feat: add auth fail logs

packages/lib/constants/auth.ts

@@ -18,6 +18,8 @@ export const USER_SECURITY_AUDIT_LOG_MAP: { [key in UserSecurityAuditLogType]: s
   [UserSecurityAuditLogType.AUTH_2FA_ENABLE]: '2FA Enabled',
   [UserSecurityAuditLogType.PASSWORD_RESET]: 'Password reset',
   [UserSecurityAuditLogType.PASSWORD_UPDATE]: 'Password updated',
-  [UserSecurityAuditLogType.SIGN_IN]: 'Signed In',
   [UserSecurityAuditLogType.SIGN_OUT]: 'Signed Out',
+  [UserSecurityAuditLogType.SIGN_IN]: 'Signed In',
+  [UserSecurityAuditLogType.SIGN_IN_FAIL]: 'Sign in attempt failed',
+  [UserSecurityAuditLogType.SIGN_IN_2FA_FAIL]: 'Sign in 2FA attempt failed',
 };

packages/lib/next-auth/auth-options.ts

@@ -9,11 +9,12 @@ import type { GoogleProfile } from 'next-auth/providers/google';
 import GoogleProvider from 'next-auth/providers/google';
 
 import { prisma } from '@documenso/prisma';
-import { IdentityProvider } from '@documenso/prisma/client';
+import { IdentityProvider, UserSecurityAuditLogType } from '@documenso/prisma/client';
 
 import { isTwoFactorAuthenticationEnabled } from '../server-only/2fa/is-2fa-availble';
 import { validateTwoFactorAuthentication } from '../server-only/2fa/validate-2fa';
 import { getUserByEmail } from '../server-only/user/get-user-by-email';
+import { extractNextAuthRequestMetadata } from '../universal/extract-request-metadata';
 import { ErrorCode } from './error-codes';
 
 export const NEXT_AUTH_OPTIONS: AuthOptions = {
@@ -35,7 +36,7 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
         },
         backupCode: { label: 'Backup Code', type: 'input', placeholder: 'Two-factor backup code' },
       },
-      authorize: async (credentials, _req) => {
+      authorize: async (credentials, req) => {
         if (!credentials) {
           throw new Error(ErrorCode.CREDENTIALS_NOT_FOUND);
         }
@@ -51,8 +52,18 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
         }
 
         const isPasswordsSame = await compare(password, user.password);
+        const requestMetadata = extractNextAuthRequestMetadata(req);
 
         if (!isPasswordsSame) {
+          await prisma.userSecurityAuditLog.create({
+            data: {
+              userId: user.id,
+              ipAddress: requestMetadata.ipAddress,
+              userAgent: requestMetadata.userAgent,
+              type: UserSecurityAuditLogType.SIGN_IN_FAIL,
+            },
+          });
+
           throw new Error(ErrorCode.INCORRECT_EMAIL_PASSWORD);
         }
 
@@ -62,6 +73,15 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
           const isValid = await validateTwoFactorAuthentication({ backupCode, totpCode, user });
 
           if (!isValid) {
+            await prisma.userSecurityAuditLog.create({
+              data: {
+                userId: user.id,
+                ipAddress: requestMetadata.ipAddress,
+                userAgent: requestMetadata.userAgent,
+                type: UserSecurityAuditLogType.SIGN_IN_2FA_FAIL,
+              },
+            });
+
             throw new Error(
               totpCode
                 ? ErrorCode.INCORRECT_TWO_FACTOR_CODE

packages/lib/universal/extract-request-metadata.ts

@@ -1,5 +1,6 @@
 import type { NextApiRequest } from 'next';
 
+import type { RequestInternal } from 'next-auth';
 import { z } from 'zod';
 
 const ZIpSchema = z.string().ip();
@@ -9,7 +10,7 @@ export type RequestMetadata = {
   userAgent?: string;
 };
 
-export const extractRequestMetadata = (req: NextApiRequest): RequestMetadata => {
+export const extractNextApiRequestMetadata = (req: NextApiRequest): RequestMetadata => {
   const parsedIp = ZIpSchema.safeParse(req.headers['x-forwarded-for'] || req.socket.remoteAddress);
 
   const ipAddress = parsedIp.success ? parsedIp.data : undefined;
@@ -20,3 +21,17 @@ export const extractRequestMetadata = (req: NextApiRequest): RequestMetadata =>
     userAgent,
   };
 };
+
+export const extractNextAuthRequestMetadata = (
+  req: Pick<RequestInternal, 'body' | 'query' | 'headers' | 'method'>,
+): RequestMetadata => {
+  const parsedIp = ZIpSchema.safeParse(req.headers?.['x-forwarded-for']);
+
+  const ipAddress = parsedIp.success ? parsedIp.data : undefined;
+  const userAgent = req.headers?.['user-agent'];
+
+  return {
+    ipAddress,
+    userAgent,
+  };
+};