From bab09dff9539d53ea76ca58a6d1d2ac28f55302d Mon Sep 17 00:00:00 2001
From: Owen
Date: Mon, 16 Mar 2026 15:33:21 -0700
Subject: [PATCH] Add better metadata to ssh

---
 server/private/routers/external.ts | 2 +-
 server/private/routers/ssh/signSshKey.ts | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/server/private/routers/external.ts b/server/private/routers/external.ts
index bd4d232de..df8ea8cbb 100644
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -515,6 +515,6 @@ authenticated.post(
 verifyOrgAccess,
 verifyLimits,
 verifyUserHasAction(ActionsEnum.signSshKey),
- logActionAudit(ActionsEnum.signSshKey),
+ // logActionAudit(ActionsEnum.signSshKey), // it is handled inside of the function below so we can include more metadata
 ssh.signSshKey
 );
diff --git a/server/private/routers/ssh/signSshKey.ts b/server/private/routers/ssh/signSshKey.ts
index e70951812..5cffb4a34 100644
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -14,7 +14,9 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import {
+ actionAuditLog,
 db,
+ logsDb,
 newts,
 roles,
 roundTripMessageTracker,
@@ -34,6 +36,7 @@ import { canUserAccessSiteResource } from "@server/auth/canUserAccessSiteResourc
 import { signPublicKey, getOrgCAKeys } from "@server/lib/sshCA";
 import config from "@server/lib/config";
 import { sendToClient } from "#private/routers/ws";
+import { ActionsEnum } from "@server/auth/actions";

 const paramsSchema = z.strictObject({
 orgId: z.string().nonempty()
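Review bot: In server/private/routers/external.ts, taking `logActionAudit(ActionsEnum.signSshKey)` out of the `authenticated.post(` chain leaves the insert in signSshKey.ts as the only audit write visible in this patch, and that insert sits just before the success response. If the middleware recorded every request that passed `verifyUserHasAction`, attempts that the handler rejects or that fail during signing will no longer appear in the audit log, which matters for an endpoint that issues SSH certificates; consider also writing a row on the failure paths. The disabled call is better deleted and replaced by a plain comment such as `// audit row is written inside ssh.signSshKey so it can carry resource metadata`. The route definition starts above the hunk.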
@@ -446,6 +449,20 @@ export async function signSshKey(
 sshHost = resource.destination;
 }

+ await logsDb.insert(actionAuditLog).values({
+ timestamp: Math.floor(Date.now() / 1000),
+ orgId: orgId,
+ actorType: "user",
+ actor: req.user?.username ?? "",
+ actorId: req.user?.userId ?? "",
+ action: ActionsEnum.signSshKey,
+ metadata: JSON.stringify({
+ resourceId: resource.siteResourceId,
+ resource: resource.name,
+ siteId: resource.siteId,
+ })
+ });
+
 return response(res, {
 data: {
 certificate: cert.certificate,
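Review bot: The audit row falls back to empty strings (`actor: req.user?.username ?? ""`, `actorId: req.user?.userId ?? ""`), so a request with no `req.user` would still receive a certificate and leave an entry that cannot be attributed to anyone. Unless an earlier part of signSshKey (outside this hunk) already rejects a missing user, check `req.user` before signing and then write `actor: req.user.username` without the fallback. The metadata also names only the resource and site; adding whatever identifies the certificate itself (key ID or serial, principals, expiry, if the value returned by `signPublicKey` exposes them) would let a responder match an sshd login to this issuance record.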