webaccess: Log all authentication successes/failures

This loses some of the granularity of the default HTTP basic auth
(unknown username vs. bad password), but there is considerable value
in having logging that is consistent no matter what authentication
plugins are installed.
readonly-pad-export-tests
Richard Hansen 2020-08-27 21:41:31 -04:00 committed by John McLear
parent ea4b9bf7d7
commit 411b278881
1 changed files with 7 additions and 12 deletions

View File

@ -94,7 +94,10 @@ exports.checkAccess = (req, res, next) => {
} }
hooks.aCallFirst('authenticate', ctx, hookResultMangle((ok) => { hooks.aCallFirst('authenticate', ctx, hookResultMangle((ok) => {
if (!ok) { if (!ok) {
const failure = () => { // Fall back to HTTP basic auth.
if (!httpBasicAuth || !(ctx.username in settings.users) ||
settings.users[ctx.username].password !== ctx.password) {
httpLogger.info(`Failed authentication from IP ${req.ip}`);
return hooks.aCallFirst('authnFailure', {req, res}, hookResultMangle((ok) => { return hooks.aCallFirst('authnFailure', {req, res}, hookResultMangle((ok) => {
if (ok) return; if (ok) return;
return hooks.aCallFirst('authFailure', {req, res, next}, hookResultMangle((ok) => { return hooks.aCallFirst('authFailure', {req, res, next}, hookResultMangle((ok) => {
@ -107,18 +110,7 @@ exports.checkAccess = (req, res, next) => {
}, 1000); }, 1000);
})); }));
})); }));
};
// Fall back to HTTP basic auth.
if (!httpBasicAuth) return failure();
if (!(ctx.username in settings.users)) {
httpLogger.info(`Failed authentication from IP ${req.ip} - no such user`);
return failure();
} }
if (settings.users[ctx.username].password !== ctx.password) {
httpLogger.info(`Failed authentication from IP ${req.ip} for user ${ctx.username} - incorrect password`);
return failure();
}
httpLogger.info(`Successful authentication from IP ${req.ip} for user ${ctx.username}`);
settings.users[ctx.username].username = ctx.username; settings.users[ctx.username].username = ctx.username;
req.session.user = settings.users[ctx.username]; req.session.user = settings.users[ctx.username];
} }
@ -127,6 +119,9 @@ exports.checkAccess = (req, res, next) => {
res.status(500).send('Internal Server Error'); res.status(500).send('Internal Server Error');
return; return;
} }
let username = req.session.user.username;
username = (username != null) ? username : '<no username>';
httpLogger.info(`Successful authentication from IP ${req.ip} for username ${username}`);
step3Authorize(); step3Authorize();
})); }));
}; };