diff --git a/backend/src/app/auth/oidc.clj b/backend/src/app/auth/oidc.clj
index a8434a23a..69f7eb7d0 100644
--- a/backend/src/app/auth/oidc.clj
+++ b/backend/src/app/auth/oidc.clj
@@ -32,6 +32,7 @@
    [clojure.spec.alpha :as s]
    [cuerdas.core :as str]
    [integrant.core :as ig]
+   [ring.request :as rreq]
    [ring.response :as-alias rres]))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -470,6 +471,9 @@
         (some? (:invitation-token state))
         (assoc :invitation-token (:invitation-token state))
 
+        (some? (:external-session-id state))
+        (assoc :external-session-id (:external-session-id state))
+
         ;; If state token comes with props, merge them. The state token
         ;; props can contain pm_ and utm_ prefixed query params.
         (map? (:props state))
@@ -554,19 +558,22 @@
             (redirect-to-register cfg info request))
 
             :else
-            (let [sxf   (session/create-fn cfg (:id profile))
-                  token (or (:invitation-token info)
-                            (tokens/generate (::setup/props cfg)
-                                             {:iss :auth
-                                              :exp (dt/in-future "15m")
-                                              :props (:props info)
-                                              :profile-id (:id profile)}))]
+            (let [sxf     (session/create-fn cfg (:id profile))
+                  token   (or (:invitation-token info)
+                              (tokens/generate (::setup/props cfg)
+                                               {:iss :auth
+                                                :exp (dt/in-future "15m")
+                                                :props (:props info)
+                                                :profile-id (:id profile)}))
+                  props   (audit/profile->props profile)
+                  context (d/without-nils {:external-session-id (:external-session-id info)})]
              (audit/submit! cfg
                             {::audit/type "command"
                              ::audit/name "login-with-oidc"
                              ::audit/profile-id (:id profile)
                              ::audit/ip-addr (audit/parse-client-ip request)
-                             ::audit/props (audit/profile->props profile)})
+                             ::audit/props props
+                             ::audit/context context})
              (->> (redirect-to-verify-token token)
                   (sxf request))))
 
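Review bot: The seven removed `let` lines and the first seven added ones in the `@@ -554` hunk (`sxf` through `:profile-id`) differ only in alignment; the substantive change is the two new bindings `props` and `context` plus the two `::audit/` lines below. Re-aligning unchanged bindings to the longer `context` name is fine, but it makes the hunk read as a rewrite of the token generation, so either keeping the old alignment or splitting the whitespace-only part out would keep review focused on the audit change. `info` and `profile` are bound outside the hunk; the `:external-session-id` read here comes from the decoded state token (hunk at line 471), i.e. the value the browser sent when the flow started, not anything taken from the callback request.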
@@ -588,9 +595,11 @@
 (defn- auth-handler
   [cfg {:keys [params] :as request}]
   (let [props (audit/extract-utm-params params)
+        esid  (rreq/get-header request "x-external-session-id")
         state (tokens/generate (::setup/props cfg)
                                {:iss :oauth
                                 :invitation-token (:invitation-token params)
+                                :external-session-id esid
                                 :props props
                                 :exp (dt/in-future "4h")})
         uri   (build-auth-uri cfg state)]
diff --git a/backend/src/app/loggers/audit.clj b/backend/src/app/loggers/audit.clj
index d66620e53..08167da87 100644
--- a/backend/src/app/loggers/audit.clj
+++ b/backend/src/app/loggers/audit.clj
@@ -86,6 +86,13 @@
               (remove #(contains? reserved-props (key %))))
         props))
 
+(defn params->context
+  "Extract default context properties from RPC params object"
+  [params]
+  (d/without-nils
+   {:external-session-id (::rpc/external-session-id params)
+    :triggered-by (::rpc/handler-name params)}))
+
 ;; --- SPECS
 
 
diff --git a/backend/src/app/rpc.clj b/backend/src/app/rpc.clj
index 2ea8e8f14..b4acb2ea3 100644
--- a/backend/src/app/rpc.clj
+++ b/backend/src/app/rpc.clj
@@ -82,6 +82,7 @@
 
         session-id (rreq/get-header request "x-external-session-id")
         data       (-> params
+                       (assoc ::handler-name handler-name)
                        (assoc ::request-at (dt/now))
                        (assoc ::external-session-id session-id)
                        (assoc ::session/id (::session/id request))
diff --git a/backend/src/app/rpc/commands/management.clj b/backend/src/app/rpc/commands/management.clj
index ef36b85d5..bf7883175 100644
--- a/backend/src/app/rpc/commands/management.clj
+++ b/backend/src/app/rpc/commands/management.clj
@@ -398,7 +398,7 @@
 ;; --- COMMAND: Clone Template
 
 (defn- clone-template
-  [cfg {:keys [project-id ::rpc/profile-id ::rpc/external-session-id] :as params} template]
+  [cfg {:keys [project-id ::rpc/profile-id] :as params} template]
   (db/tx-run! cfg (fn [{:keys [::db/conn ::wrk/executor] :as cfg}]
                     ;; NOTE: the importation process performs some operations that
                     ;; are not very friendly with virtual threads, and for avoid
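Review bot: `esid` is copied verbatim from the client-controlled `x-external-session-id` header into the signed state token (`:external-session-id esid`) with no check on its shape or length, and the callback side then persists it in the audit context, so an arbitrarily long or malformed value is accepted and stored and it also inflates the 4h token. The same header is read the same way in the rpc.clj hunk (the `session-id` context line above the added `::handler-name` assoc) and forwarded by `params->context`, so one shared validation — e.g. `esid (some-> (rreq/get-header request "x-external-session-id") not-empty)` plus a spec bounding length/format to whatever `cf/external-session-id` produces on the frontend — would cover both paths. If the state token payload has a spec, it is outside the diff and would need the new key as well.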
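Review bot: `params->context` moves `:triggered-by` from `::audit/props` into the context and replaces the literal `"clone-template"` (removed in management.clj) with `(::rpc/handler-name params)`, whose type depends on how rpc.clj binds `handler-name` outside the diff; any consumer that reads `triggered-by` from the props column will stop seeing it. The docstring could also say when the keys are absent, since `d/without-nils` drops them silently: `"Build the default audit context from RPC params. Both keys are omitted when the params did not pass through the RPC dispatcher (no ::rpc/* keys present)."`. The `::rpc` alias and `d/without-nils` are used here without a visible require; the ns form is outside the hunk.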
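Review bot: `handler-name` is not bound in this hunk; if it is derived from the request path rather than the resolved method, the value written into every audit event's `:triggered-by` via `params->context` is client-chosen text, so it is worth confirming it is the canonical method identifier. The new `::handler-name` key now travels inside `params` to `audit/clean-props` in the management.clj hunk at line 413 and the teams.clj hunk at line 784; `reserved-props` is not in the diff, so confirm it (or a namespace-based filter) strips this key, otherwise it will appear in `::audit/props` as well as in the context.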
@@ -413,9 +413,8 @@
                      {:modified-at (dt/now)}
                      {:id project-id})
 
-          (let [props   (-> (audit/clean-props params)
-                            (assoc :triggered-by "clone-template"))
-                context {:external-session-id external-session-id}]
+          (let [props   (audit/clean-props params)
+                context (audit/params->context params)]
             (doseq [file-id result]
               (audit/submit! cfg
                              {::audit/type "action"
diff --git a/backend/src/app/rpc/commands/teams.clj b/backend/src/app/rpc/commands/teams.clj
index 8eb41386f..ed018fa8e 100644
--- a/backend/src/app/rpc/commands/teams.clj
+++ b/backend/src/app/rpc/commands/teams.clj
@@ -763,6 +763,7 @@
                   {:id (:id member)}))
           nil)
 
+
         (let [id         (uuid/next)
               expire     (dt/in-future "168h") ;; 7 days
               invitation (db/exec-one! conn [sql:upsert-team-invitation id
@@ -783,14 +784,19 @@
         (when (contains? cf/flags :log-invitation-tokens)
           (l/info :hint "invitation token" :token itoken))
 
-        (audit/submit! cfg
-                       {::audit/type "action"
-                        ::audit/name (if updated?
-                                       "update-team-invitation"
-                                       "create-team-invitation")
-                        ::audit/profile-id (:id profile)
-                        ::audit/props (-> (dissoc tprops :profile-id)
-                                          (d/without-nils))})
+
+        (let [props   (-> (dissoc tprops :profile-id)
+                          (audit/clean-props))
+              context (audit/params->context params)]
+
+          (audit/submit! cfg
+                         {::audit/type "action"
+                          ::audit/name (if updated?
+                                         "update-team-invitation"
+                                         "create-team-invitation")
+                          ::audit/profile-id (:id profile)
+                          ::audit/props props
+                          ::audit/context context}))
 
         (eml/send! {::eml/conn conn
                     ::eml/factory eml/invite-to-team
@@ -850,10 +856,11 @@
                   ;; We don't re-send inviation to already existing members
                   (remove (partial contains? members))
                   (map (fn [email]
-                         {:email email
-                          :team team
-                          :profile profile
-                          :role role}))
+                         (-> params
+                             (assoc :email email)
+                             (assoc :team team)
+                             (assoc :profile profile)
+                             (assoc :role role))))
                   (keep (partial create-invitation cfg)))
             emails)]
     (with-meta {:total (count invitations)
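Review bot: `(audit/params->context params)` in the `@@ -783` hunk only yields a non-empty context when `params` is the RPC params map carrying `::rpc/external-session-id` and `::rpc/handler-name`; a caller that still passes the old bare `{:email :team :profile :role}` map gets an empty context silently, because `d/without-nils` drops the missing keys. `create-invitation`'s signature and docstring are outside the hunk; a docstring line such as `;; params: the RPC params map (with its ::rpc/* keys) extended with :email, :team, :profile and :role` would pin the new contract. The props pipeline also changed from `d/without-nils` to `audit/clean-props`; whether clean-props removes nil values too is not visible here, so confirm it before nil-valued keys start landing in `::audit/props`.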
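Review bot: The invitation map is assembled by hand with the same four `assoc`s here (`@@ -850`) and again in the hunk at line 899 of this file, differing only in key order. A small helper such as `(defn- invitation-params [params team profile email role] (assoc params :team team :profile profile :email email :role role))` used at both sites would keep them from drifting. Note the map passed to `create-invitation` now carries the caller's whole RPC params (including its `:emails` list and `::rpc/*` keys) rather than just the four fields; that is what `params->context` needs, but it also means `create-invitation` should not forward `params` wholesale anywhere else.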
@@ -879,9 +886,11 @@
     (let [features (-> (cfeat/get-enabled-features cf/flags)
                        (cfeat/check-client-features! (:features params)))
 
-          params   (assoc params
-                          :profile-id profile-id
-                          :features features)
+
+          params   (-> params
+                       (assoc :profile-id profile-id)
+                       (assoc :features features))
+
           cfg      (assoc cfg ::db/conn conn)
           team     (create-team cfg params)
           profile  (db/get-by-id conn :profile profile-id)
@@ -890,10 +899,11 @@
       ;; Create invitations for all provided emails.
       (->> emails
            (map (fn [email]
-                  {:team team
-                   :profile profile
-                   :email email
-                   :role role}))
+                  (-> params
+                      (assoc :team team)
+                      (assoc :profile profile)
+                      (assoc :email email)
+                      (assoc :role role))))
            (run! (partial create-invitation cfg)))
 
       (run! (partial quotes/check-quote! conn)
diff --git a/frontend/src/app/main/repo.cljs b/frontend/src/app/main/repo.cljs
index b6ff8dc1e..7d9bee599 100644
--- a/frontend/src/app/main/repo.cljs
+++ b/frontend/src/app/main/repo.cljs
@@ -137,6 +137,7 @@
     (->> (http/send! {:method :post
                       :uri uri
                       :credentials "include"
+                      :headers {"x-external-session-id" (cf/external-session-id)}
                       :query params})
          (rx/map http/conditional-decode-transit)
          (rx/mapcat handle-response))))
@@ -146,6 +147,7 @@
     (->> (http/send! {:method :post
                       :uri (u/join cf/public-uri "api/export")
                       :body (http/transit-data (dissoc params :blob?))
+                      :headers {"x-external-session-id" (cf/external-session-id)}
                       :credentials "include"
                       :response-type (if blob? :blob :text)})
          (rx/map http/conditional-decode-transit)
@@ -165,6 +167,7 @@
     (->> (http/send! {:method :post
                       :uri (u/join cf/public-uri "api/rpc/command/" (name id))
                       :credentials "include"
+                      :headers {"x-external-session-id" (cf/external-session-id)}
                       :body (http/form-data params)})
          (rx/map http/conditional-decode-transit)
          (rx/mapcat handle-response))))
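Review bot: In the repo.cljs hunks the header value is `(cf/external-session-id)` unconditionally, so when that function returns nil the request carries a nil-valued header; whether `http/send!` drops it or serializes it as `"null"` is not visible here, so either confirm that or guard it, e.g. `:headers (when-let [sid (cf/external-session-id)] {"x-external-session-id" sid})`. The same literal map is repeated in all three hunks of this file (lines 137, 147 and 167); a single `(defn- default-headers [] …)` would keep the header name and the nil handling in one place. `cf/external-session-id` itself is outside the diff, so its return type and stability across requests are assumed, not shown.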