auth: Log details of authentication attempts.

These details are useful to log. This only makes sense for some auth backends, namely email and ldap backends, because other backends are "external" in the sense that they happen at some external provider's server (Google, SAML IdP etc.) so the failure also happens there and we don't get useful information about what happened.
2021-09-01 20:17:33 +02:00 · 2021-09-01 20:17:33 +02:00 · a4e77d514b
parent 5d54cd1041
commit a4e77d514b
2 changed files with 27 additions and 0 deletions
--- a/zproject/backends.py
+++ b/zproject/backends.py
@ -294,6 +294,30 @@ def rate_limit_auth(auth_func: AuthFuncT, *args: Any, **kwargs: Any) -> Optional
    return result


+@decorator
+def log_auth_attempts(auth_func: AuthFuncT, *args: Any, **kwargs: Any) -> Optional[UserProfile]:
+    result = auth_func(*args, **kwargs)
+
+    backend_instance = args[0]
+    request = args[1]
+    username = kwargs["username"]
+    realm = kwargs["realm"]
+    return_data = kwargs["return_data"]
+
+    ip_addr = request.META.get("REMOTE_ADDR")
+    outcome = "success" if result is not None else "failed"
+    backend_instance.logger.info(
+        "Authentication attempt from %s: subdomain=%s;username=%s;outcome=%s;return_data=%s",
+        ip_addr,
+        realm.subdomain,
+        username,
+        outcome,
+        return_data,
+    )
+
+    return result
+
+
 class ZulipAuthMixin:
    """This common mixin is used to override Django's default behavior for
    looking up a logged-in user by ID to use a version that fetches
@ -371,6 +395,7 @@ class EmailAuthBackend(ZulipAuthMixin):
    name = "email"

    @rate_limit_auth
+    @log_auth_attempts
    def authenticate(
        self,
        request: HttpRequest,
@ -779,6 +804,7 @@ class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
    REALM_IS_NONE_ERROR = 1

    @rate_limit_auth
+    @log_auth_attempts
    def authenticate(
        self,
        request: Optional[HttpRequest] = None,
--- a/zproject/test_extra_settings.py
+++ b/zproject/test_extra_settings.py
@ -136,6 +136,7 @@ if not PUPPETEER_TESTS:

    set_loglevel("zulip.requests", "CRITICAL")
    set_loglevel("zulip.management", "CRITICAL")
+    set_loglevel("zulip.auth", "WARNING")
    set_loglevel("django.request", "ERROR")
    set_loglevel("django_auth_ldap", "WARNING")
    set_loglevel("fakeldap", "ERROR")