Merge branch 'main' into feat/disable-access-unverified-users

2025-11-13 08:13:56 +10:00 · 2024-02-07 16:30:22 +11:00
parent 6053a4a40a bf26f2cb9d
commit cad48236a0
283 changed files with 14656 additions and 1399 deletions
--- a/packages/lib/next-auth/auth-options.ts
+++ b/packages/lib/next-auth/auth-options.ts
@ -9,12 +9,13 @@ import type { GoogleProfile } from 'next-auth/providers/google';
 import GoogleProvider from 'next-auth/providers/google';

 import { prisma } from '@documenso/prisma';
-import { IdentityProvider } from '@documenso/prisma/client';
+import { IdentityProvider, UserSecurityAuditLogType } from '@documenso/prisma/client';

 import { isTwoFactorAuthenticationEnabled } from '../server-only/2fa/is-2fa-availble';
 import { validateTwoFactorAuthentication } from '../server-only/2fa/validate-2fa';
 import { getUserByEmail } from '../server-only/user/get-user-by-email';
 import { sendConfirmationToken } from '../server-only/user/send-confirmation-token';
+import { extractNextAuthRequestMetadata } from '../universal/extract-request-metadata';
 import { ErrorCode } from './error-codes';

 export const NEXT_AUTH_OPTIONS: AuthOptions = {
@ -36,7 +37,7 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
        },
        backupCode: { label: 'Backup Code', type: 'input', placeholder: 'Two-factor backup code' },
      },
-      authorize: async (credentials, _req) => {
+      authorize: async (credentials, req) => {
        if (!credentials) {
          throw new Error(ErrorCode.CREDENTIALS_NOT_FOUND);
        }
@ -52,8 +53,18 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
        }

        const isPasswordsSame = await compare(password, user.password);
+        const requestMetadata = extractNextAuthRequestMetadata(req);

        if (!isPasswordsSame) {
+          await prisma.userSecurityAuditLog.create({
+            data: {
+              userId: user.id,
+              ipAddress: requestMetadata.ipAddress,
+              userAgent: requestMetadata.userAgent,
+              type: UserSecurityAuditLogType.SIGN_IN_FAIL,
+            },
+          });
+
          throw new Error(ErrorCode.INCORRECT_EMAIL_PASSWORD);
        }

@ -63,6 +74,15 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
          const isValid = await validateTwoFactorAuthentication({ backupCode, totpCode, user });

          if (!isValid) {
+            await prisma.userSecurityAuditLog.create({
+              data: {
+                userId: user.id,
+                ipAddress: requestMetadata.ipAddress,
+                userAgent: requestMetadata.userAgent,
+                type: UserSecurityAuditLogType.SIGN_IN_2FA_FAIL,
+              },
+            });
+
            throw new Error(
              totpCode
                ? ErrorCode.INCORRECT_TWO_FACTOR_CODE
@ -206,4 +226,5 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
      return true;
    },
  },
+  // Note: `events` are handled in `apps/web/src/pages/api/auth/[...nextauth].ts` to allow access to the request.
 };