Update libflitte

app/ldap/controllers/Users.controller.js

@@ -299,6 +299,7 @@ class UsersController extends LDAPController {
 
                 // Make sure the user is of appropriate scope
                 if ( req.dn.equals(user.dn) || req.dn.parentOf(user.dn) ) {
+                    this.output.debug(await user.to_ldap())
                     this.output.debug(`Matches sub scope. Matches filter? ${req.filter.matches(await user.to_ldap(iam_targets))}`)
 
                     // Check if filter matches

app/routing/middleware/api/Permission.middleware.js

@@ -8,23 +8,30 @@ class PermissionMiddleware extends Middleware {
     async test(req, res, next, { check }) {
         const Policy = this.models.get('iam:Policy')
 
+        req.additional_api_log_data.permission_check = check
+
         // If the request was authorized using an OAuth2 bearer token,
         // make sure the associated client has permission to access this endpoint.
         if ( req?.oauth?.client ) {
             if ( !req.oauth.client.can(check) ) {
                 const reason = 'oauth-permission-fail'
-                await this.activity.api_access_denial({
+                const fail_activity = await this.activity.api_access_denial({
                     req,
                     reason,
                     check,
                     oauth_client_id: req.oauth.client.uuid,
                 })
 
+                req.additional_api_log_data.permission_check_succeeded = false
+                req.additional_api_log_data.permission_check_activity_id = fail_activity.id
+
                 return res.status(401)
                     .message('Insufficient permissions (OAuth2 Client).')
                     .api()
             }
 
+            req.additional_api_log_data.permission_check_succeeded = true
+
             // If the oauth2 client has this permission, then allow the request to continue,
             // even if the user does not.
             // OAuth2Clients need to be able to query users via the API.
@@ -38,13 +45,18 @@ class PermissionMiddleware extends Middleware {
         if ( policy_denied || (!req.user.can(check) && !policy_access) ) {
             // Record the failed API access
             const reason = policy_denied ? 'iam-denial' : (!req.user.can(check) ? 'user-permission-fail' : 'iam-not-granted')
-            await this.activity.api_access_denial({ req, reason, check })
+            const fail_activity = await this.activity.api_access_denial({ req, reason, check })
+
+            req.additional_api_log_data.permission_check_succeeded = false
+            req.additional_api_log_data.permission_check_reason = reason
+            req.additional_api_log_data.permission_check_activity_id = fail_activity.id
 
             return res.status(401)
                 .message('Insufficient permissions.')
                 .api()
         }
 
+        req.additional_api_log_data.permission_check_succeeded = true
         return next()
     }
 }

app/routing/middleware/auth/APIRoute.middleware.js

@@ -6,14 +6,21 @@ class APIRouteMiddleware extends Middleware {
     }
 
     async test(req, res, next, { allow_token = true, allow_user = true }) {
+        if ( !req.additional_api_log_data ) req.additional_api_log_data = {}
+
         // First, check if there is a user in the session.
         if ( allow_user && req.user ) {
+            req.additional_api_log_data.authorized_by = 'user'
             return next()
         } else if ( allow_token ) {
             if ( !req.oauth ) req.oauth = {}
+            req.additional_api_log_data.attempted_token_auth = true
 
             return req.app.oauth2.authorise()(req, res, async e => {
                 if ( e ) return next(e)
+
+                req.additional_api_log_data.authorized_by = 'token'
+
                 // Look up the OAuth2 client an inject it into the route
                 if ( req.user && req.user.id ) {
                     const User = this.models.get('auth:User')
@@ -44,6 +51,9 @@ class APIRouteMiddleware extends Middleware {
                             .message('This OAuth2 client is no longer authorized.')
                             .api()
 
+                    req.additional_api_log_data.token_client_id = client.uuid
+                    req.additional_api_log_data.token = bearer
+
                     req.oauth.token = token
                     req.oauth.client = client
                 } else

app/services/activity.service.js

@@ -36,6 +36,7 @@ class ActivityService extends Service {
         }
 
         await activity.save()
+        return activity
     }
 
     async mfa_enable({ req }) {

app/unit/SettingsUnit.js

@@ -10,6 +10,7 @@ class SettingsUnit extends Unit {
     }
 
     async go(app) {
+        Error.stackTraceLimit = 50
         app.express.set('trust proxy', true)
 
         const Setting = this.models.get('Setting')

config/server.config.js

@@ -25,6 +25,8 @@ const server_config = {
         include_timestamp: env("LOGGING_TIMESTAMP", false),
 
         api_logging: env('LOG_API_RESPONSES', false),
+
+        error_logging: env('LOG_REQUEST_ERRORS', true),
     },
 
     session: {

package.json

@@ -33,7 +33,7 @@
     "ioredis": "^4.17.1",
     "is-absolute-url": "^3.0.3",
     "ldapjs": "^1.0.2",
-    "libflitter": "^0.55.0",
+    "libflitter": "^0.56.1",
     "moment": "^2.24.0",
     "mongodb": "^3.5.9",
     "nodemailer": "^6.4.6",

yarn.lock

@@ -3235,10 +3235,10 @@ leven@^1.0.2:
   resolved "https://registry.yarnpkg.com/leven/-/leven-1.0.2.tgz#9144b6eebca5f1d0680169f1a6770dcea60b75c3"
   integrity sha1-kUS27ryl8dBoAWnxpncNzqYLdcM=
 
-libflitter@^0.55.0:
-  version "0.55.0"
-  resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.55.0.tgz#9392f163950ceeda57a2a7c9cc7871672268b2f5"
-  integrity sha512-EM4wJbdS/5KCEPU+ylw/Z8GxseK8+HrbQNu8ooSNsDsEsmCzva8K0StK8NR50eJQQkqs6XwcuMm96Y5+X9CNTA==
+libflitter@^0.56.1:
+  version "0.56.1"
+  resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.56.1.tgz#250166027b9cab727c9deb6b1fa1865428b1eafb"
+  integrity sha512-QikFtFRa9okKOjOio5ehpQ6hyacCoMbtOlqcXt4I7uU3lntBeP5qSbz1q3x1wUY/AdBc2k70+Eg8BcpGmBEs4Q==
   dependencies:
     colors "^1.3.3"
     connect-mongodb-session "^2.2.0"