feat: audit log logins

miquelvir · Feb 19, 2024 · cb0a4b8 · cb0a4b8
1 parent 1214db2
commit cb0a4b8
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -90,6 +90,7 @@ Create a .env on the root folder of the project with the following variables:
 12. SMTP_BULK_DOMAIN=newsletter.xamfra.net
 13. SMTP_DOMAIN=smtp.xamfra.net
 14. SMTP_USER=[email protected]
+15. DISCORD_LOGIN_NOTIFICATIONS
 
 ### FRONTEND
 

diff --git a/config.py b/config.py
@@ -58,6 +58,8 @@ class Config(object):
     DEBUGGING_MODE = bool(int(os.getenv("EMAIL_DEBUGGING_MODE", 0)))
     DEBUGGING_SEND_EMAILS = True
 
+    DISCORD_LOGIN_NOTIFICATIONS = os.getenv("DISCORD_LOGIN_NOTIFICATIONS")
+
 
 class DevelopmentConfig(Config):
     DEBUG = True

diff --git a/server/blueprints/auth/config.py b/server/blueprints/auth/config.py
@@ -4,7 +4,7 @@
 from flask import Blueprint, g, request, current_app, session, abort, jsonify
 from server.containers import Container
 from server.services.totp_service import TotpService
-
+import requests
 
 # initialise the blueprint
 from flask_login import login_user, logout_user, login_required, current_user
@@ -14,6 +14,19 @@
 auth_blueprint = Blueprint("auth", __name__)
 
 
+def audit_login(emoji: str, ip: str, username: str, result: str):
+    requests.post(current_app.config.DISCORD_LOGIN_NOTIFICATIONS, json={
+        "content": f"[{emoji}] [{username}] [{ip}] {result}"
+    })
+
+
+def get_ip():
+    if request.environ.get('HTTP_X_FORWARDED_FOR') is None:
+        return request.environ['REMOTE_ADDR']
+    else:
+        return request.environ['HTTP_X_FORWARDED_FOR'] # if behind a proxy
+
+
 def basic_http_auth_required(f):
     def verify_password(username: str, password: str) -> bool:
         """Given a username and optionally a password, verify its validity."""
@@ -39,13 +52,17 @@ def verify_totp(
     def wrapper(*args, **kwargs):
         auth = request.authorization  # first factor
         totp = request.args.get("totp", None)  # second factor (2FA)
-
         if not (totp and auth):  # missing fields
+            audit_login("⚠️", get_ip(), username, "Failed (missing totp or auth)")
             abort(401)
         if not verify_password(auth.username, auth.password):  # wrong first factor
+            audit_login("⚠️", get_ip(), username, "Failed (invalid password or username)")
             abort(401)
         if not verify_totp(totp, g.user):  # wrong second factor
+            audit_login("⚠️", get_ip(), username, "Failed (invalid totp)")
             abort(401)
+
+        audit_login("✅", get_ip(), username, "Successful")
         return f(*args, **kwargs)
 
     return wrapper