: text("metadata")
}, (table) => ([
index("idx_identityAuditLog_timestamp").on(table.timestamp),
index("idx_identityAuditLog_org_timestamp").on(table.orgId, table.timestamp)
@@ -264,4 +263,5 @@ export type RemoteExitNodeSession = InferSelectModel<
>;
export type ExitNodeOrg = InferSelectModel<typeof exitNodeOrgs>;
export type LoginPage = InferSelectModel<typeof loginPage>;
export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;

2
server/db/sqlite/schema/schema.ts
View File

@@ -733,7 +733,7 @@ export const requestAuditLog = sqliteTable(
ip: text("ip"),
location: text("location"),
userAgent: text("userAgent"),
metadata: text("details"),
metadata: text("metadata"),
headers: text("headers"), // JSON blob
query: text("query"), // JSON blob
originalRequestURL: text("originalRequestURL"),

102
server/private/lib/logAccessAudit.ts Normal file
View File

@@ -0,0 +1,102 @@
import { accessAuditLog, db } from "@server/db";
import { getCountryCodeForIp } from "@server/lib/geoip";
import logger from "@server/logger";
import NodeCache from "node-cache";
const cache = new NodeCache({
stdTTL: 5 // seconds
});
export async function logAccessAudit(data: {
action: boolean;
type: string;
orgId: string;
resourceId?: number;
user?: { username: string; userId: string };
apiKey?: { name: string | null; apiKeyId: string };
metadata?: any;
userAgent?: string;
requestIp?: string;
}) {
try {
let actorType: string | undefined;
let actor: string | undefined;
let actorId: string | undefined;
const user = data.user;
if (user) {
actorType = "user";
actor = user.username;
actorId = user.userId;
}
const apiKey = data.apiKey;
if (apiKey) {
actorType = "apiKey";
actor = apiKey.name || apiKey.apiKeyId;
actorId = apiKey.apiKeyId;
}
// if (!actorType || !actor || !actorId) {
// logger.warn("logRequestAudit: Incomplete actor information");
// return;
// }
const timestamp = Math.floor(Date.now() / 1000);
let metadata = null;
if (metadata) {
metadata = JSON.stringify(metadata);
}
const clientIp = data.requestIp
? (() => {
if (
data.requestIp.startsWith("[") &&
data.requestIp.includes("]")
) {
// if brackets are found, extract the IPv6 address from between the brackets
const ipv6Match = data.requestIp.match(/\[(.*?)\]/);
if (ipv6Match) {
return ipv6Match[1];
}
}
return data.requestIp;
})()
: undefined;
const countryCode = data.requestIp
? await getCountryCodeFromIp(data.requestIp)
: undefined;
await db.insert(accessAuditLog).values({
timestamp: timestamp,
orgId: data.orgId,
actorType,
actor,
actorId,
action: data.action,
type: data.type,
metadata,
resourceId: data.resourceId,
userAgent: data.userAgent,
ip: clientIp,
location: countryCode
});
} catch (error) {
logger.error(error);
}
}
async function getCountryCodeFromIp(ip: string): Promise<string | undefined> {
const geoIpCacheKey = `geoip_access:${ip}`;
let cachedCountryCode: string | undefined = cache.get(geoIpCacheKey);
if (!cachedCountryCode) {
cachedCountryCode = await getCountryCodeForIp(ip); // do it locally
// Cache for longer since IP geolocation doesn't change frequently
cache.set(geoIpCacheKey, cachedCountryCode, 300); // 5 minutes
}
return cachedCountryCode;
}

81
server/private/routers/auditLogs/exportAccessAuditLog.ts Normal file
View File

@@ -0,0 +1,81 @@
/*
* This file is part of a proprietary work.
*
* Copyright (c) 2025 Fossorial, Inc.
* All rights reserved.
*
* This file is licensed under the Fossorial Commercial License.
* You may not use this file except in compliance with the License.
* Unauthorized use, copying, modification, or distribution is strictly prohibited.
*
* This file is not licensed under the AGPLv3.
*/
import { registry } from "@server/openApi";
import { NextFunction } from "express";
import { Request, Response } from "express";
import { OpenAPITags } from "@server/openApi";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
import { fromError } from "zod-validation-error";
import logger from "@server/logger";
import { queryAccessAuditLogsParams, queryAccessAuditLogsQuery, queryAccess } from "./queryAccessAuditLog";
import { generateCSV } from "@server/routers/auditLogs/generateCSV";
registry.registerPath({
method: "get",
path: "/org/{orgId}/logs/access/export",
description: "Export the access audit log for an organization as CSV",
tags: [OpenAPITags.Org],
request: {
query: queryAccessAuditLogsQuery,
params: queryAccessAuditLogsParams
},
responses: {}
});
export async function exportAccessAuditLogs(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedQuery = queryAccessAuditLogsQuery.safeParse(req.query);
if (!parsedQuery.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedQuery.error)
)
);
}
const { timeStart, timeEnd, limit, offset } = parsedQuery.data;
const parsedParams = queryAccessAuditLogsParams.safeParse(req.params);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error)
)
);
}
const { orgId } = parsedParams.data;
const baseQuery = queryAccess(timeStart, timeEnd, orgId);
const log = await baseQuery.limit(limit).offset(offset);
const csvData = generateCSV(log);
res.setHeader('Content-Type', 'text/csv');
res.setHeader('Content-Disposition', `attachment; filename="access-audit-logs-${orgId}-${Date.now()}.csv"`);
return res.send(csvData);
} catch (error) {
logger.error(error);
return next(
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
);
}
}

11
server/private/routers/auditLogs/exportActionAuditLog.ts
View File

@@ -11,25 +11,20 @@
* This file is not licensed under the AGPLv3.
*/
import { actionAuditLog, db } from "@server/db";
import { registry } from "@server/openApi";
import { NextFunction } from "express";
import { Request, Response } from "express";
import { eq, gt, lt, and, count } from "drizzle-orm";
import { OpenAPITags } from "@server/openApi";
import { z } from "zod";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
import { fromError } from "zod-validation-error";
import { QueryActionAuditLogResponse } from "@server/routers/auditLogs/types";
import response from "@server/lib/response";
import logger from "@server/logger";
import { queryActionAuditLogsParams, queryActionAuditLogsQuery, querySites } from "./queryActionAuditLog";
import { queryActionAuditLogsParams, queryActionAuditLogsQuery, queryAction } from "./queryActionAuditLog";
import { generateCSV } from "@server/routers/auditLogs/generateCSV";
registry.registerPath({
method: "get",
path: "/org/{orgId}/logs/actionk/export",
path: "/org/{orgId}/logs/action/export",
description: "Export the action audit log for an organization as CSV",
tags: [OpenAPITags.Org],
request: {
@@ -67,7 +62,7 @@ export async function exportActionAuditLogs(
}
const { orgId } = parsedParams.data;
const baseQuery = querySites(timeStart, timeEnd, orgId);
const baseQuery = queryAction(timeStart, timeEnd, orgId);
const log = await baseQuery.limit(limit).offset(offset);

4
server/private/routers/auditLogs/index.ts
View File

@@ -12,4 +12,6 @@
*/
export * from "./queryActionAuditLog";
export * from "./exportActionAuditLog";
export * from "./exportActionAuditLog";
export * from "./queryAccessAuditLog";
export * from "./exportAccessAuditLog";

173
server/private/routers/auditLogs/queryAccessAuditLog.ts Normal file
View File

@@ -0,0 +1,173 @@
/*
* This file is part of a proprietary work.
*
* Copyright (c) 2025 Fossorial, Inc.
* All rights reserved.
*
* This file is licensed under the Fossorial Commercial License.
* You may not use this file except in compliance with the License.
* Unauthorized use, copying, modification, or distribution is strictly prohibited.
*
* This file is not licensed under the AGPLv3.
*/
import { accessAuditLog, db, resources } from "@server/db";
import { registry } from "@server/openApi";
import { NextFunction } from "express";
import { Request, Response } from "express";
import { eq, gt, lt, and, count } from "drizzle-orm";
import { OpenAPITags } from "@server/openApi";
import { z } from "zod";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
import { fromError } from "zod-validation-error";
import { QueryAccessAuditLogResponse } from "@server/routers/auditLogs/types";
import response from "@server/lib/response";
import logger from "@server/logger";
export const queryAccessAuditLogsQuery = z.object({
// iso string just validate its a parseable date
timeStart: z
.string()
.refine((val) => !isNaN(Date.parse(val)), {
message: "timeStart must be a valid ISO date string"
})
.transform((val) => Math.floor(new Date(val).getTime() / 1000)),
timeEnd: z
.string()
.refine((val) => !isNaN(Date.parse(val)), {
message: "timeEnd must be a valid ISO date string"
})
.transform((val) => Math.floor(new Date(val).getTime() / 1000))
.optional()
.default(new Date().toISOString()),
limit: z
.string()
.optional()
.default("1000")
.transform(Number)
.pipe(z.number().int().positive()),
offset: z
.string()
.optional()
.default("0")
.transform(Number)
.pipe(z.number().int().nonnegative())
});
export const queryAccessAuditLogsParams = z.object({
orgId: z.string()
});
export function queryAccess(timeStart: number, timeEnd: number, orgId: string) {
return db
.select({
orgId: accessAuditLog.orgId,
action: accessAuditLog.action,
actorType: accessAuditLog.actorType,
actorId: accessAuditLog.actorId,
resourceId: accessAuditLog.resourceId,
resourceName: resources.name,
resourceNiceId: resources.niceId,
ip: accessAuditLog.ip,
location: accessAuditLog.location,
userAgent: accessAuditLog.userAgent,
metadata: accessAuditLog.metadata,
type: accessAuditLog.type,
timestamp: accessAuditLog.timestamp,
actor: accessAuditLog.actor
})
.from(accessAuditLog)
.leftJoin(resources, eq(accessAuditLog.resourceId, resources.resourceId))
.where(
and(
gt(accessAuditLog.timestamp, timeStart),
lt(accessAuditLog.timestamp, timeEnd),
eq(accessAuditLog.orgId, orgId)
)
)
.orderBy(accessAuditLog.timestamp);
}
export function countAccessQuery(timeStart: number, timeEnd: number, orgId: string) {
const countQuery = db
.select({ count: count() })
.from(accessAuditLog)
.where(
and(
gt(accessAuditLog.timestamp, timeStart),
lt(accessAuditLog.timestamp, timeEnd),
eq(accessAuditLog.orgId, orgId)
)
);
return countQuery;
}
registry.registerPath({
method: "get",
path: "/org/{orgId}/logs/access",
description: "Query the access audit log for an organization",
tags: [OpenAPITags.Org],
request: {
query: queryAccessAuditLogsQuery,
params: queryAccessAuditLogsParams
},
responses: {}
});
export async function queryAccessAuditLogs(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedQuery = queryAccessAuditLogsQuery.safeParse(req.query);
if (!parsedQuery.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedQuery.error)
)
);
}
const { timeStart, timeEnd, limit, offset } = parsedQuery.data;
const parsedParams = queryAccessAuditLogsParams.safeParse(req.params);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error)
)
);
}
const { orgId } = parsedParams.data;
const baseQuery = queryAccess(timeStart, timeEnd, orgId);
const log = await baseQuery.limit(limit).offset(offset);
const totalCountResult = await countAccessQuery(timeStart, timeEnd, orgId);
const totalCount = totalCountResult[0].count;
return response<QueryAccessAuditLogResponse>(res, {
data: {
log: log,
pagination: {
total: totalCount,
limit,
offset
}
},
success: true,
error: false,
message: "Access audit logs retrieved successfully",
status: HttpCode.OK
});
} catch (error) {
logger.error(error);
return next(
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
);
}
}

8
server/private/routers/auditLogs/queryActionAuditLog.ts
View File

@@ -59,7 +59,7 @@ export const queryActionAuditLogsParams = z.object({
orgId: z.string()
});
export function querySites(timeStart: number, timeEnd: number, orgId: string) {
export function queryAction(timeStart: number, timeEnd: number, orgId: string) {
return db
.select({
orgId: actionAuditLog.orgId,
@@ -80,7 +80,7 @@ export function querySites(timeStart: number, timeEnd: number, orgId: string) {
.orderBy(actionAuditLog.timestamp);
}
export function countQuery(timeStart: number, timeEnd: number, orgId: string) {
export function countActionQuery(timeStart: number, timeEnd: number, orgId: string) {
const countQuery = db
.select({ count: count() })
.from(actionAuditLog)
@@ -134,11 +134,11 @@ export async function queryActionAuditLogs(
}
const { orgId } = parsedParams.data;
const baseQuery = querySites(timeStart, timeEnd, orgId);
const baseQuery = queryAction(timeStart, timeEnd, orgId);
const log = await baseQuery.limit(limit).offset(offset);
const totalCountResult = await countQuery(timeStart, timeEnd, orgId);
const totalCountResult = await countActionQuery(timeStart, timeEnd, orgId);
const totalCount = totalCountResult[0].count;
return response<QueryActionAuditLogResponse>(res, {

11
server/private/routers/external.ts
View File

@@ -351,8 +351,17 @@ authenticated.get(
logs.queryActionAuditLogs
)
authenticated.get(
"/org/:orgId/logs/action/export",
logs.exportActionAuditLogs
)
authenticated.get(
"/org/:orgId/logs/access",
logs.queryAccessAuditLogs
)
authenticated.get(
"/org/:orgId/logs/access/export",
logs.exportAccessAuditLogs
)

4
server/routers/auditLogs/exportRequstAuditLog.ts
View File

@@ -11,7 +11,7 @@ import { fromError } from "zod-validation-error";
import { QueryRequestAuditLogResponse } from "@server/routers/auditLogs/types";
import response from "@server/lib/response";
import logger from "@server/logger";
import { queryAccessAuditLogsQuery, queryRequestAuditLogsParams, querySites } from "./queryRequstAuditLog";
import { queryAccessAuditLogsQuery, queryRequestAuditLogsParams, queryRequest } from "./queryRequstAuditLog";
import { generateCSV } from "./generateCSV";
registry.registerPath({
@@ -54,7 +54,7 @@ export async function exportRequestAuditLogs(
}
const { orgId } = parsedParams.data;
const baseQuery = querySites(timeStart, timeEnd, orgId);
const baseQuery = queryRequest(timeStart, timeEnd, orgId);
const log = await baseQuery.limit(limit).offset(offset);

8
server/routers/auditLogs/queryRequstAuditLog.ts
View File

@@ -46,7 +46,7 @@ export const queryRequestAuditLogsParams = z.object({
orgId: z.string()
});
export function querySites(timeStart: number, timeEnd: number, orgId: string) {
export function queryRequest(timeStart: number, timeEnd: number, orgId: string) {
return db
.select({
timestamp: requestAuditLog.timestamp,
@@ -84,7 +84,7 @@ export function querySites(timeStart: number, timeEnd: number, orgId: string) {
.orderBy(requestAuditLog.timestamp);
}
export function countQuery(timeStart: number, timeEnd: number, orgId: string) {
export function countRequestQuery(timeStart: number, timeEnd: number, orgId: string) {
const countQuery = db
.select({ count: count() })
.from(requestAuditLog)
@@ -138,11 +138,11 @@ export async function queryRequestAuditLogs(
}
const { orgId } = parsedParams.data;
const baseQuery = querySites(timeStart, timeEnd, orgId);
const baseQuery = queryRequest(timeStart, timeEnd, orgId);
const log = await baseQuery.limit(limit).offset(offset);
const totalCountResult = await countQuery(timeStart, timeEnd, orgId);
const totalCountResult = await countRequestQuery(timeStart, timeEnd, orgId);
const totalCount = totalCountResult[0].count;
return response<QueryRequestAuditLogResponse>(res, {

26
server/routers/auditLogs/types.ts
View File

@@ -44,4 +44,28 @@ export type QueryRequestAuditLogResponse = {
limit: number;
offset: number;
};
};
};
export type QueryAccessAuditLogResponse = {
log: {
orgId: string;
action: string;
type: string;
resourceId: number | null;
resourceName: string | null;
resourceNiceId: string | null;
ip: string | null;
location: string | null;
userAgent: string | null;
metadata: string | null;
actorType: string;
actorId: string;
timestamp: number;
actor: string;
}[];
pagination: {
total: number;
limit: number;
offset: number;
};
};

66
server/routers/auth/login.ts
View File

@@ -3,7 +3,7 @@ import {
generateSessionToken,
serializeSessionCookie
} from "@server/auth/sessions/app";
import { db } from "@server/db";
import { db, resources } from "@server/db";
import { users, securityKeys } from "@server/db";
import HttpCode from "@server/types/HttpCode";
import response from "@server/lib/response";
@@ -18,12 +18,14 @@ import logger from "@server/logger";
import { verifyPassword } from "@server/auth/password";
import { verifySession } from "@server/auth/sessions/verifySession";
import { UserType } from "@server/types/UserTypes";
import { logAccessAudit } from "@server/private/lib/logAccessAudit";
export const loginBodySchema = z
.object({
email: z.string().toLowerCase().email(),
password: z.string(),
code: z.string().optional()
code: z.string().optional(),
resourceGuid: z.string().optional()
})
.strict();
@@ -52,7 +54,7 @@ export async function login(
);
}
const { email, password, code } = parsedBody.data;
const { email, password, code, resourceGuid } = parsedBody.data;
try {
const { session: existingSession } = await verifySession(req);
@@ -66,6 +68,28 @@ export async function login(
});
}
let resourceId: number | null = null;
let orgId: string | null = null;
if (resourceGuid) {
const [resource] = await db
.select()
.from(resources)
.where(eq(resources.resourceGuid, resourceGuid))
.limit(1);
if (!resource) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`Resource with GUID ${resourceGuid} not found`
)
);
}
resourceId = resource.resourceId;
orgId = resource.orgId;
}
const existingUserRes = await db
.select()
.from(users)
@@ -78,6 +102,18 @@ export async function login(
`Username or password incorrect. Email: ${email}. IP: ${req.ip}.`
);
}
if (resourceId && orgId) {
logAccessAudit({
orgId: orgId,
resourceId: resourceId,
action: false,
type: "login",
userAgent: req.headers["user-agent"],
requestIp: req.ip
});
}
return next(
createHttpError(
HttpCode.UNAUTHORIZED,
@@ -98,6 +134,18 @@ export async function login(
`Username or password incorrect. Email: ${email}. IP: ${req.ip}.`
);
}
if (resourceId && orgId) {
logAccessAudit({
orgId: orgId,
resourceId: resourceId,
action: false,
type: "login",
userAgent: req.headers["user-agent"],
requestIp: req.ip
});
}
return next(
createHttpError(
HttpCode.UNAUTHORIZED,
@@ -158,6 +206,18 @@ export async function login(
`Two-factor code incorrect. Email: ${email}. IP: ${req.ip}.`
);
}
if (resourceId && orgId) {
logAccessAudit({
orgId: orgId,
resourceId: resourceId,
action: false,
type: "login",
userAgent: req.headers["user-agent"],
requestIp: req.ip
});
}
return next(
createHttpError(
HttpCode.UNAUTHORIZED,

24
server/routers/resource/authWithAccessToken.ts
View File

@@ -10,11 +10,10 @@ import { z } from "zod";
import { fromError } from "zod-validation-error";
import { createResourceSession } from "@server/auth/sessions/resource";
import logger from "@server/logger";
import {
verifyResourceAccessToken
} from "@server/auth/verifyResourceAccessToken";
import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
import config from "@server/lib/config";
import stoi from "@server/lib/stoi";
import { logAccessAudit } from "@server/private/lib/logAccessAudit";
const authWithAccessTokenBodySchema = z
.object({
@@ -131,6 +130,16 @@ export async function authWithAccessToken(
`Resource access token invalid. Resource ID: ${resource.resourceId}. IP: ${req.ip}.`
);
}
logAccessAudit({
orgId: resource.orgId,
resourceId: resource.resourceId,
action: false,
type: "accessToken",
userAgent: req.headers["user-agent"],
requestIp: req.ip
});
return next(
createHttpError(
HttpCode.UNAUTHORIZED,
@@ -150,6 +159,15 @@ export async function authWithAccessToken(
doNotExtend: true
});
logAccessAudit({
orgId: resource.orgId,
resourceId: resource.resourceId,
action: true,
type: "accessToken",
userAgent: req.headers["user-agent"],
requestIp: req.ip
});
return response<AuthWithAccessTokenResponse>(res, {
data: {
session: token,

20
server/routers/resource/authWithPassword.ts
View File

@@ -13,6 +13,7 @@ import { createResourceSession } from "@server/auth/sessions/resource";
import logger from "@server/logger";
import { verifyPassword } from "@server/auth/password";
import config from "@server/lib/config";
import { logAccessAudit } from "@server/private/lib/logAccessAudit";
export const authWithPasswordBodySchema = z
.object({
@@ -113,6 +114,16 @@ export async function authWithPassword(
`Resource password incorrect. Resource ID: ${resource.resourceId}. IP: ${req.ip}.`
);
}
logAccessAudit({
orgId: org.orgId,
resourceId: resource.resourceId,
action: false,
type: "password",
userAgent: req.headers["user-agent"],
requestIp: req.ip
});
return next(
createHttpError(HttpCode.UNAUTHORIZED, "Incorrect password")
);
@@ -129,6 +140,15 @@ export async function authWithPassword(
doNotExtend: true
});
logAccessAudit({
orgId: org.orgId,
resourceId: resource.resourceId,
action: true,
type: "password",
userAgent: req.headers["user-agent"],
requestIp: req.ip
});
return response<AuthWithPasswordResponse>(res, {
data: {
session: token

20
server/routers/resource/authWithPincode.ts
View File

@@ -12,6 +12,7 @@ import { createResourceSession } from "@server/auth/sessions/resource";
import logger from "@server/logger";
import { verifyPassword } from "@server/auth/password";
import config from "@server/lib/config";
import { logAccessAudit } from "@server/private/lib/logAccessAudit";
export const authWithPincodeBodySchema = z
.object({
@@ -112,6 +113,16 @@ export async function authWithPincode(
`Resource pin code incorrect. Resource ID: ${resource.resourceId}. IP: ${req.ip}.`
);
}
logAccessAudit({
orgId: org.orgId,
resourceId: resource.resourceId,
action: false,
type: "pincode",
userAgent: req.headers["user-agent"],
requestIp: req.ip
});
return next(
createHttpError(HttpCode.UNAUTHORIZED, "Incorrect PIN")
);
@@ -128,6 +139,15 @@ export async function authWithPincode(
doNotExtend: true
});
logAccessAudit({
orgId: org.orgId,
resourceId: resource.resourceId,
action: true,
type: "pincode",
userAgent: req.headers["user-agent"],
requestIp: req.ip
});
return response<AuthWithPincodeResponse>(res, {
data: {
session: token

36
server/routers/resource/authWithWhitelist.ts
View File

@@ -1,11 +1,6 @@
import { generateSessionToken } from "@server/auth/sessions/app";
import { db } from "@server/db";
import {
orgs,
resourceOtp,
resources,
resourceWhitelist
} from "@server/db";
import { orgs, resourceOtp, resources, resourceWhitelist } from "@server/db";
import HttpCode from "@server/types/HttpCode";
import response from "@server/lib/response";
import { eq, and } from "drizzle-orm";
@@ -17,13 +12,11 @@ import { createResourceSession } from "@server/auth/sessions/resource";
import { isValidOtp, sendResourceOtpEmail } from "@server/auth/resourceOtp";
import logger from "@server/logger";
import config from "@server/lib/config";
import { logAccessAudit } from "@server/private/lib/logAccessAudit";
const authWithWhitelistBodySchema = z
.object({
email: z
.string()
.toLowerCase()
.email(),
email: z.string().toLowerCase().email(),
otp: z.string().optional()
})
.strict();
@@ -126,6 +119,19 @@ export async function authWithWhitelist(
`Email is not whitelisted. Email: ${email}. IP: ${req.ip}.`
);
}
if (org && resource) {
logAccessAudit({
orgId: org.orgId,
resourceId: resource.resourceId,
action: false,
type: "whitelistedEmail",
metadata: { email },
userAgent: req.headers["user-agent"],
requestIp: req.ip
});
}
return next(
createHttpError(
HttpCode.UNAUTHORIZED,
@@ -219,6 +225,16 @@ export async function authWithWhitelist(
doNotExtend: true
});
logAccessAudit({
orgId: org.orgId,
resourceId: resource.resourceId,
action: true,
metadata: { email },
type: "whitelistedEmail",
userAgent: req.headers["user-agent"],
requestIp: req.ip
});
return response<AuthWithWhitelistResponse>(res, {
data: {
session: token

24
server/routers/resource/getExchangeToken.ts
View File

@@ -10,11 +10,10 @@ import { fromError } from "zod-validation-error";
import logger from "@server/logger";
import { generateSessionToken } from "@server/auth/sessions/app";
import config from "@server/lib/config";
import {
encodeHexLowerCase
} from "@oslojs/encoding";
import { encodeHexLowerCase } from "@oslojs/encoding";
import { sha256 } from "@oslojs/crypto/sha2";
import { response } from "@server/lib/response";
import { logAccessAudit } from "@server/private/lib/logAccessAudit";
const getExchangeTokenParams = z
.object({
@@ -47,13 +46,13 @@ export async function getExchangeToken(
const { resourceId } = parsedParams.data;
const resource = await db
const [resource] = await db
.select()
.from(resources)
.where(eq(resources.resourceId, resourceId))
.limit(1);
if (resource.length === 0) {
if (!resource) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
@@ -89,6 +88,21 @@ export async function getExchangeToken(
doNotExtend: true
});
if (req.user) {
logAccessAudit({
orgId: resource.orgId,
resourceId: resourceId,
user: {
username: req.user.username,
userId: req.user.userId
},
action: true,
type: "login",
userAgent: req.headers["user-agent"],
requestIp: req.ip
});
}
logger.debug("Request token created successfully");
return response<GetExchangeTokenResponse>(res, {