From 65f5efb83f598da4ee48e6695ffd88c7317c1f67 Mon Sep 17 00:00:00 2001
From: Arnaud AMBROSELLI
Date: Mon, 20 Nov 2023 16:38:15 +0100
Subject: [PATCH 1/2] feat: more user logs

---
 api/src/controllers/organisation.js | 8 +++++++
 api/src/controllers/user.js | 37 ++++++++++++++++++++++++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/api/src/controllers/organisation.js b/api/src/controllers/organisation.js
index 04b91b85c..d6cf23e5e 100644
--- a/api/src/controllers/organisation.js
+++ b/api/src/controllers/organisation.js
@@ -22,6 +22,7 @@ const {
 Report,
 User,
 TerritoryObservation,
+ UserLog,
 } = require("../db/sequelize");
 const mailservice = require("../utils/mailservice");
 const validateUser = require("../middleware/validateUser");
@@ -363,6 +364,13 @@ router.delete(
 error.status = 400;
 return next(error);
 }
+ UserLog.create({
+ organisation: req.user.organisation,
+ user: req.user._id,
+ platform: req.headers.platform === "android" ? "app" : req.headers.platform === "dashboard" ? "dashboard" : "unknown",
+ action: `delete-organisation-${req.params._id}`,
+ });
+
 // Super admin can delete any organisation. Admin can delete only their organisation.
 const canDelete = req.user.role === "superadmin" || (req.user.role === "admin" && req.user.organisation === req.params._id);
 if (!canDelete) return res.status(403).send({ ok: false, error: "Forbidden" });
diff --git a/api/src/controllers/user.js b/api/src/controllers/user.js
index 4383186b7..a185568a2 100644
--- a/api/src/controllers/user.js
+++ b/api/src/controllers/user.js
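Review bot: The `UserLog.create` call sits above the `canDelete` check, so a request that the `if (!canDelete)` line refuses with 403 is recorded as `delete-organisation-<id>` exactly like a permitted one, and the deletion itself (outside the hunk) has not happened yet at that point either. Moving the call below the check, or naming the action `delete-organisation-attempt`, keeps the log honest about what occurred. The call also presumably returns a promise (the models come from `../db/sequelize` and are awaited elsewhere in the series) that is neither awaited nor given a `.catch`, so a failed insert escapes `catchErrors` as an unhandled rejection; `await UserLog.create({ ... })` is the minimal fix. Both points apply to every `UserLog.create` added in this series (user.js hunks at -267, -314, -361 and -694), and the platform ternary copied into each of them could be a single helper, e.g. `const platform = platformFromHeaders(req.headers);`. The router.delete handler continues outside the hunk.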
@@ -267,6 +267,13 @@ router.post(
 error.status = 400;
 return next(error);
 }
+
+ UserLog.create({
+ user: email,
+ platform: req.headers.platform === "android" ? "app" : req.headers.platform === "dashboard" ? "dashboard" : "unknown",
+ action: "forgot-password",
+ });
+
 if (!email) return res.status(403).send({ ok: false, error: "Veuillez fournir un email", code: EMAIL_OR_PASSWORD_INVALID });
 const user = await User.findOne({ where: { email } });
 
@@ -314,7 +321,20 @@ router.post(
 if (!validatePassword(password)) return res.status(400).send({ ok: false, error: passwordCheckError, code: PASSWORD_NOT_VALIDATED });
 const user = await User.findOne({ where: { forgotPasswordResetToken: token, forgotPasswordResetExpires: { [Op.gte]: new Date() } } });
 
- if (!user) return res.status(400).send({ ok: false, error: "Le lien est non valide ou expiré" });
+ if (!user) {
+ UserLog.create({
+ user: token,
+ platform: req.headers.platform === "android" ? "app" : req.headers.platform === "dashboard" ? "dashboard" : "unknown",
+ action: "forgot-password-reset-failed",
+ });
+ return res.status(400).send({ ok: false, error: "Le lien est non valide ou expiré" });
+ }
+ UserLog.create({
+ organisation: user.organisation,
+ user: user.id,
+ platform: req.headers.platform === "android" ? "app" : req.headers.platform === "dashboard" ? "dashboard" : "unknown",
+ action: "forgot-password-reset",
+ });
 user.set({
 password: password,
 forgotPasswordResetToken: null,
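Review bot: The log entry is written before the `if (!email)` guard that follows it, so a request that guard rejects with 403 still produces a `forgot-password` entry, and the same ordering survives the second patch in this series. Placing the `UserLog.create` after the guard, or after the `User.findOne({ where: { email } })` on the next line so the entry can carry the account id when one exists, would make each entry correspond to a real lookup. The forgot_password handler continues outside the hunk.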
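Review bot: The `forgot-password-reset` entry is created before `user.set(...)` and before whatever persists that change below the hunk, so a reset whose save fails is still logged as completed; moving that `UserLog.create` after the save (and awaiting it) records only resets that actually happened. The failed branch stores the submitted token in the `user` field, which the second patch in this series reworks, so only the success path is raised here. The reset handler starts and ends outside the hunk.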
@@ -361,6 +381,13 @@ router.post(
 forgotPasswordResetExpires: new Date(Date.now() + 60 * 60 * 24 * 30 * 1000), // 30 days
 };
 
+ UserLog.create({
+ organisation: req.user.organisation,
+ user: req.user.id,
+ platform: req.headers.platform === "android" ? "app" : req.headers.platform === "dashboard" ? "dashboard" : "unknown",
+ action: `create-user-${sanitizeAll(email.trim().toLowerCase())}`,
+ });
+
 const prevUser = await User.findOne({ where: { email: newUser.email } });
 if (prevUser) return res.status(400).send({ ok: false, error: "Un utilisateur existe déjà avec cet email" });
 
@@ -694,6 +721,14 @@ router.delete(
 }
 
 const userId = req.params._id;
+
+ UserLog.create({
+ organisation: req.user.organisation,
+ user: req.user._id,
+ platform: req.headers.platform === "android" ? "app" : req.headers.platform === "dashboard" ? "dashboard" : "unknown",
+ action: `delete-user-${userId}`,
+ });
+
 const query = { where: { _id: userId, organisation: req.user.organisation } };
 let user = await User.findOne(query);
 

From 3358e96486ea501d8f0b62716ec0cf85faacc5e5 Mon Sep 17 00:00:00 2001
From: Arnaud AMBROSELLI
Date: Mon, 20 Nov 2023 17:14:07 +0100
Subject: [PATCH 2/2] fix: stuff

---
 api/src/controllers/user.js | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/api/src/controllers/user.js b/api/src/controllers/user.js
index a185568a2..3ef42b8e9 100644
--- a/api/src/controllers/user.js
+++ b/api/src/controllers/user.js
@@ -257,7 +260,10 @@ router.get(
 
 router.post(
 "/forgot_password",
- catchErrors(async ({ body: { email } }, res) => {
+ catchErrors(async (req, res) => {
+ const {
+ body: { email },
+ } = req;
 try {
 z.string()
 .email()
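Review bot: `user: req.user.id` here differs from the `req.user._id` used by the other new log calls (the organisation.js hunk and the delete handler at -694), and that delete handler queries users with `where: { _id: userId }`, so one of the two spellings is probably `undefined` and yields entries with no actor; confirm against the User model and use the same field in every call. The entry is also created before the `prevUser` check and the actual insert below the hunk, so a request refused with "Un utilisateur existe déjà avec cet email" is still logged as `create-user-<email>`; logging after the insert succeeds, or naming the action `create-user-attempt-…`, avoids that. The create handler continues outside the hunk.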
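Review bot: The three-line nested destructuring `const { body: { email } } = req;` reads more simply as the one-liner `const { email } = req.body;`, which is a style point only. Widening the parameter from the destructured body to `req` is what makes the `req.headers` read further down the handler possible, so that part of the change is needed. The forgot_password handler continues outside the hunk.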
@@ -269,9 +272,8 @@ router.post(
 }
 
 UserLog.create({
- user: email,
 platform: req.headers.platform === "android" ? "app" : req.headers.platform === "dashboard" ? "dashboard" : "unknown",
- action: "forgot-password",
+ action: `forgot-password-${email}`,
 });
 
 if (!email) return res.status(403).send({ ok: false, error: "Veuillez fournir un email", code: EMAIL_OR_PASSWORD_INVALID });
@@ -323,9 +325,8 @@ router.post(
 
 if (!user) {
 UserLog.create({
- user: token,
 platform: req.headers.platform === "android" ? "app" : req.headers.platform === "dashboard" ? "dashboard" : "unknown",
- action: "forgot-password-reset-failed",
+ action: `forgot-password-reset-failed-${token}`,
 });
 return res.status(400).send({ ok: false, error: "Le lien est non valide ou expiré" });
 }
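Review bot: With `user: email` dropped, the entry no longer carries any account reference, and the address itself now lives in the free-text `action` column as `forgot-password-<email>`, i.e. personal data in a field that presumably is not handled as such when logs are read or retained. Since `User.findOne({ where: { email } })` runs just below the `if (!email)` guard, the create could move after that lookup and set `user` from the found record (using whichever id field the User model exposes) while keeping `action: "forgot-password"`, which gives the join without duplicating the address. The forgot_password handler continues outside the hunk.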
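Review bot: `forgot-password-reset-failed-${token}` writes the token from the request body into the log verbatim; it is caller-controlled and unbounded, and nothing here distinguishes a garbage value from a genuine token submitted just after expiry, so real token values end up persisted in a table with a different audience than `forgotPasswordResetToken`. The create-user hunk in the first patch runs `sanitizeAll` on the email before interpolating it, while the token is interpolated raw. Storing a truncated digest instead, e.g. `action: \`forgot-password-reset-failed-${createHash("sha256").update(String(token)).digest("hex").slice(0, 12)}\`` (with `createHash` from `node:crypto`, which the file does not visibly import yet), keeps the correlation value without persisting the secret or overrunning the column. The reset handler starts and ends outside the hunk.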