From 8fb823c30f7fd3086f4370c2dc6e4e3737ae6acf Mon Sep 17 00:00:00 2001
From: Osama Sayegh <asooomaasoooma90@gmail.com>
Date: Wed, 20 Oct 2021 17:20:39 +0300
Subject: [PATCH] FIX: Make the `verbose_auth_token_logging` setting off by
 default (#14664)

The `generate`, `rotate` and `suspicious` auth token logs are now always logged regardless of the `verbose_auth_token_logging` setting because we rely on these to detect suspicious logins.
---
 app/models/user_auth_token.rb | 68 ++++++++++++++++++++---------------
 config/site_settings.yml      |  2 +-
 2 files changed, 41 insertions(+), 29 deletions(-)

diff --git a/app/models/user_auth_token.rb b/app/models/user_auth_token.rb
index 99dc33978ba..5cb107cf7ac 100644
--- a/app/models/user_auth_token.rb
+++ b/app/models/user_auth_token.rb
@@ -15,17 +15,23 @@ class UserAuthToken < ActiveRecord::Base
   attr_accessor :unhashed_auth_token
 
   before_destroy do
-    UserAuthToken.log(action: 'destroy',
-                      user_auth_token_id: self.id,
-                      user_id: self.user_id,
-                      user_agent: self.user_agent,
-                      client_ip: self.client_ip,
-                      auth_token: self.auth_token)
+    UserAuthToken.log_verbose(
+      action: 'destroy',
+      user_auth_token_id: self.id,
+      user_id: self.user_id,
+      user_agent: self.user_agent,
+      client_ip: self.client_ip,
+      auth_token: self.auth_token,
+    )
   end
 
   def self.log(info)
+    UserAuthTokenLog.create!(info)
+  end
+
+  def self.log_verbose(info)
     if SiteSetting.verbose_auth_token_logging
-      UserAuthTokenLog.create!(info)
+      log(info)
     end
   end
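Review bot: Neither `log` nor `log_verbose` says which one a caller should pick, so the next event added to this model is as likely to end up gated as not. Suggested comments above the two methods: on `log`, `# Always persisted: events needed for suspicious-login detection go here.`, and on `log_verbose`, `# Persisted only when SiteSetting.verbose_auth_token_logging is on (hidden, default false after this change); high-volume or diagnostic events go here.` The `before_destroy` callback now goes through `log_verbose`, so token revocation is no longer recorded by default; if that is intended, the comment should say so, because a destroy entry is what lets an investigator bound a session's lifetime. As a style point, `log_verbose` reduces to the one-liner `log(info) if SiteSetting.verbose_auth_token_logging`.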
 
@@ -78,13 +84,15 @@ class UserAuthToken < ActiveRecord::Base
     )
     user_auth_token.unhashed_auth_token = token
 
-    log(action: 'generate',
-        user_auth_token_id: user_auth_token.id,
-        user_id: user_id,
-        user_agent: user_agent,
-        client_ip: client_ip,
-        path: path,
-        auth_token: hashed_token)
+    log(
+      action: 'generate',
+      user_auth_token_id: user_auth_token.id,
+      user_id: user_id,
+      user_agent: user_agent,
+      client_ip: client_ip,
+      path: path,
+      auth_token: hashed_token,
+    )
 
     if staff && !impersonate
       Jobs.enqueue(:suspicious_login,
@@ -108,12 +116,14 @@ class UserAuthToken < ActiveRecord::Base
 
     if !user_token
 
-      log(action: "miss token",
-          user_id: user_token&.user_id,
-          auth_token: token,
-          user_agent: opts && opts[:user_agent],
-          path: opts && opts[:path],
-          client_ip: opts && opts[:client_ip])
+      log_verbose(
+        action: "miss token",
+        user_id: nil,
+        auth_token: token,
+        user_agent: opts && opts[:user_agent],
+        path: opts && opts[:path],
+        client_ip: opts && opts[:client_ip],
+      )
 
       return nil
     end
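Review bot: The `miss token` entry is now written through `log_verbose`, so a presented token that matches no stored row is recorded only when the hidden `verbose_auth_token_logging` setting is enabled, which the second file of this patch turns off by default. That is exactly the kind of anomaly a defender wants when investigating session-cookie misuse, and the commit message says these logs exist for suspicious-login detection, so it looks like a candidate for plain `log`, or at least for a comment recording why it is treated as verbose. The same question applies to the `prev seen token` entry in the next hunk and the `seen wrong token` branch in the one after; `seen token` itself is per-request volume and is reasonably gated. The enclosing method starts and ends outside this hunk.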
@@ -126,7 +136,7 @@ class UserAuthToken < ActiveRecord::Base
 
       # not updating AR model cause we want to give it one more req
       # with wrong cookie
-      UserAuthToken.log(
+      UserAuthToken.log_verbose(
         action: changed_rows == 0 ? "prev seen token unchanged" : "prev seen token",
         user_auth_token_id: user_token.id,
         user_id: user_token.user_id,
@@ -149,13 +159,15 @@ class UserAuthToken < ActiveRecord::Base
         user_token.seen_at = Time.zone.now
       end
 
-      log(action: changed_rows == 0 ? "seen wrong token" : "seen token",
-          user_auth_token_id: user_token.id,
-          user_id: user_token.user_id,
-          auth_token: user_token.auth_token,
-          user_agent: opts && opts[:user_agent],
-          path: opts && opts[:path],
-          client_ip: opts && opts[:client_ip])
+      log_verbose(
+        action: changed_rows == 0 ? "seen wrong token" : "seen token",
+        user_auth_token_id: user_token.id,
+        user_id: user_token.user_id,
+        auth_token: user_token.auth_token,
+        user_agent: opts && opts[:user_agent],
+        path: opts && opts[:path],
+        client_ip: opts && opts[:client_ip],
+      )
     end
 
     user_token
diff --git a/config/site_settings.yml b/config/site_settings.yml
index 7fb7f101eb5..107c4b91d48 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -465,7 +465,7 @@ login:
     default: false
   verbose_auth_token_logging:
     hidden: true
-    default: true
+    default: false
   max_suspicious_distance_km:
     hidden: true
     default: 500