refactor: consolidate login audit logging and add superadmin user audit endpoints
@@ -121,6 +121,21 @@ def login():
|
||||
|
||||
user_session = AuthService.create_session(user, duration_seconds=duration, is_compliance_only=is_compliance_only)
|
||||
|
||||
# Log successful login (after MFA complete, if applicable)
|
||||
login_org_id = None
|
||||
if policy_result.compliance_summary and policy_result.compliance_summary.orgs:
|
||||
login_org_id = policy_result.compliance_summary.orgs[0].organization_id
|
||||
|
||||
AuditService.log_action(
|
||||
action=AuditAction.USER_LOGIN,
|
||||
user_id=user.id,
|
||||
organization_id=login_org_id,
|
||||
ip_address=request.remote_addr,
|
||||
user_agent=request.headers.get("User-Agent"),
|
||||
description="User logged in (password)",
|
||||
success=True,
|
||||
)
|
||||
|
||||
response_data = {
|
||||
"user": user.to_dict(),
|
||||
"token": user_session.token,
|
||||
|
||||
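Review bot: The fifteen-line USER_LOGIN audit block is pasted verbatim into login() here, into verify_totp() (first verify_totp hunk) and into complete_webauthn_login(), differing only in the description suffix, even though the commit title says it consolidates login audit logging; one shared helper taking the method name would keep the three records in lockstep. Inside that block `organization_id` is taken from `compliance_summary.orgs[0]`, so a user who belongs to several organizations is only ever attributed to the first one and the audit trail cannot be filtered by the others — worth at least a comment such as `# NOTE: only the first org of a multi-org user is recorded on the login event`. `is_compliance_only`, bound on the `create_session` line just above, is not reflected in the record, so a compliance-only session and a full session produce identical audit rows; folding it into `description` is the cheapest way to tell them apart. `request.remote_addr` is the immediate peer's address, so behind a reverse proxy this records the proxy unless ProxyFix or an equivalent is configured — confirm against the deployment. login()'s body continues on both sides of the hunk.

```python
def _log_successful_login(user, policy_result, method, *, is_compliance_only=False):
    """Write the USER_LOGIN audit record shared by the password, TOTP and WebAuthn flows.

    `method` is the human-readable factor name that ends up in the description,
    e.g. "password", "TOTP" or "WebAuthn".
    """
    login_org_id = None
    summary = policy_result.compliance_summary
    if summary and summary.orgs:
        # NOTE: only the first org of a multi-org user is recorded on the login event.
        login_org_id = summary.orgs[0].organization_id
    suffix = " [compliance-only session]" if is_compliance_only else ""
    AuditService.log_action(
        action=AuditAction.USER_LOGIN,
        user_id=user.id,
        organization_id=login_org_id,
        ip_address=request.remote_addr,
        user_agent=request.headers.get("User-Agent"),
        description=f"User logged in ({method}){suffix}",
        success=True,
    )

# … unchanged: session creation in login() …
_log_successful_login(user, policy_result, "password", is_compliance_only=is_compliance_only)
```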
@@ -1,4 +1,5 @@
|
||||
"""TOTP authentication endpoints."""
|
||||
import logging
|
||||
from flask import request, session, g, current_app
|
||||
from marshmallow import ValidationError
|
||||
from gatehouse_app.api.v1 import api_v1_bp
|
||||
@@ -12,6 +13,7 @@ from gatehouse_app.schemas.auth_schema import (
|
||||
)
|
||||
from gatehouse_app.services.auth_service import AuthService
|
||||
from gatehouse_app.services.mfa_policy_service import MfaPolicyService
|
||||
from gatehouse_app.utils.constants import AuditAction
|
||||
from gatehouse_app.utils.decorators import login_required
|
||||
from gatehouse_app.exceptions.auth_exceptions import InvalidCredentialsError
|
||||
from gatehouse_app.exceptions.validation_exceptions import ConflictError
|
||||
@@ -78,6 +80,21 @@ def verify_totp():
|
||||
is_compliance_only = policy_result.create_compliance_only_session
|
||||
user_session = AuthService.create_session(user, is_compliance_only=is_compliance_only)
|
||||
|
||||
# Log successful login (after MFA complete)
|
||||
login_org_id = None
|
||||
if policy_result.compliance_summary and policy_result.compliance_summary.orgs:
|
||||
login_org_id = policy_result.compliance_summary.orgs[0].organization_id
|
||||
|
||||
AuditService.log_action(
|
||||
action=AuditAction.USER_LOGIN,
|
||||
user_id=user.id,
|
||||
organization_id=login_org_id,
|
||||
ip_address=request.remote_addr,
|
||||
user_agent=request.headers.get("User-Agent"),
|
||||
description="User logged in (TOTP)",
|
||||
success=True,
|
||||
)
|
||||
|
||||
session.pop("totp_pending_user_id", None)
|
||||
session.pop("webauthn_pending_user_id", None)
|
||||
|
||||
@@ -112,6 +129,16 @@ def verify_totp():
|
||||
except ValidationError as e:
|
||||
return api_response(success=False, message="Validation failed", status=400, error_type="VALIDATION_ERROR", error_details=e.messages)
|
||||
except InvalidCredentialsError as e:
|
||||
# Log failed TOTP verification
|
||||
AuditService.log_action(
|
||||
action=AuditAction.TOTP_VERIFY_FAILED,
|
||||
user_id=user.id,
|
||||
ip_address=request.remote_addr,
|
||||
user_agent=request.headers.get("User-Agent"),
|
||||
description="TOTP verification failed",
|
||||
success=False,
|
||||
error_message=e.message,
|
||||
)
|
||||
return api_response(success=False, message=e.message, status=e.status_code, error_type=e.error_type)
|
||||
|
||||
|
||||
|
||||
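Review bot: The failure branch at `except InvalidCredentialsError as e:` reads `user.id`, but whether `user` is already bound at every point that can raise InvalidCredentialsError is not visible — verify_totp() starts outside the hunk — and if the pending-user lookup itself raises, the audit call fails with UnboundLocalError, the request ends in a 500 instead of the intended error response, and the failed attempt is never audited. Initialising `user = None` before the `try` and passing `user_id=user.id if user is not None else None` keeps the failure record even when no user was resolved. The same pattern appears in the complete_webauthn_login() failure hunk that logs WEBAUTHN_LOGIN_FAILED. Passing `e.message` straight through as `error_message` is fine only while those messages stay as generic as the one already returned to the client; an audit row should not carry more detail about which factor failed than the API response does.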
@@ -16,6 +16,7 @@ from gatehouse_app.schemas.webauthn_schema import (
|
||||
from gatehouse_app.services.auth_service import AuthService
|
||||
from gatehouse_app.services.webauthn_service import WebAuthnService
|
||||
from gatehouse_app.services.mfa_policy_service import MfaPolicyService
|
||||
from gatehouse_app.utils.constants import AuditAction
|
||||
from gatehouse_app.utils.decorators import login_required
|
||||
from gatehouse_app.exceptions.auth_exceptions import InvalidCredentialsError
|
||||
|
||||
@@ -128,6 +129,21 @@ def complete_webauthn_login():
|
||||
user_session = AuthService.create_session(user, is_compliance_only=is_compliance_only)
|
||||
session.pop("webauthn_pending_user_id", None)
|
||||
|
||||
# Log successful login (after MFA complete)
|
||||
login_org_id = None
|
||||
if policy_result.compliance_summary and policy_result.compliance_summary.orgs:
|
||||
login_org_id = policy_result.compliance_summary.orgs[0].organization_id
|
||||
|
||||
AuditService.log_action(
|
||||
action=AuditAction.USER_LOGIN,
|
||||
user_id=user.id,
|
||||
organization_id=login_org_id,
|
||||
ip_address=request.remote_addr,
|
||||
user_agent=request.headers.get("User-Agent"),
|
||||
description="User logged in (WebAuthn)",
|
||||
success=True,
|
||||
)
|
||||
|
||||
logger.info(f"WebAuthn login completed successfully for user: {user.email}")
|
||||
|
||||
response_data = {
|
||||
@@ -161,6 +177,16 @@ def complete_webauthn_login():
|
||||
except ValidationError as e:
|
||||
return api_response(success=False, message="Validation failed", status=400, error_type="VALIDATION_ERROR", error_details=e.messages)
|
||||
except InvalidCredentialsError as e:
|
||||
# Log failed WebAuthn verification
|
||||
AuditService.log_action(
|
||||
action=AuditAction.WEBAUTHN_LOGIN_FAILED,
|
||||
user_id=user.id,
|
||||
ip_address=request.remote_addr,
|
||||
user_agent=request.headers.get("User-Agent"),
|
||||
description="WebAuthn login failed",
|
||||
success=False,
|
||||
error_message=e.message,
|
||||
)
|
||||
return api_response(success=False, message=e.message, status=e.status_code, error_type=e.error_type)
|
||||
except Exception as e:
|
||||
logger.exception(f"WebAuthn login complete unexpected error: {e}")
|
||||
|
||||