audit tokens

Author: hummerdmag

model/server_settings.go

@@ -27,6 +27,7 @@ type ServerSettings struct {
 	KeyStorage     FileStorageSettings    `yaml:"keyStorage" json:"key_storage"`
 	Config         FileStorageSettings    `yaml:"-" json:"config"`
 	Logger         LoggerSettings         `yaml:"logger" json:"logger"`
+	Audit          AuditSettings          `yaml:"audit" json:"audit"`
 	AdminPanel     AdminPanelSettings     `yaml:"adminPanel" json:"admin_panel"`
 	LoginWebApp    FileStorageSettings    `yaml:"loginWebApp" json:"login_web_app"`
 	EmailTemplates FileStorageSettings    `yaml:"emailTemplates" json:"email_templates"`
@@ -388,6 +389,18 @@ func HTTPLogDetailing(dumpRequest bool, logType HTTPDetailing) HTTPDetailing {
 	return logType
 }
 
+type TokenRecording string
+
+const (
+	TokenRecordingNone       TokenRecording = "none"
+	TokenRecordingObfuscated TokenRecording = "obfuscated"
+	TokenRecordingFull       TokenRecording = "full"
+)
+
+type AuditSettings struct {
+	TokenRecording TokenRecording `yaml:"tokenRecording" json:"tokenRecording"`
+}
+
 type AdminPanelSettings struct {
 	Enabled bool `json:"enabled" yaml:"enabled"`
 }

web/api/2fa.go

@@ -306,8 +306,9 @@ func (ar *Router) FinalizeTFA() http.HandlerFunc {
 			}
 		}
 
-		ar.journal(JournalOperationLoginWith2FA,
-			user.ID, app.ID, r.UserAgent(), user.AccessRole, scopes.Scopes())
+		ar.audit(AuditOperationLoginWith2FA,
+			user.ID, app.ID, r.UserAgent(), user.AccessRole, scopes.Scopes(),
+			result.AccessToken, result.RefreshToken)
 
 		ar.server.Storages().User.UpdateLoginMetadata(user.ID)
 		ar.ServeJSON(w, locale, http.StatusOK, result)

web/api/federated_login.go

@@ -212,8 +212,9 @@ func (ar *Router) FederatedLoginComplete() http.HandlerFunc {
 		authResult.CallbackUrl = fsess.CallbackUrl
 		authResult.Scopes = fsess.Scopes
 
-		ar.journal(JournalOperationFederatedLogin,
-			user.ID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes())
+		ar.audit(AuditOperationFederatedLogin,
+			user.ID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes(),
+			authResult.AccessToken, authResult.RefreshToken)
 
 		ar.ServeJSON(w, locale, http.StatusOK, authResult)
 	}

web/api/federated_oidc_login.go

@@ -249,8 +249,9 @@ func (ar *Router) OIDCLoginComplete(useSession bool) http.HandlerFunc {
 		authResult.Scopes = resultScopes.Scopes()
 		authResult.ProviderData = *providerData
 
-		ar.journal(JournalOperationOIDCLogin,
-			user.ID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes())
+		ar.audit(AuditOperationOIDCLogin,
+			user.ID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes(),
+			authResult.AccessToken, authResult.RefreshToken)
 
 		ar.ServeJSON(w, locale, http.StatusOK, authResult)
 	}

web/api/impersonate_as.go

@@ -77,8 +77,9 @@ func (ar *Router) ImpersonateAs() http.HandlerFunc {
 		// do not allow refresh for impersonated user
 		authResult.RefreshToken = ""
 
-		ar.journal(JournalOperationImpersonatedAs,
-			userID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes())
+		ar.audit(AuditOperationImpersonatedAs,
+			userID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes(),
+			authResult.AccessToken, authResult.RefreshToken)
 
 		ar.ServeJSON(w, locale, http.StatusOK, authResult)
 	}

web/api/journal.go

@@ -2,29 +2,36 @@ package api
 
 import (
 	"github.com/madappgang/identifo/v2/logging"
+	"github.com/madappgang/identifo/v2/model"
 )
 
-type JournalOperation string
+type AuditOperation string
 
 const (
-	JournalOperationLoginWithPassword JournalOperation = "login_with_password"
-	JournalOperationLoginWithPhone    JournalOperation = "login_with_phone"
-	JournalOperationLoginWith2FA      JournalOperation = "login_with_2fa"
-	JournalOperationRefreshToken      JournalOperation = "refresh_token"
-	JournalOperationOIDCLogin         JournalOperation = "oidc_login"
-	JournalOperationFederatedLogin    JournalOperation = "federated_login"
-	JournalOperationRegistration      JournalOperation = "registration"
-	JournalOperationLogout            JournalOperation = "logout"
-	JournalOperationImpersonatedAs    JournalOperation = "impersonated_as"
+	AuditOperationLoginWithPassword AuditOperation = "login_with_password"
+	AuditOperationLoginWithPhone    AuditOperation = "login_with_phone"
+	AuditOperationLoginWith2FA      AuditOperation = "login_with_2fa"
+	AuditOperationRefreshToken      AuditOperation = "refresh_token"
+	AuditOperationOIDCLogin         AuditOperation = "oidc_login"
+	AuditOperationFederatedLogin    AuditOperation = "federated_login"
+	AuditOperationRegistration      AuditOperation = "registration"
+	AuditOperationLogout            AuditOperation = "logout"
+	AuditOperationImpersonatedAs    AuditOperation = "impersonated_as"
 )
 
-func (ar *Router) journal(
-	op JournalOperation,
+func (ar *Router) audit(
+	op AuditOperation,
 	userID, appID, device, accessRole string,
 	scopes []string,
+	accessToken, refreshToken string,
 ) {
 	iss := ar.server.Services().Token.Issuer()
 
+	auditSettings := ar.server.Settings().Audit
+
+	accessToken = maskToken(accessToken, auditSettings.TokenRecording)
+	refreshToken = maskToken(refreshToken, auditSettings.TokenRecording)
+
 	// TODO: Create an interface for the audit log
 	// Implement it for logging to stdout, a database, or a remote service
 	ar.logger.Info("audit_record",
@@ -35,5 +42,24 @@ func (ar *Router) journal(
 		"issuer", iss,
 		"accessRole", accessRole,
 		"scopes", scopes,
+		"accessToken", accessToken,
+		"refreshToken", refreshToken,
 	)
 }
+
+func maskToken(token string, tokenRecording model.TokenRecording) string {
+	switch tokenRecording {
+	case model.TokenRecordingNone:
+		return "<redacted>"
+	case model.TokenRecordingObfuscated:
+		if len(token) < 32 {
+			return "<short>"
+		}
+
+		return token[:6] + "..." + token[len(token)-6:]
+	case model.TokenRecordingFull:
+		return token
+	default:
+		return "<redacted>"
+	}
+}

web/api/login.go

@@ -189,8 +189,9 @@ func (ar *Router) LoginWithPassword() http.HandlerFunc {
 			return
 		}
 
-		ar.journal(JournalOperationLoginWithPassword,
-			user.ID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes())
+		ar.audit(AuditOperationLoginWithPassword,
+			user.ID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes(),
+			authResult.AccessToken, authResult.RefreshToken)
 
 		ar.ServeJSON(w, locale, http.StatusOK, authResult)
 	}

web/api/logout.go

@@ -64,8 +64,9 @@ func (ar *Router) Logout() http.HandlerFunc {
 			}
 		}
 
-		ar.journal(JournalOperationLogout,
-			accessToken.Subject(), accessToken.Audience(), r.UserAgent(), "", nil)
+		ar.audit(AuditOperationLogout,
+			accessToken.Subject(), accessToken.Audience(), r.UserAgent(), "", nil,
+			accessTokenString, d.RefreshToken)
 
 		ar.ServeJSON(w, locale, http.StatusOK, result)
 	}

web/api/phone_login.go

@@ -169,8 +169,9 @@ func (ar *Router) PhoneLogin() http.HandlerFunc {
 			User:         user,
 		}
 
-		ar.journal(JournalOperationLoginWithPhone,
-			user.ID, app.ID, r.UserAgent(), user.AccessRole, scopes.Scopes())
+		ar.audit(AuditOperationLoginWithPhone,
+			user.ID, app.ID, r.UserAgent(), user.AccessRole, scopes.Scopes(),
+			result.AccessToken, result.RefreshToken)
 
 		ar.server.Storages().User.UpdateLoginMetadata(user.ID)
 
@@ -208,7 +209,7 @@ func (l *PhoneLogin) validateCodeAndPhone() error {
 
 func (l *PhoneLogin) validatePhone() error {
 	if !model.PhoneRegexp.MatchString(l.PhoneNumber) {
-		return errors.New("ohone number is not valid")
+		return errors.New("phone number is not valid")
 	}
 	return nil
 }

web/api/refresh_token.go

@@ -89,8 +89,9 @@ func (ar *Router) RefreshTokens() http.HandlerFunc {
 		}
 
 		resultScopes := strings.Split(accessToken.Scopes(), " ")
-		ar.journal(JournalOperationRefreshToken,
-			oldRefreshToken.Subject(), app.ID, r.UserAgent(), "", resultScopes)
+		ar.audit(AuditOperationRefreshToken,
+			oldRefreshToken.Subject(), app.ID, r.UserAgent(), "", resultScopes,
+			result.AccessToken, result.RefreshToken)
 
 		ar.ServeJSON(w, locale, http.StatusOK, result)
 	}