
Add user login and select organization audit logs

Open carlosmonastyrski opened this issue 1 month ago • 2 comments

Description 📣

This PR adds audit logging for organization selection and SSO login methods (SAML, OIDC, LDAP, OAuth) to improve security tracking and compliance monitoring

Type ✨

  • [ ] Bug fix
  • [ ] New feature
  • [ ] Improvement
  • [ ] Breaking change
  • [ ] Documentation

Tests 🛠️

# Here's some code block to paste some code snippets

carlosmonastyrski (Nov 14 '25 00:11)

:white_check_mark: Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| :white_check_mark: | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

:computer: Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

maidul98 (Nov 14 '25 00:11)

Greptile Overview

Greptile Summary

This PR adds audit logging for user authentication events to improve security tracking and compliance monitoring.

Key Changes:

  • Added USER_LOGIN event type to track SSO logins (SAML, OIDC, LDAP, OAuth) and email/password authentication
  • Added USER_SELECT_ORGANIZATION event type to track when users switch organizations
  • Implemented audit logging in three locations: login(), oauth2TokenExchange(), and selectOrganization() functions

Issues Found:

  • organizationName metadata field is inconsistent across events - included in USER_SELECT_ORGANIZATION but missing in some USER_LOGIN events despite having access to organizationId
  • The audit log records properly capture authentication attempts with relevant context (IP, user agent, auth method)

Confidence Score: 4/5

  • Safe to merge with minor metadata consistency improvements recommended
  • The implementation correctly adds audit logging for authentication events without introducing security vulnerabilities. The type definitions are well-structured and the audit logs capture critical security information (IP addresses, user agents, auth methods). Minor inconsistencies in metadata field population (organizationName) reduce the score from 5 to 4, but these don't affect functionality or security.
  • Pay attention to backend/src/services/auth/auth-login-service.ts - ensure metadata consistency by adding organizationName where organizationId is present

Important Files Changed

File Analysis

| Filename | Score | Overview |
|---|---|---|
| backend/src/ee/services/audit-log/audit-log-types.ts | 5/5 | Added two new event types (USER_LOGIN, USER_SELECT_ORGANIZATION) with well-defined metadata interfaces |
| backend/src/services/auth/auth-login-service.ts | 4/5 | Implemented audit logging for login events in three locations (login, selectOrganization, oauth2TokenExchange), minor metadata inconsistencies noted |

Sequence Diagram

```mermaid
sequenceDiagram
    participant User
    participant AuthService as Auth Login Service
    participant OrgDAL as Organization DAL
    participant AuditLogService as Audit Log Service

    alt Email/Password Login
        User->>AuthService: login(email, password, ip, userAgent)
        AuthService->>AuthService: validateCredentials()
        AuthService->>AuthService: generateUserTokens()
        opt organizationId present
            AuthService->>AuditLogService: createAuditLog(USER_LOGIN)
            Note over AuditLogService: Logs email, userAgent,<br/>ipAddress, authMethod
        end
        AuthService-->>User: return tokens
    end

    alt OAuth2 Token Exchange (SAML/OIDC/LDAP)
        User->>AuthService: oauth2TokenExchange(providerAuthToken)
        AuthService->>AuthService: validateProviderAuthToken()
        AuthService->>AuthService: generateUserTokens()
        opt organizationId present
            AuthService->>AuditLogService: createAuditLog(USER_LOGIN)
            Note over AuditLogService: Logs email, userAgent,<br/>ipAddress, authMethod,<br/>organizationId, authProvider
        end
        AuthService-->>User: return token
    end

    alt Organization Selection
        User->>AuthService: selectOrganization(organizationId)
        AuthService->>OrgDAL: findById(organizationId)
        OrgDAL-->>AuthService: return organization
        AuthService->>AuthService: generateNewTokens()
        AuthService->>AuditLogService: createAuditLog(USER_SELECT_ORGANIZATION)
        Note over AuditLogService: Logs email, userAgent,<br/>ipAddress, organizationId,<br/>organizationName, authMethod
        AuthService-->>User: return tokens with org context
    end
```

greptile-apps[bot] (Nov 14 '25 00:11)
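The metadata-consistency point in the review above (organizationName missing where organizationId is present), as an added TypeScript example that is not Infisical's own code: the record and metadata shapes, the lookup map and the sample records are hypothetical stand-ins modelled on the event names and fields the PR describes.

```typescript
// Added example (not from the Infisical code base): hypothetical shapes modelled on
// the USER_LOGIN / USER_SELECT_ORGANIZATION events this PR introduces, a check for
// the organizationName/organizationId consistency point raised in review, and the
// enrichment step that would resolve it before the record is written.

type AuthMethod = "email" | "saml" | "oidc" | "ldap" | "oauth";

interface LoginAuditMetadata {
  email: string;
  authMethod: AuthMethod;
  organizationId?: string;
  organizationName?: string; // reviewer's point: should be set whenever organizationId is
  authProvider?: string;
}

interface AuthAuditRecord {
  type: "USER_LOGIN" | "USER_SELECT_ORGANIZATION";
  ipAddress: string;
  userAgent: string;
  metadata: LoginAuditMetadata;
}

// Hypothetical stand-in for an organization lookup (the page's OrgDAL.findById).
const ORG_NAMES: Record<string, string> = { org_123: "Acme Corp" };

// Returns the indices of records that carry organizationId but no organizationName.
function findInconsistentRecords(records: AuthAuditRecord[]): number[] {
  return records
    .map((r, i) => (r.metadata.organizationId && !r.metadata.organizationName ? i : -1))
    .filter((i) => i >= 0);
}

// Fills organizationName from the lookup where organizationId is present; records
// that already have a name, have no id, or reference an unknown id are returned as-is.
function withOrganizationName(record: AuthAuditRecord, orgNames = ORG_NAMES): AuthAuditRecord {
  const { organizationId, organizationName } = record.metadata;
  if (!organizationId || organizationName) return record;
  const name = orgNames[organizationId];
  if (!name) return record;
  return { ...record, metadata: { ...record.metadata, organizationName: name } };
}

// Constructed sample records mirroring the sequence diagram: an SSO login that has the
// org id but no name, followed by an org selection that carries both.
const SAMPLE_RECORDS: AuthAuditRecord[] = [
  { type: "USER_LOGIN", ipAddress: "203.0.113.5", userAgent: "Mozilla/5.0",
    metadata: { email: "alice@example.com", authMethod: "saml", organizationId: "org_123", authProvider: "example-idp" } },
  { type: "USER_SELECT_ORGANIZATION", ipAddress: "203.0.113.5", userAgent: "Mozilla/5.0",
    metadata: { email: "alice@example.com", authMethod: "saml", organizationId: "org_123", organizationName: "Acme Corp" } },
];

const NORMALIZED_RECORDS = SAMPLE_RECORDS.map((r) => withOrganizationName(r));
```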