# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1749051139 -7200
# Node ID 7e4238d2989c5cc0eac1a42ef3fedf7fe47d2242
# Parent  b7eb7d25693962de779c9bb5e9fc02d4146d7db4
mod_http_oauth2: Fire authentication events in password grant

Allows for e.g. audit logging and rate limiting modules to catch login
attempts, successful or otherwise, that come through here.

diff -r b7eb7d256939 -r 7e4238d2989c mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue Jun 03 17:20:52 2025 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Wed Jun 04 17:32:19 2025 +0200
@@ -433,10 +433,25 @@
 		return oauth_error("invalid_request", "missing 'password'");
 	end
 
+	local auth_event = {
+		session = {
+			type = "oauth2";
+			ip = "::";
+			username = request_username;
+			host = module.host;
+			log = module._log;
+			sasl_handler = { username = request_username; selected = "x-oauth2-password" };
+			client_id = client.client_name;
+		};
+	};
+
 	if not usermanager.test_password(request_username, module.host, request_password) then
+		module:fire_event("authentication-failure", auth_event);
 		return oauth_error("invalid_grant", "incorrect credentials");
 	end
 
+	module:fire_event("authentication-success", auth_event);
+
 	local granted_jid = jid.join(request_username, module.host);
 	local granted_scopes, granted_role = filter_scopes(request_username, params.scope);
 	return json.encode(new_access_token(granted_jid, granted_role, granted_scopes, client));