Improve auth-related logging

2025-11-02 11:08:01 +00:00 · 2023-05-04 00:14:44 +02:00
parent f2435f6964
commit 6ee913502e
11 changed files with 52 additions and 22 deletions
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -27,23 +27,26 @@ STATUSES = {

 WEBMAIL_PORTS = ['10143', '10025']

-def check_credentials(user, password, ip, protocol=None, auth_port=None):
+def check_credentials(user, password, ip, protocol=None, auth_port=None, source_port=None):
    if not user or not user.enabled or (protocol == "imap" and not user.enable_imap and not auth_port in WEBMAIL_PORTS) or (protocol == "pop3" and not user.enable_pop):
+        app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: accound disabled')
        return False
-    is_ok = False
    # webmails
    if auth_port in WEBMAIL_PORTS and password.startswith('token-'):
        if utils.verify_temp_token(user.get_id(), password):
-            is_ok = True
-    if not is_ok and utils.is_app_token(password):
+            app.logger.debug(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: webmail-token')
+            return True
+    if utils.is_app_token(password):
        for token in user.tokens:
            if (token.check_password(password) and
                (not token.ip or token.ip == ip)):
-                    is_ok = True
-                    break
-    if not is_ok and user.check_password(password):
-        is_ok = True
-    return is_ok
+                    app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: token-{token.id}')
+                    return True
+    if user.check_password(password):
+        app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: password')
+        return True
+    app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: badauth: {utils.truncated_pw_hash(password)}')
+    return False

 def handle_authentication(headers):
    """ Handle an HTTP nginx authentication request
@@ -100,7 +103,7 @@ def handle_authentication(headers):
            else:
                is_valid_user = user is not None
                ip = urllib.parse.unquote(headers["Client-Ip"])
-                if check_credentials(user, password, ip, protocol, headers["Auth-Port"]):
+                if check_credentials(user, password, ip, protocol, headers["Auth-Port"], headers['Client-Port']):
                    server, port = get_server(headers["Auth-Protocol"], True)
                    return {
                        "Auth-Status": "OK",