Software / code / prosody-modules
Annotate
mod_log_auth/mod_log_auth.lua @ 5425:3b30635d215c
mod_http_oauth2: Support granting zero role-scopes
It seems Very Bad that if you uncheck all roles on the consent page, you
get the default scopes, which seems the opposite of what you probably
intended. Currently, mod_tokenauth will do the same thing, so work is
needed there too to allow issuing tokens without roles.
A token without a role could be used for OIDC login, and not much else.
This seems like a valuable thing to support.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 07 May 2023 19:29:15 +0200 |
| parent | 3941:6d1ec8099315 |
| rev | line source |
|---|---|
|
1427
322a076f53e8
mod_log_auth: Add ability to log IPs of successful authentications too
Matthew Wild <mwild1@gmail.com>
parents:
1097
diff
changeset
|
1 local mode = module:get_option_string("log_auth_ips", "failure"); |
|
2695
8b21f13b08c5
mod_log_auth: Split some long lines
Kim Alvefur <zash@zash.se>
parents:
2084
diff
changeset
|
2 assert(({ all = true, failure = true, success = true })[mode], |
|
8b21f13b08c5
mod_log_auth: Split some long lines
Kim Alvefur <zash@zash.se>
parents:
2084
diff
changeset
|
3 "Unknown log mode: "..tostring(mode).." - valid modes are 'all', 'failure', 'success'"); |
|
407
41feaf7fd8ac
mod_auth_log: New module (currently) to log failed auth attempts and their IP address, requires trunk
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 |
|
1427
322a076f53e8
mod_log_auth: Add ability to log IPs of successful authentications too
Matthew Wild <mwild1@gmail.com>
parents:
1097
diff
changeset
|
5 if mode == "failure" or mode == "all" then |
|
322a076f53e8
mod_log_auth: Add ability to log IPs of successful authentications too
Matthew Wild <mwild1@gmail.com>
parents:
1097
diff
changeset
|
6 module:hook("authentication-failure", function (event) |
|
2695
8b21f13b08c5
mod_log_auth: Split some long lines
Kim Alvefur <zash@zash.se>
parents:
2084
diff
changeset
|
7 local session = event.session; |
|
2698
88205b77e385
mod_log_auth: Handle missing sasl handler
Kim Alvefur <zash@zash.se>
parents:
2696
diff
changeset
|
8 local username = session.username or session.sasl_handler and session.sasl_handler.username or "?"; |
|
3941
6d1ec8099315
mod_log_auth: log hostname, too
tmolitor <thilo@eightysoft.de>
parents:
2699
diff
changeset
|
9 session.log("info", "Failed authentication attempt (%s) for user %s@%s from IP: %s", |
|
6d1ec8099315
mod_log_auth: log hostname, too
tmolitor <thilo@eightysoft.de>
parents:
2699
diff
changeset
|
10 event.condition or "unknown-condition", username, module.host, session.ip or "?"); |
|
1427
322a076f53e8
mod_log_auth: Add ability to log IPs of successful authentications too
Matthew Wild <mwild1@gmail.com>
parents:
1097
diff
changeset
|
11 end); |
|
322a076f53e8
mod_log_auth: Add ability to log IPs of successful authentications too
Matthew Wild <mwild1@gmail.com>
parents:
1097
diff
changeset
|
12 end |
|
322a076f53e8
mod_log_auth: Add ability to log IPs of successful authentications too
Matthew Wild <mwild1@gmail.com>
parents:
1097
diff
changeset
|
13 |
|
322a076f53e8
mod_log_auth: Add ability to log IPs of successful authentications too
Matthew Wild <mwild1@gmail.com>
parents:
1097
diff
changeset
|
14 if mode == "success" or mode == "all" then |
|
322a076f53e8
mod_log_auth: Add ability to log IPs of successful authentications too
Matthew Wild <mwild1@gmail.com>
parents:
1097
diff
changeset
|
15 module:hook("authentication-success", function (event) |
|
322a076f53e8
mod_log_auth: Add ability to log IPs of successful authentications too
Matthew Wild <mwild1@gmail.com>
parents:
1097
diff
changeset
|
16 local session = event.session; |
|
3941
6d1ec8099315
mod_log_auth: log hostname, too
tmolitor <thilo@eightysoft.de>
parents:
2699
diff
changeset
|
17 session.log("info", "Successful authentication as %s@%s from IP: %s", session.username, module.host, session.ip or "?"); |
|
1427
322a076f53e8
mod_log_auth: Add ability to log IPs of successful authentications too
Matthew Wild <mwild1@gmail.com>
parents:
1097
diff
changeset
|
18 end); |
|
322a076f53e8
mod_log_auth: Add ability to log IPs of successful authentications too
Matthew Wild <mwild1@gmail.com>
parents:
1097
diff
changeset
|
19 end |
