From 6dd84976de40d376b72b4f109666d14eb95d1952 Mon Sep 17 00:00:00 2001
From: mkelvers
Date: Tue, 26 May 2026 16:14:31 +0200
Subject: [PATCH] feat: record audit events for api token creation and revocation

---
 internal/auth/service/service.go | 36 ++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/internal/auth/service/service.go b/internal/auth/service/service.go
index f04caae..291857f 100644
--- a/internal/auth/service/service.go
+++ b/internal/auth/service/service.go
@@ -6,6 +6,7 @@ import (
 "crypto/sha256"
 "encoding/base64"
 "encoding/hex"
+ "encoding/json"
 "errors"
 "fmt"
 "mal/internal/domain"
@@ -17,11 +18,12 @@ import (
 )
 
 type authService struct {
- repo domain.AuthRepository
+ repo domain.AuthRepository
+ auditSvc domain.AuditService
 }
 
-func NewAuthService(repo domain.AuthRepository) domain.AuthService {
- return &authService{repo: repo}
+func NewAuthService(repo domain.AuthRepository, auditSvc domain.AuditService) domain.AuthService {
+ return &authService{repo: repo, auditSvc: auditSvc}
 }
 
 func (s *authService) Login(ctx context.Context, username, password string) (*domain.Session, error) {
@@ -67,6 +69,24 @@ func (s *authService) LoginForAPIToken(ctx context.Context, username, password,
 return "", nil, err
 }
 
+ metadataBytes, err := json.Marshal(struct {
+ Name string `json:"name"`
+ }{Name: trimmedName})
+ if err == nil {
+ _ = s.auditSvc.Record(ctx, domain.AuditEvent{
+ UserID: user.ID,
+ Action: "api_token_created",
+ ResourceType: "api_token",
+ MetadataJSON: metadataBytes,
+ })
+ } else {
+ _ = s.auditSvc.Record(ctx, domain.AuditEvent{
+ UserID: user.ID,
+ Action: "api_token_created",
+ ResourceType: "api_token",
+ })
+ }
+
 return rawToken, user, nil
 }
 
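Review bot: NewAuthService stores `auditSvc` without checking it, while the new code in LoginForAPIToken and RevokeAllAPITokensForUser calls `s.auditSvc.Record` unconditionally, so a caller that passes nil panics only after the token has already been created or revoked. Rejecting nil where the service is wired, or substituting a documented no-op recorder, would surface the mistake at start-up instead of on the first token request. The exported constructor also has no doc comment; `// NewAuthService returns an AuthService backed by repo; auditSvc must be non-nil because token creation and revocation record audit events through it.` would state the requirement.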
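Review bot: Both `Record` calls added to LoginForAPIToken discard their error with `_ =`, so a failed write leaves an issued API token with no audit entry and nothing signals the gap; the RevokeAllAPITokensForUser hunk has the same pattern. Keeping the call successful is reasonable because the token already exists, but the error should reach a log line or a counter so missing entries are detectable. The two branches differ only in `MetadataJSON`, so the event can be built once and the field set when marshalling succeeds, as sketched below. The event carries the token name but no token identifier; if `domain.AuditEvent` has a resource-id field (not visible here), setting it would let a later revocation be matched to this creation. The function body starts outside the hunk.

```go
// … unchanged: token creation and its error return …
event := domain.AuditEvent{
	UserID:       user.ID,
	Action:       "api_token_created",
	ResourceType: "api_token",
}
// Metadata is optional: the event is still recorded if marshalling fails.
if metadataBytes, err := json.Marshal(struct {
	Name string `json:"name"`
}{Name: trimmedName}); err == nil {
	event.MetadataJSON = metadataBytes
}
if err := s.auditSvc.Record(ctx, event); err != nil {
	// The token is already issued, so the call still succeeds; report the
	// lost audit entry through the service's logger or metrics here.
}
return rawToken, user, nil
```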
@@ -124,7 +144,15 @@ func (s *authService) RevokeAllAPITokensForUser(ctx context.Context, userID stri
 if strings.TrimSpace(userID) == "" {
 return errors.New("user id missing")
 }
- return s.repo.RevokeAllAPITokensForUser(ctx, userID)
+ if err := s.repo.RevokeAllAPITokensForUser(ctx, userID); err != nil {
+ return err
+ }
+ _ = s.auditSvc.Record(ctx, domain.AuditEvent{
+ UserID: userID,
+ Action: "api_token_revoked_all",
+ ResourceType: "api_token",
+ })
+ return nil
 }
 
 func newOpaqueToken() (token string, tokenHash string, err error) {
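Review bot: The `api_token_revoked_all` event sets `UserID` to the account whose tokens are revoked, which may not be the principal that asked for the revocation. If this method can be reached by an administrator or an automated job acting on another user (the callers are outside the hunk), the audit trail will attribute the action to the token owner; carrying the acting principal in a separate field or in the event metadata would keep the record attributable. A doc comment such as `// RevokeAllAPITokensForUser revokes every API token owned by userID and records an api_token_revoked_all audit event; a failed audit write does not fail the revocation.` would make the best-effort behaviour explicit. The function signature sits in the hunk header, outside the changed lines.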