Expand activity tracking and add PasswordResetAlert job

app/routing/middleware/api/Permission.middleware.js

@@ -2,7 +2,7 @@ const { Middleware } = require('libflitter')
 
 class PermissionMiddleware extends Middleware {
     static get services() {
-        return [...super.services, 'models']
+        return [...super.services, 'models', 'activity']
     }
 
     async test(req, res, next, { check }) {
@@ -11,20 +11,34 @@ class PermissionMiddleware extends Middleware {
         // If the request was authorized using an OAuth2 bearer token,
         // make sure the associated client has permission to access this endpoint.
         if ( req?.oauth?.client ) {
-            if ( !req.oauth.client.can(check) )
+            if ( !req.oauth.client.can(check) ) {
+                const reason = 'oauth-permission-fail'
+                await this.activity.api_access_denial({
+                    req,
+                    reason,
+                    check,
+                    oauth_client_id: req.oauth.client.id,
+                })
+
                 return res.status(401)
                     .message('Insufficient permissions (OAuth2 Client).')
                     .api()
+            }
         }
 
         const policy_denied = await Policy.check_user_denied(req.user, check)
         const policy_access = await Policy.check_user_access(req.user, check)
 
         // Make sure the user has permission
-        if ( policy_denied || (!req.user.can(check) && !policy_access) )
+        if ( policy_denied || (!req.user.can(check) && !policy_access) ) {
+            // Record the failed API access
+            const reason = policy_denied ? 'iam-denial' : (!req.user.can(check) ? 'user-permission-fail' : 'iam-not-granted')
+            await this.activity.api_access_denial({ req, reason, check })
+
             return res.status(401)
                 .message('Insufficient permissions.')
                 .api()
+        }
 
         return next()
     }