From cfeb15fe2ab38bcd188873568b18b7bfdc5264f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Papp?=
Date: Tue, 19 May 2026 14:55:22 +0200
Subject: [PATCH] add UserExtendedPeerSession activity event

ExtendAuthSession previously reused UserLoggedInPeer for its audit record, which conflated two distinct user actions: a full interactive SSO login (tunnel re-established, network map resync) versus an in-place deadline refresh (tunnel untouched). Auditors reading the log couldn't tell which one happened, and downstream dashboards/alerts on "login" volume were polluted by routine extends.

Adds a dedicated UserExtendedPeerSession Activity (code 125, "user.peer.session.extend") and switches ExtendPeerSession over to it. The peer-extend audit trail is now distinguishable from interactive logins.
---
 management/server/activity/codes.go | 6 ++++++
 management/server/peer.go | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/management/server/activity/codes.go b/management/server/activity/codes.go
index 6c781a952..852193a3b 100644
--- a/management/server/activity/codes.go
+++ b/management/server/activity/codes.go
@@ -240,6 +240,10 @@ const (
 AccountLocalMfaEnabled Activity = 123
 // AccountLocalMfaDisabled indicates that a user disabled TOTP MFA for local users
 AccountLocalMfaDisabled Activity = 124
+ // UserExtendedPeerSession indicates that a user refreshed their peer's
+ // SSO session deadline via ExtendAuthSession without re-establishing the
+ // tunnel. Distinct from UserLoggedInPeer (full interactive login).
+ UserExtendedPeerSession Activity = 125
 AccountDeleted Activity = 99999
 )
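Review bot: The doc comment on the new constant (the first three added lines of the codes.go hunk) says the refresh happens "via ExtendAuthSession", but the only emitter this patch shows is `DefaultAccountManager.ExtendPeerSession` in peer.go, so a reader grepping for the name in the comment will not land on the StoreEvent call. If ExtendAuthSession is the API entry point that delegates to ExtendPeerSession, name both; otherwise point at ExtendPeerSession. Assuming that delegation, suggested text: `// UserExtendedPeerSession indicates that a user refreshed their peer's SSO session deadline in place (DefaultAccountManager.ExtendPeerSession, reached through the ExtendAuthSession API) without re-establishing the tunnel. Distinct from UserLoggedInPeer, which records a full interactive login.`. Because activity codes are persisted with stored events, a short line stating that 125 is now allocated and must not be renumbered or reused would also protect the audit trail; the `const` block starts before this hunk.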
@@ -394,6 +398,8 @@ var activityMap = map[Activity]Code{
 AccountLocalMfaEnabled: {"Account local MFA enabled", "account.setting.local.mfa.enable"},
 AccountLocalMfaDisabled: {"Account local MFA disabled", "account.setting.local.mfa.disable"},
+ UserExtendedPeerSession: {"User extended peer session", "user.peer.session.extend"},
+
 DomainAdded: {"Domain added", "domain.add"},
 DomainDeleted: {"Domain deleted", "domain.delete"},
 DomainValidated: {"Domain validated", "domain.validate"},
diff --git a/management/server/peer.go b/management/server/peer.go
index 86e731b20..4160972a2 100644
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -1183,7 +1183,7 @@ func (am *DefaultAccountManager) ExtendPeerSession(ctx context.Context, peerPubK
 log.WithContext(ctx).Debugf("failed to update user last login during session extend: %v", err)
 }
- am.StoreEvent(ctx, userID, peer.ID, accountID, activity.UserLoggedInPeer, peer.EventMeta(am.networkMapController.GetDNSDomain(settings)))
+ am.StoreEvent(ctx, userID, peer.ID, accountID, activity.UserExtendedPeerSession, peer.EventMeta(am.networkMapController.GetDNSDomain(settings)))
 refreshed = peer
 return nil
 })
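Review bot: The new `activityMap` entry is placed between the account-setting entries and the domain entries rather than beside the other `user.peer.*` codes, so a reader scanning the map by event family will not find it where they expect; grouping it with UserLoggedInPeer (or wherever the other peer-login entries live, which is outside this hunk) would keep the map scannable. The map literal starts before this hunk and continues after it.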
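Review bot: Swapping the activity code at the StoreEvent call changes what downstream consumers see, and nothing in the patch updates them: any detection rule, integration or dashboard that keyed on UserLoggedInPeer to track peer session activity will now silently stop seeing extends, which for an audit-motivated change is the opposite of the goal. Worth checking the event-streaming/integration code for switches on UserLoggedInPeer and listing the new code in the activity documentation so operators can update rules in the same release. Separately, the context line above the change still logs `failed to update user last login during session extend`, which suggests the extend path keeps stamping the user's last-login timestamp; if so, the login/extend conflation this commit removes from the audit log persists in anything built on LastLogin and deserves at least a comment such as `// NOTE: an extend also refreshes the user's last login; the audit distinction lives in UserExtendedPeerSession` or a follow-up. If ExtendPeerSession has the new session deadline in hand, adding it to the event meta (the call appears to reuse the same `peer.EventMeta(...)` as the login event) would make the record say what was extended and until when. ExtendPeerSession begins before this hunk and the trailing `})` presumably closes a callback rather than the function.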