feat(mcp): persist login audit for OAuth and API key
All checks were successful
Secrets MCP — Build & Release / 版本 & Release (push) Successful in 3s
Secrets MCP — Build & Release / 质量检查 (fmt / clippy / test) (push) Successful in 3m16s
Secrets MCP — Build & Release / Build Linux (secrets-mcp, musl) (push) Successful in 4m32s
Secrets MCP — Build & Release / 发布草稿 Release (push) Successful in 3s
Secrets MCP — Build & Release / 部署 secrets-mcp (push) Successful in 4m33s
All checks were successful
Secrets MCP — Build & Release / 版本 & Release (push) Successful in 3s
Secrets MCP — Build & Release / 质量检查 (fmt / clippy / test) (push) Successful in 3m16s
Secrets MCP — Build & Release / Build Linux (secrets-mcp, musl) (push) Successful in 4m32s
Secrets MCP — Build & Release / 发布草稿 Release (push) Successful in 3s
Secrets MCP — Build & Release / 部署 secrets-mcp (push) Successful in 4m33s
- Add audit::log_login in secrets-core (audit_log detail: user_id, provider, client_ip, user_agent) - Log web Google OAuth success after session established - Log MCP Bearer API key auth success in middleware - Bump secrets-mcp to 0.1.6 (tag 0.1.5 existed) Made-with: Cursor
This commit is contained in:
voson
@@ -1,11 +1,60 @@
|
||||
use serde_json::Value;
|
||||
use sqlx::{Postgres, Transaction};
|
||||
use serde_json::{Value, json};
|
||||
use sqlx::{PgPool, Postgres, Transaction};
|
||||
use uuid::Uuid;
|
||||
|
||||
pub const ACTION_LOGIN: &str = "login";
|
||||
pub const NAMESPACE_AUTH: &str = "auth";
|
||||
|
||||
/// Return the current OS user as the audit actor (falls back to empty string).
|
||||
pub fn current_actor() -> String {
|
||||
std::env::var("USER").unwrap_or_default()
|
||||
}
|
||||
|
||||
fn login_detail(
|
||||
user_id: Uuid,
|
||||
provider: &str,
|
||||
client_ip: Option<&str>,
|
||||
user_agent: Option<&str>,
|
||||
) -> Value {
|
||||
json!({
|
||||
"user_id": user_id,
|
||||
"provider": provider,
|
||||
"client_ip": client_ip,
|
||||
"user_agent": user_agent,
|
||||
})
|
||||
}
|
||||
|
||||
/// Write a login audit entry without requiring an explicit transaction.
|
||||
pub async fn log_login(
|
||||
pool: &PgPool,
|
||||
kind: &str,
|
||||
provider: &str,
|
||||
user_id: Uuid,
|
||||
client_ip: Option<&str>,
|
||||
user_agent: Option<&str>,
|
||||
) {
|
||||
let actor = current_actor();
|
||||
let detail = login_detail(user_id, provider, client_ip, user_agent);
|
||||
let result: Result<_, sqlx::Error> = sqlx::query(
|
||||
"INSERT INTO audit_log (action, namespace, kind, name, detail, actor) \
|
||||
VALUES ($1, $2, $3, $4, $5, $6)",
|
||||
)
|
||||
.bind(ACTION_LOGIN)
|
||||
.bind(NAMESPACE_AUTH)
|
||||
.bind(kind)
|
||||
.bind(provider)
|
||||
.bind(&detail)
|
||||
.bind(&actor)
|
||||
.execute(pool)
|
||||
.await;
|
||||
|
||||
if let Err(e) = result {
|
||||
tracing::warn!(error = %e, kind, provider, "failed to write login audit log");
|
||||
} else {
|
||||
tracing::debug!(kind, provider, ?user_id, actor, "login audit logged");
|
||||
}
|
||||
}
|
||||
|
||||
/// Write an audit entry within an existing transaction.
|
||||
pub async fn log_tx(
|
||||
tx: &mut Transaction<'_, Postgres>,
|
||||
@@ -35,3 +84,19 @@ pub async fn log_tx(
|
||||
tracing::debug!(action, namespace, kind, name, actor, "audit logged");
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::*;
|
||||
|
||||
#[test]
|
||||
fn login_detail_includes_expected_fields() {
|
||||
let user_id = Uuid::nil();
|
||||
let detail = login_detail(user_id, "google", Some("127.0.0.1"), Some("Mozilla/5.0"));
|
||||
|
||||
assert_eq!(detail["user_id"], json!(user_id));
|
||||
assert_eq!(detail["provider"], "google");
|
||||
assert_eq!(detail["client_ip"], "127.0.0.1");
|
||||
assert_eq!(detail["user_agent"], "Mozilla/5.0");
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user