audit logs for failed login attempts (#4564)

* audit logs for failed login attempts * updating ee ref
windmill-labs · Oct 22, 2024 · 18fc0e4 · 18fc0e4
1 parent ae3961e
commit 18fc0e4
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 6 deletions.
diff --git a/backend/ee-repo-ref.txt b/backend/ee-repo-ref.txt
@@ -1 +1 @@
-ce38a7f85ca257c48471c46e3811a1281d9e2f27
+d61c163e0a311ecd86d1398aff883eaea8d0b09a
diff --git a/backend/windmill-api/openapi.yaml b/backend/windmill-api/openapi.yaml
@@ -10735,6 +10735,7 @@ components:
             - "users.delete"
             - "users.update"
             - "users.login"
+            - "users.login_failure"
             - "users.logout"
             - "users.accept_invite"
             - "users.decline_invite"

diff --git a/backend/windmill-api/src/users.rs b/backend/windmill-api/src/users.rs
@@ -2290,6 +2290,8 @@ async fn login(
 ) -> Result<String> {
     let mut tx = db.begin().await?;
     let email = email.to_lowercase();
+    let audit_author =
+        AuditAuthor { email: email.clone(), username: email.clone(), username_override: None };
     let email_w_h: Option<(String, String, bool, bool)> = sqlx::query_as(
         "SELECT email, password_hash, super_admin, first_time_user FROM password WHERE email = $1 AND login_type = \
          'password'",
@@ -2305,6 +2307,16 @@ async fn login(
             .verify_password(password.as_bytes(), &parsed_hash)
             .is_err()
         {
+            audit_log(
+                &mut *tx,
+                &audit_author,
+                "users.login_failure",
+                ActionKind::Create,
+                "global",
+                None,
+                None,
+            )
+            .await?;
             Err(Error::BadRequest("Invalid login".to_string()))
         } else {
             if first_time_user {
@@ -2330,11 +2342,7 @@ async fn login(
 
             audit_log(
                 &mut *tx,
-                &AuditAuthor {
-                    username: email.clone(),
-                    email: email.clone(),
-                    username_override: None,
-                },
+                &audit_author,
                 "users.login",
                 ActionKind::Create,
                 "global",
@@ -2347,6 +2355,16 @@ async fn login(
             Ok(token)
         }
     } else {
+        audit_log(
+            &mut *tx,
+            &audit_author,
+            "users.login_failure",
+            ActionKind::Create,
+            "global",
+            None,
+            None,
+        )
+        .await?;
         Err(Error::BadRequest("Invalid login".to_string()))
     }
 }

diff --git a/frontend/src/lib/components/auditLogs/AuditLogsFilters.svelte b/frontend/src/lib/components/auditLogs/AuditLogsFilters.svelte
@@ -241,6 +241,7 @@
 		USERS_SETPASSWORD: 'users.setpassword',
 		USERS_UPDATE: 'users.update',
 		USERS_LOGIN: 'users.login',
+		USERS_LOGIN_FAILURE: 'users.login_failure',
 		USERS_LOGOUT: 'users.logout',
 		USERS_ACCEPT_INVITE: 'users.accept_invite',
 		USERS_DECLINE_INVITE: 'users.decline_invite',