refactor: consolidate login audit logging and add superadmin user audit endpoints

2026-05-08 06:26:32 +00:00
parent 6d794106be
commit 81a221bd2b
6 changed files with 303 additions and 12 deletions
@@ -1,4 +1,5 @@
 """TOTP authentication endpoints."""
+import logging
 from flask import request, session, g, current_app
 from marshmallow import ValidationError
 from gatehouse_app.api.v1 import api_v1_bp
@@ -12,6 +13,7 @@ from gatehouse_app.schemas.auth_schema import (
 )
 from gatehouse_app.services.auth_service import AuthService
 from gatehouse_app.services.mfa_policy_service import MfaPolicyService
+from gatehouse_app.utils.constants import AuditAction
 from gatehouse_app.utils.decorators import login_required
 from gatehouse_app.exceptions.auth_exceptions import InvalidCredentialsError
 from gatehouse_app.exceptions.validation_exceptions import ConflictError
@@ -78,6 +80,21 @@ def verify_totp():
        is_compliance_only = policy_result.create_compliance_only_session
        user_session = AuthService.create_session(user, is_compliance_only=is_compliance_only)

+        # Log successful login (after MFA complete)
+        login_org_id = None
+        if policy_result.compliance_summary and policy_result.compliance_summary.orgs:
+            login_org_id = policy_result.compliance_summary.orgs[0].organization_id
+
+        AuditService.log_action(
+            action=AuditAction.USER_LOGIN,
+            user_id=user.id,
+            organization_id=login_org_id,
+            ip_address=request.remote_addr,
+            user_agent=request.headers.get("User-Agent"),
+            description="User logged in (TOTP)",
+            success=True,
+        )
+
        session.pop("totp_pending_user_id", None)
        session.pop("webauthn_pending_user_id", None)

@@ -112,6 +129,16 @@ def verify_totp():
    except ValidationError as e:
        return api_response(success=False, message="Validation failed", status=400, error_type="VALIDATION_ERROR", error_details=e.messages)
    except InvalidCredentialsError as e:
+        # Log failed TOTP verification
+        AuditService.log_action(
+            action=AuditAction.TOTP_VERIFY_FAILED,
+            user_id=user.id,
+            ip_address=request.remote_addr,
+            user_agent=request.headers.get("User-Agent"),
+            description="TOTP verification failed",
+            success=False,
+            error_message=e.message,
+        )
        return api_response(success=False, message=e.message, status=e.status_code, error_type=e.error_type)