pangolin_mirror/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-02-26 06:46:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add logging for all auth

Browse Source
This commit is contained in:
Owen
2025-10-21 21:22:56 -07:00
parent 1142d6ac48
commit d392fb371e
4 changed files with 377 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

180
server/routers/badger/verifySession.ts
View File

@@ -37,6 +37,7 @@ import { getCountryCodeForIp } from "@server/lib/geoip";
import { getOrgTierData } from "#dynamic/lib/billing";
import { TierId } from "@server/lib/billing/tiers";
import { verifyPassword } from "@server/auth/password";
import { logRequestAudit } from "./logRequestAudit";
// We'll see if this speeds anything up
const cache = new NodeCache({
@@ -149,6 +150,15 @@ export async function verifyResourceSession(
if (!result) {
logger.debug(`Resource not found ${cleanHost}`);
logRequestAudit(
{
action: false,
reason: 201 //resource not found
},
parsedBody.data
);
return notAllowed(res);
}
@@ -160,6 +170,15 @@ export async function verifyResourceSession(
if (!resource) {
logger.debug(`Resource not found ${cleanHost}`);
logRequestAudit(
{
action: false,
reason: 201 //resource not found
},
parsedBody.data
);
return notAllowed(res);
}
@@ -167,6 +186,15 @@ export async function verifyResourceSession(
if (blockAccess) {
logger.debug("Resource blocked", host);
logRequestAudit(
{
action: false,
reason: 202 //resource blocked
},
parsedBody.data
);
return notAllowed(res);
}
@@ -180,9 +208,28 @@ export async function verifyResourceSession(
if (action == "ACCEPT") {
logger.debug("Resource allowed by rule");
logRequestAudit(
{
action: true,
reason: 100 // allowed by rule
},
parsedBody.data
);
return allowed(res);
} else if (action == "DROP") {
logger.debug("Resource denied by rule");
// TODO: add rules type
logRequestAudit(
{
action: false,
reason: 203 // dropped by rules
},
parsedBody.data
);
return notAllowed(res);
} else if (action == "PASS") {
logger.debug(
@@ -203,6 +250,15 @@ export async function verifyResourceSession(
!headerAuth
) {
logger.debug("Resource allowed because no auth");
logRequestAudit(
{
action: true,
reason: 101 // allowed no auth
},
parsedBody.data
);
return allowed(res);
}
@@ -254,6 +310,14 @@ export async function verifyResourceSession(
}
if (valid && tokenItem) {
logRequestAudit(
{
action: true,
reason: 102 // valid access token
},
parsedBody.data
);
return allowed(res);
}
}
@@ -290,6 +354,14 @@ export async function verifyResourceSession(
}
if (valid && tokenItem) {
logRequestAudit(
{
action: true,
reason: 102 // valid access token
},
parsedBody.data
);
return allowed(res);
}
}
@@ -301,6 +373,15 @@ export async function verifyResourceSession(
logger.debug(
"Resource allowed because header auth is valid (cached)"
);
logRequestAudit(
{
action: true,
reason: 103 // valid header auth
},
parsedBody.data
);
return allowed(res);
} else if (
await verifyPassword(
@@ -310,15 +391,33 @@ export async function verifyResourceSession(
) {
cache.set(clientHeaderAuthKey, clientHeaderAuth);
logger.debug("Resource allowed because header auth is valid");
logRequestAudit(
{
action: true,
reason: 103 // valid header auth
},
parsedBody.data
);
return allowed(res);
}
if ( // we dont want to redirect if this is the only auth method and we did not pass here
if (
// we dont want to redirect if this is the only auth method and we did not pass here
!sso &&
!pincode &&
!password &&
!resource.emailWhitelistEnabled
) {
logRequestAudit(
{
action: false,
reason: 299 // no more auth methods
},
parsedBody.data
);
return notAllowed(res);
}
} else if (headerAuth) {
@@ -329,6 +428,14 @@ export async function verifyResourceSession(
!password &&
!resource.emailWhitelistEnabled
) {
logRequestAudit(
{
action: false,
reason: 299 // no more auth methods
},
parsedBody.data
);
return notAllowed(res);
}
}
@@ -341,6 +448,15 @@ export async function verifyResourceSession(
}. IP: ${clientIp}.`
);
}
logRequestAudit(
{
action: false,
reason: 204 // no sessions
},
parsedBody.data
);
return notAllowed(res);
}
@@ -374,6 +490,15 @@ export async function verifyResourceSession(
}. IP: ${clientIp}.`
);
}
logRequestAudit(
{
action: false,
reason: 205 // temporary request token
},
parsedBody.data
);
return notAllowed(res);
}
@@ -382,6 +507,15 @@ export async function verifyResourceSession(
logger.debug(
"Resource allowed because pincode session is valid"
);
logRequestAudit(
{
action: true,
reason: 104 // valid pincode
},
parsedBody.data
);
return allowed(res);
}
@@ -389,6 +523,15 @@ export async function verifyResourceSession(
logger.debug(
"Resource allowed because password session is valid"
);
logRequestAudit(
{
action: true,
reason: 105 // valid password
},
parsedBody.data
);
return allowed(res);
}
@@ -399,6 +542,15 @@ export async function verifyResourceSession(
logger.debug(
"Resource allowed because whitelist session is valid"
);
logRequestAudit(
{
action: true,
reason: 106 // valid email
},
parsedBody.data
);
return allowed(res);
}
@@ -406,6 +558,15 @@ export async function verifyResourceSession(
logger.debug(
"Resource allowed because access token session is valid"
);
logRequestAudit(
{
action: true,
reason: 102 // valid access token
},
parsedBody.data
);
return allowed(res);
}
@@ -433,6 +594,15 @@ export async function verifyResourceSession(
logger.debug(
"Resource allowed because user session is valid"
);
logRequestAudit(
{
action: true,
reason: 107 // valid sso
},
parsedBody.data
);
return allowed(res, allowedUserData);
}
}
@@ -451,6 +621,14 @@ export async function verifyResourceSession(
logger.debug(`Redirecting to login at ${redirectPath}`);
logRequestAudit(
{
action: false,
reason: 299 // no more auth methods
},
parsedBody.data
);
return notAllowed(res, redirectPath, resource.orgId);
} catch (e) {
console.error(e);