feat: record audit events for api token creation and revocation

This commit is contained in:
2026-05-26 16:14:31 +02:00
parent a303c131f1
commit 6dd84976de


@@ -6,6 +6,7 @@ import (
"crypto/sha256" "crypto/sha256"
"encoding/base64" "encoding/base64"
"encoding/hex" "encoding/hex"
"encoding/json"
"errors" "errors"
"fmt" "fmt"
"mal/internal/domain" "mal/internal/domain"
@@ -17,11 +18,12 @@ import (
) )
type authService struct { type authService struct {
repo domain.AuthRepository repo domain.AuthRepository
auditSvc domain.AuditService
} }
func NewAuthService(repo domain.AuthRepository) domain.AuthService { func NewAuthService(repo domain.AuthRepository, auditSvc domain.AuditService) domain.AuthService {
return &authService{repo: repo} return &authService{repo: repo, auditSvc: auditSvc}
} }
func (s *authService) Login(ctx context.Context, username, password string) (*domain.Session, error) { func (s *authService) Login(ctx context.Context, username, password string) (*domain.Session, error) {
@@ -67,6 +69,24 @@ func (s *authService) LoginForAPIToken(ctx context.Context, username, password,
return "", nil, err return "", nil, err
} }
metadataBytes, err := json.Marshal(struct {
Name string `json:"name"`
}{Name: trimmedName})
if err == nil {
_ = s.auditSvc.Record(ctx, domain.AuditEvent{
UserID: user.ID,
Action: "api_token_created",
ResourceType: "api_token",
MetadataJSON: metadataBytes,
})
} else {
_ = s.auditSvc.Record(ctx, domain.AuditEvent{
UserID: user.ID,
Action: "api_token_created",
ResourceType: "api_token",
})
}
return rawToken, user, nil return rawToken, user, nil
} }
@@ -124,7 +144,15 @@ func (s *authService) RevokeAllAPITokensForUser(ctx context.Context, userID stri
if strings.TrimSpace(userID) == "" { if strings.TrimSpace(userID) == "" {
return errors.New("user id missing") return errors.New("user id missing")
} }
return s.repo.RevokeAllAPITokensForUser(ctx, userID) if err := s.repo.RevokeAllAPITokensForUser(ctx, userID); err != nil {
return err
}
_ = s.auditSvc.Record(ctx, domain.AuditEvent{
UserID: userID,
Action: "api_token_revoked_all",
ResourceType: "api_token",
})
return nil
} }
func newOpaqueToken() (token string, tokenHash string, err error) { func newOpaqueToken() (token string, tokenHash string, err error) {
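Review bot: All three audit writes added here (`_ = s.auditSvc.Record(...)` twice in the LoginForAPIToken hunk and once after the repo call in RevokeAllAPITokensForUser) discard the error, so a failed audit write leaves a token created or revoked with no record and nothing that tells an operator the trail has a gap; either surface the error through whatever logger the service has access to, or document the choice inline, e.g. `// best-effort: a failed audit write must not undo a completed token operation`. The two Record calls inside the marshal `if/else` are duplicates differing only in MetadataJSON, and json.Marshal of a struct holding one string field is not expected to fail, so building the event once and attaching the metadata conditionally is shorter and leaves a single place to handle the Record error (rewrite below). The body of LoginForAPIToken starts outside the hunk, so `user` and `trimmedName` come from earlier lines. Separately, NewAuthService now takes auditSvc without a nil check; if any caller still passes nil, the first Record call panics on the nil interface — callers are not visible here, so this may already be covered, but a constructor-level check would make the requirement explicit.
```go
	// … unchanged: token creation and the preceding error return …
	ev := domain.AuditEvent{
		UserID:       user.ID,
		Action:       "api_token_created",
		ResourceType: "api_token",
	}
	// Marshalling a single string field is not expected to fail; if it does,
	// the event is still recorded, just without metadata.
	if metadataBytes, err := json.Marshal(struct {
		Name string `json:"name"`
	}{Name: trimmedName}); err == nil {
		ev.MetadataJSON = metadataBytes
	}
	if err := s.auditSvc.Record(ctx, ev); err != nil {
		// TODO(review): report this through the service's logger — a dropped
		// audit record is otherwise invisible. Do not fail the call: the token
		// already exists at this point.
	}
	return rawToken, user, nil
```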