pangolin_mirror/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-02-18 10:56:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add logging for all auth

Browse Source
This commit is contained in:
Owen
2025-10-21 21:22:56 -07:00
parent 1142d6ac48
commit d392fb371e
4 changed files with 377 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
server/routers/badger/logRequestAudit.ts Normal file
View File

@@ -0,0 +1,114 @@
import { db, requestAuditLog } from "@server/db";
import logger from "@server/logger";
/**
Reasons:
100 - Allowed by Rule
101 - Allowed No Auth
102 - Valid Access Token
103 - Valid header auth
104 - Valid Pincode
105 - Valid Password
106 - Valid email
107 - Valid SSO
201 - Resource Not Found
202 - Resource Blocked
203 - Dropped by Rule
204 - No Sessions
205 - Temporary Request Token
299 - No More Auth Methods
*/
export async function logRequestAudit(
data: {
action: boolean;
reason: number;
user?: { username: string; userId: string; orgId: string };
apiKey?: { name: string; apiKeyId: string; orgId: string };
metadata?: any;
resouceId?: number;
type?: string;
location?: string;
// userAgent?: string;
},
body: {
path: string;
originalRequestURL: string;
scheme: string;
host: string;
method: string;
tls: boolean;
sessions?: Record<string, string> | undefined;
headers?: Record<string, string> | undefined;
query?: Record<string, string> | undefined;
requestIp?: string | undefined;
}
) {
try {
let orgId: string | undefined;
let actorType: string | undefined;
let actor: string | undefined;
let actorId: string | undefined;
const user = data.user;
if (user) {
orgId = user.orgId;
actorType = "user";
actor = user.username;
actorId = user.userId;
}
const apiKey = data.apiKey;
if (apiKey) {
orgId = apiKey.orgId;
actorType = "apiKey";
actor = apiKey.name;
actorId = apiKey.apiKeyId;
}
if (!orgId) {
logger.warn("logRequestAudit: No organization context found");
return;
}
// if (!actorType || !actor || !actorId) {
// logger.warn("logRequestAudit: Incomplete actor information");
// return;
// }
const timestamp = Math.floor(Date.now() / 1000);
let metadata = null;
if (metadata) {
metadata = JSON.stringify(metadata);
}
await db.insert(requestAuditLog).values({
timestamp,
orgId,
actorType,
actor,
actorId,
metadata,
action: data.action,
resourceId: data.resouceId,
type: data.type,
reason: data.reason,
location: data.location,
// userAgent: data.userAgent, // TODO: add this
// headers: data.body.headers,
// query: data.body.query,
originalRequestURL: body.originalRequestURL,
scheme: body.scheme,
host: body.host,
path: body.path,
method: body.method,
ip: body.requestIp,
tls: body.tls
});
} catch (error) {
logger.error(error);
}
}

180
server/routers/badger/verifySession.ts
View File

@@ -37,6 +37,7 @@ import { getCountryCodeForIp } from "@server/lib/geoip";
import { getOrgTierData } from "#dynamic/lib/billing";
import { TierId } from "@server/lib/billing/tiers";
import { verifyPassword } from "@server/auth/password";
import { logRequestAudit } from "./logRequestAudit";
// We'll see if this speeds anything up
const cache = new NodeCache({
@@ -149,6 +150,15 @@ export async function verifyResourceSession(
if (!result) {
logger.debug(`Resource not found ${cleanHost}`);
logRequestAudit(
{
action: false,
reason: 201 //resource not found
},
parsedBody.data
);
return notAllowed(res);
}
@@ -160,6 +170,15 @@ export async function verifyResourceSession(
if (!resource) {
logger.debug(`Resource not found ${cleanHost}`);
logRequestAudit(
{
action: false,
reason: 201 //resource not found
},
parsedBody.data
);
return notAllowed(res);
}
@@ -167,6 +186,15 @@ export async function verifyResourceSession(
if (blockAccess) {
logger.debug("Resource blocked", host);
logRequestAudit(
{
action: false,
reason: 202 //resource blocked
},
parsedBody.data
);
return notAllowed(res);
}
@@ -180,9 +208,28 @@ export async function verifyResourceSession(
if (action == "ACCEPT") {
logger.debug("Resource allowed by rule");
logRequestAudit(
{
action: true,
reason: 100 // allowed by rule
},
parsedBody.data
);
return allowed(res);
} else if (action == "DROP") {
logger.debug("Resource denied by rule");
// TODO: add rules type
logRequestAudit(
{
action: false,
reason: 203 // dropped by rules
},
parsedBody.data
);
return notAllowed(res);
} else if (action == "PASS") {
logger.debug(
@@ -203,6 +250,15 @@ export async function verifyResourceSession(
!headerAuth
) {
logger.debug("Resource allowed because no auth");
logRequestAudit(
{
action: true,
reason: 101 // allowed no auth
},
parsedBody.data
);
return allowed(res);
}
@@ -254,6 +310,14 @@ export async function verifyResourceSession(
}
if (valid && tokenItem) {
logRequestAudit(
{
action: true,
reason: 102 // valid access token
},
parsedBody.data
);
return allowed(res);
}
}
@@ -290,6 +354,14 @@ export async function verifyResourceSession(
}
if (valid && tokenItem) {
logRequestAudit(
{
action: true,
reason: 102 // valid access token
},
parsedBody.data
);
return allowed(res);
}
}
@@ -301,6 +373,15 @@ export async function verifyResourceSession(
logger.debug(
"Resource allowed because header auth is valid (cached)"
);
logRequestAudit(
{
action: true,
reason: 103 // valid header auth
},
parsedBody.data
);
return allowed(res);
} else if (
await verifyPassword(
@@ -310,15 +391,33 @@ export async function verifyResourceSession(
) {
cache.set(clientHeaderAuthKey, clientHeaderAuth);
logger.debug("Resource allowed because header auth is valid");
logRequestAudit(
{
action: true,
reason: 103 // valid header auth
},
parsedBody.data
);
return allowed(res);
}
if ( // we dont want to redirect if this is the only auth method and we did not pass here
if (
// we dont want to redirect if this is the only auth method and we did not pass here
!sso &&
!pincode &&
!password &&
!resource.emailWhitelistEnabled
) {
logRequestAudit(
{
action: false,
reason: 299 // no more auth methods
},
parsedBody.data
);
return notAllowed(res);
}
} else if (headerAuth) {
@@ -329,6 +428,14 @@ export async function verifyResourceSession(
!password &&
!resource.emailWhitelistEnabled
) {
logRequestAudit(
{
action: false,
reason: 299 // no more auth methods
},
parsedBody.data
);
return notAllowed(res);
}
}
@@ -341,6 +448,15 @@ export async function verifyResourceSession(
}. IP: ${clientIp}.`
);
}
logRequestAudit(
{
action: false,
reason: 204 // no sessions
},
parsedBody.data
);
return notAllowed(res);
}
@@ -374,6 +490,15 @@ export async function verifyResourceSession(
}. IP: ${clientIp}.`
);
}
logRequestAudit(
{
action: false,
reason: 205 // temporary request token
},
parsedBody.data
);
return notAllowed(res);
}
@@ -382,6 +507,15 @@ export async function verifyResourceSession(
logger.debug(
"Resource allowed because pincode session is valid"
);
logRequestAudit(
{
action: true,
reason: 104 // valid pincode
},
parsedBody.data
);
return allowed(res);
}
@@ -389,6 +523,15 @@ export async function verifyResourceSession(
logger.debug(
"Resource allowed because password session is valid"
);
logRequestAudit(
{
action: true,
reason: 105 // valid password
},
parsedBody.data
);
return allowed(res);
}
@@ -399,6 +542,15 @@ export async function verifyResourceSession(
logger.debug(
"Resource allowed because whitelist session is valid"
);
logRequestAudit(
{
action: true,
reason: 106 // valid email
},
parsedBody.data
);
return allowed(res);
}
@@ -406,6 +558,15 @@ export async function verifyResourceSession(
logger.debug(
"Resource allowed because access token session is valid"
);
logRequestAudit(
{
action: true,
reason: 102 // valid access token
},
parsedBody.data
);
return allowed(res);
}
@@ -433,6 +594,15 @@ export async function verifyResourceSession(
logger.debug(
"Resource allowed because user session is valid"
);
logRequestAudit(
{
action: true,
reason: 107 // valid sso
},
parsedBody.data
);
return allowed(res, allowedUserData);
}
}
@@ -451,6 +621,14 @@ export async function verifyResourceSession(
logger.debug(`Redirecting to login at ${redirectPath}`);
logRequestAudit(
{
action: false,
reason: 299 // no more auth methods
},
parsedBody.data
);
return notAllowed(res, redirectPath, resource.orgId);
} catch (e) {
console.error(e);