add failed auth logging

2026-02-22 21:06:37 +00:00 · 2025-01-27 22:43:32 -05:00
parent fdb1ab4bd9
commit 0bd8217d9e
16 changed files with 175 additions and 25 deletions
--- a/server/routers/resource/authWithAccessToken.ts
+++ b/server/routers/resource/authWithAccessToken.ts
@@ -8,11 +8,10 @@ import { NextFunction, Request, Response } from "express";
 import createHttpError from "http-errors";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
-import {
-    createResourceSession,
-} from "@server/auth/sessions/resource";
+import { createResourceSession } from "@server/auth/sessions/resource";
 import logger from "@server/logger";
 import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
+import config from "@server/lib/config";

 const authWithAccessTokenBodySchema = z
    .object({
@@ -84,6 +83,11 @@ export async function authWithAccessToken(
        });

        if (!valid) {
+            if (config.getRawConfig().app.log_failed_attempts) {
+                logger.info(
+                    `Resource access token invalid. Resource ID: ${resource.resourceId}. IP: ${req.ip}.`
+                );
+            }
            return next(
                createHttpError(
                    HttpCode.UNAUTHORIZED,
--- a/server/routers/resource/authWithPassword.ts
+++ b/server/routers/resource/authWithPassword.ts
@@ -9,11 +9,10 @@ import { NextFunction, Request, Response } from "express";
 import createHttpError from "http-errors";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
-import {
-    createResourceSession,
-} from "@server/auth/sessions/resource";
+import { createResourceSession } from "@server/auth/sessions/resource";
 import logger from "@server/logger";
 import { verifyPassword } from "@server/auth/password";
+import config from "@server/lib/config";

 export const authWithPasswordBodySchema = z
    .object({
@@ -82,7 +81,7 @@ export async function authWithPassword(

        if (!org) {
            return next(
-                createHttpError(HttpCode.BAD_REQUEST, "Resource does not exist")
+                createHttpError(HttpCode.BAD_REQUEST, "Org does not exist")
            );
        }

@@ -109,6 +108,11 @@ export async function authWithPassword(
            definedPassword.passwordHash
        );
        if (!validPassword) {
+            if (config.getRawConfig().app.log_failed_attempts) {
+                logger.info(
+                    `Resource password incorrect. Resource ID: ${resource.resourceId}. IP: ${req.ip}.`
+                );
+            }
            return next(
                createHttpError(HttpCode.UNAUTHORIZED, "Incorrect password")
            );
--- a/server/routers/resource/authWithPincode.ts
+++ b/server/routers/resource/authWithPincode.ts
@@ -1,10 +1,6 @@
 import { generateSessionToken } from "@server/auth/sessions/app";
 import db from "@server/db";
-import {
-    orgs,
-    resourcePincode,
-    resources,
-} from "@server/db/schema";
+import { orgs, resourcePincode, resources } from "@server/db/schema";
 import HttpCode from "@server/types/HttpCode";
 import response from "@server/lib/response";
 import { eq } from "drizzle-orm";
@@ -12,11 +8,10 @@ import { NextFunction, Request, Response } from "express";
 import createHttpError from "http-errors";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
-import {
-    createResourceSession,
-} from "@server/auth/sessions/resource";
+import { createResourceSession } from "@server/auth/sessions/resource";
 import logger from "@server/logger";
 import { verifyPassword } from "@server/auth/password";
+import config from "@server/lib/config";

 export const authWithPincodeBodySchema = z
    .object({
@@ -112,6 +107,11 @@ export async function authWithPincode(
            definedPincode.pincodeHash
        );
        if (!validPincode) {
+            if (config.getRawConfig().app.log_failed_attempts) {
+                logger.info(
+                    `Resource pin code incorrect. Resource ID: ${resource.resourceId}. IP: ${req.ip}.`
+                );
+            }
            return next(
                createHttpError(HttpCode.UNAUTHORIZED, "Incorrect PIN")
            );
--- a/server/routers/resource/authWithWhitelist.ts
+++ b/server/routers/resource/authWithWhitelist.ts
@@ -16,6 +16,7 @@ import { fromError } from "zod-validation-error";
 import { createResourceSession } from "@server/auth/sessions/resource";
 import { isValidOtp, sendResourceOtpEmail } from "@server/auth/resourceOtp";
 import logger from "@server/logger";
+import config from "@server/lib/config";

 const authWithWhitelistBodySchema = z
    .object({
@@ -96,7 +97,7 @@ export async function authWithWhitelist(
            // if email is not found, check for wildcard email
            const wildcard = "*@" + email.split("@")[1];

-            logger.debug("Checking for wildcard email: " + wildcard)
+            logger.debug("Checking for wildcard email: " + wildcard);

            const [result] = await db
                .select()
@@ -120,6 +121,11 @@ export async function authWithWhitelist(

            // if wildcard is still not found, return unauthorized
            if (!whitelistedEmail) {
+                if (config.getRawConfig().app.log_failed_attempts) {
+                    logger.info(
+                        `Email is not whitelisted. Resource ID: ${resource?.resourceId}. Email: ${email}. IP: ${req.ip}.`
+                    );
+                }
                return next(
                    createHttpError(
                        HttpCode.UNAUTHORIZED,
@@ -151,6 +157,11 @@ export async function authWithWhitelist(
                otp
            );
            if (!isValidCode) {
+                if (config.getRawConfig().app.log_failed_attempts) {
+                    logger.info(
+                        `Resource email otp incorrect. Resource ID: ${resource.resourceId}. Email: ${email}. IP: ${req.ip}.`
+                    );
+                }
                return next(
                    createHttpError(HttpCode.UNAUTHORIZED, "Incorrect OTP")
                );