Merge #2818

2818: Improve auth-related logging r=mergify[bot] a=nextgens ## What type of PR? enhancement ## What does this PR do? Improve auth-related logging ### Related issue(s) - closes #2803 ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [ ] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. Co-authored-by: Florent Daigniere <nextgens@freenetproject.org> Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
2025-11-01 10:37:49 +00:00 · 2023-05-30 09:01:42 +00:00
parent b6c093dfd6 c68f4d93cf
commit 589c426601
11 changed files with 53 additions and 23 deletions
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -28,23 +28,26 @@ STATUSES = {

 WEBMAIL_PORTS = ['14190', '10143', '10025']

-def check_credentials(user, password, ip, protocol=None, auth_port=None):
+def check_credentials(user, password, ip, protocol=None, auth_port=None, source_port=None):
    if not user or not user.enabled or (protocol == "imap" and not user.enable_imap and not auth_port in WEBMAIL_PORTS) or (protocol == "pop3" and not user.enable_pop):
+        app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: account disabled')
        return False
-    is_ok = False
    # webmails
    if auth_port in WEBMAIL_PORTS and password.startswith('token-'):
        if utils.verify_temp_token(user.get_id(), password):
-            is_ok = True
-    if not is_ok and utils.is_app_token(password):
+            app.logger.debug(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: webmail-token')
+            return True
+    if utils.is_app_token(password):
        for token in user.tokens:
            if (token.check_password(password) and
                (not token.ip or token.ip == ip)):
-                    is_ok = True
-                    break
-    if not is_ok and user.check_password(password):
-        is_ok = True
-    return is_ok
+                    app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: token-{token.id}: {token.comment or ""!r}')
+                    return True
+    if user.check_password(password):
+        app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: password')
+        return True
+    app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: badauth: {utils.truncated_pw_hash(password)}')
+    return False

 def handle_authentication(headers):
    """ Handle an HTTP nginx authentication request
@@ -101,7 +104,7 @@ def handle_authentication(headers):
            else:
                is_valid_user = user is not None
                ip = urllib.parse.unquote(headers["Client-Ip"])
-                if check_credentials(user, password, ip, protocol, headers["Auth-Port"]):
+                if check_credentials(user, password, ip, protocol, headers["Auth-Port"], headers['Client-Port']):
                    server, port = get_server(headers["Auth-Protocol"], True)
                    return {
                        "Auth-Status": "OK",