From a7ed5d09f194e91813b7d65b2e563f7240979b28 Mon Sep 17 00:00:00 2001
From: garrettmills
Date: Tue, 16 Mar 2021 15:24:21 -0500
Subject: [PATCH] Better IAM denial logging
---
 app/controllers/auth/Oauth2.controller.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/controllers/auth/Oauth2.controller.js b/app/controllers/auth/Oauth2.controller.js
index 0790af6..71056f5 100644
--- a/app/controllers/auth/Oauth2.controller.js
+++ b/app/controllers/auth/Oauth2.controller.js
@@ -23,13 +23,13 @@ class Oauth2 extends Oauth2Controller {
 const Policy = this.models.get('iam:Policy')
 const application = await Application.findOne({ oauth_client_ids: starship_client.id })
 if ( !application ) {
- this.output.warn('IAM Denial!')
+ this.output.warn(`IAM Denial: OAuth client not associated with an application: ${starship_client.id}`)
 return this.Vue.auth_message(res, {
 message: req.T('saml.no_access').replace('APP_NAME', application.name),
 next_destination: '/dash',
 })
 } else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
- this.output.warn('IAM Denial!')
+ this.output.warn(`IAM Denial: User ${req.user.uid} not authorized to access application: ${application.id}`)
 return this.Vue.auth_message(res, {
 message: req.T('saml.no_access').replace('APP_NAME', application.name),
 next_destination: '/dash',
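Review bot: In the `!application` branch the returned message still reads `application.name`, so when no application matches the OAuth client the new warning is logged and the very next statement throws a TypeError instead of rendering the no-access message; the identical lines in the hunk at line 54 have the same problem. The lookup result is falsy in that branch by definition, so the message needs a value that does not depend on it, for example `message: req.T('saml.no_access').replace('APP_NAME', starship_client.id),`. The request presumably still fails closed through the framework's error handling, but that is not visible here, and the denial would surface as an unhandled error rather than the intended response. The enclosing method starts and ends outside the hunk.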
@@ -54,13 +54,13 @@ class Oauth2 extends Oauth2Controller {
 const Policy = this.models.get('iam:Policy')
 const application = await Application.findOne({ oauth_client_ids: starship_client.id })
 if ( !application ) {
- this.output.warn('IAM Denial!')
+ this.output.warn(`IAM Denial: OAuth client not associated with an application: ${starship_client.id}`)
 return this.Vue.auth_message(res, {
 message: req.T('saml.no_access').replace('APP_NAME', application.name),
 next_destination: '/dash',
 })
 } else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
- this.output.warn('IAM Denial!')
+ this.output.warn(`IAM Denial: User ${req.user.uid} not authorized to access application: ${application.id}`)
 return this.Vue.auth_message(res, {
 message: req.T('saml.no_access').replace('APP_NAME', application.name),
 next_destination: '/dash',