Add api authorization logging
This commit is contained in:
parent
7c8a05aa4f
commit
fac3431375
@ -8,23 +8,30 @@ class PermissionMiddleware extends Middleware {
|
|||||||
async test(req, res, next, { check }) {
|
async test(req, res, next, { check }) {
|
||||||
const Policy = this.models.get('iam:Policy')
|
const Policy = this.models.get('iam:Policy')
|
||||||
|
|
||||||
|
req.additional_api_log_data.permission_check = check
|
||||||
|
|
||||||
// If the request was authorized using an OAuth2 bearer token,
|
// If the request was authorized using an OAuth2 bearer token,
|
||||||
// make sure the associated client has permission to access this endpoint.
|
// make sure the associated client has permission to access this endpoint.
|
||||||
if ( req?.oauth?.client ) {
|
if ( req?.oauth?.client ) {
|
||||||
if ( !req.oauth.client.can(check) ) {
|
if ( !req.oauth.client.can(check) ) {
|
||||||
const reason = 'oauth-permission-fail'
|
const reason = 'oauth-permission-fail'
|
||||||
await this.activity.api_access_denial({
|
const fail_activity = await this.activity.api_access_denial({
|
||||||
req,
|
req,
|
||||||
reason,
|
reason,
|
||||||
check,
|
check,
|
||||||
oauth_client_id: req.oauth.client.uuid,
|
oauth_client_id: req.oauth.client.uuid,
|
||||||
})
|
})
|
||||||
|
|
||||||
|
req.additional_api_log_data.permission_check_succeeded = false
|
||||||
|
req.additional_api_log_data.permission_check_activity_id = fail_activity.id
|
||||||
|
|
||||||
return res.status(401)
|
return res.status(401)
|
||||||
.message('Insufficient permissions (OAuth2 Client).')
|
.message('Insufficient permissions (OAuth2 Client).')
|
||||||
.api()
|
.api()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
req.additional_api_log_data.permission_check_succeeded = true
|
||||||
|
|
||||||
// If the oauth2 client has this permission, then allow the request to continue,
|
// If the oauth2 client has this permission, then allow the request to continue,
|
||||||
// even if the user does not.
|
// even if the user does not.
|
||||||
// OAuth2Clients need to be able to query users via the API.
|
// OAuth2Clients need to be able to query users via the API.
|
||||||
@ -38,13 +45,18 @@ class PermissionMiddleware extends Middleware {
|
|||||||
if ( policy_denied || (!req.user.can(check) && !policy_access) ) {
|
if ( policy_denied || (!req.user.can(check) && !policy_access) ) {
|
||||||
// Record the failed API access
|
// Record the failed API access
|
||||||
const reason = policy_denied ? 'iam-denial' : (!req.user.can(check) ? 'user-permission-fail' : 'iam-not-granted')
|
const reason = policy_denied ? 'iam-denial' : (!req.user.can(check) ? 'user-permission-fail' : 'iam-not-granted')
|
||||||
await this.activity.api_access_denial({ req, reason, check })
|
const fail_activity = await this.activity.api_access_denial({ req, reason, check })
|
||||||
|
|
||||||
|
req.additional_api_log_data.permission_check_succeeded = false
|
||||||
|
req.additional_api_log_data.permission_check_reason = reason
|
||||||
|
req.additional_api_log_data.permission_check_activity_id = fail_activity.id
|
||||||
|
|
||||||
return res.status(401)
|
return res.status(401)
|
||||||
.message('Insufficient permissions.')
|
.message('Insufficient permissions.')
|
||||||
.api()
|
.api()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
req.additional_api_log_data.permission_check_succeeded = true
|
||||||
return next()
|
return next()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -6,14 +6,21 @@ class APIRouteMiddleware extends Middleware {
|
|||||||
}
|
}
|
||||||
|
|
||||||
async test(req, res, next, { allow_token = true, allow_user = true }) {
|
async test(req, res, next, { allow_token = true, allow_user = true }) {
|
||||||
|
if ( !req.additional_api_log_data ) req.additional_api_log_data = {}
|
||||||
|
|
||||||
// First, check if there is a user in the session.
|
// First, check if there is a user in the session.
|
||||||
if ( allow_user && req.user ) {
|
if ( allow_user && req.user ) {
|
||||||
|
req.additional_api_log_data.authorized_by = 'user'
|
||||||
return next()
|
return next()
|
||||||
} else if ( allow_token ) {
|
} else if ( allow_token ) {
|
||||||
if ( !req.oauth ) req.oauth = {}
|
if ( !req.oauth ) req.oauth = {}
|
||||||
|
req.additional_api_log_data.attempted_token_auth = true
|
||||||
|
|
||||||
return req.app.oauth2.authorise()(req, res, async e => {
|
return req.app.oauth2.authorise()(req, res, async e => {
|
||||||
if ( e ) return next(e)
|
if ( e ) return next(e)
|
||||||
|
|
||||||
|
req.additional_api_log_data.authorized_by = 'token'
|
||||||
|
|
||||||
// Look up the OAuth2 client an inject it into the route
|
// Look up the OAuth2 client an inject it into the route
|
||||||
if ( req.user && req.user.id ) {
|
if ( req.user && req.user.id ) {
|
||||||
const User = this.models.get('auth:User')
|
const User = this.models.get('auth:User')
|
||||||
@ -44,6 +51,9 @@ class APIRouteMiddleware extends Middleware {
|
|||||||
.message('This OAuth2 client is no longer authorized.')
|
.message('This OAuth2 client is no longer authorized.')
|
||||||
.api()
|
.api()
|
||||||
|
|
||||||
|
req.additional_api_log_data.token_client_id = client.uuid
|
||||||
|
req.additional_api_log_data.token = bearer
|
||||||
|
|
||||||
req.oauth.token = token
|
req.oauth.token = token
|
||||||
req.oauth.client = client
|
req.oauth.client = client
|
||||||
} else
|
} else
|
||||||
|
@ -36,6 +36,7 @@ class ActivityService extends Service {
|
|||||||
}
|
}
|
||||||
|
|
||||||
await activity.save()
|
await activity.save()
|
||||||
|
return activity
|
||||||
}
|
}
|
||||||
|
|
||||||
async mfa_enable({ req }) {
|
async mfa_enable({ req }) {
|
||||||
|
Loading…
Reference in New Issue
Block a user