Enable logging of user logins to usermetadb

server/authserver.go

@@ -286,6 +286,8 @@ func (c *Config) compile() error {
 			}
 		}
 
+		// Enabling device tracking also enables user activity
+		// logging.
 		if sc.EnableDeviceTracking {
 			if c.UserMetaDBConfig == nil {
 				return errors.New("usermetadb config is missing")
@@ -295,6 +297,13 @@ func (c *Config) compile() error {
 				return err
 			}
 			sc.filters = append(sc.filters, dt)
+
+			// The logger conveniently comes last.
+			lf, err := newUserActivityLogFilter(c.UserMetaDBConfig)
+			if err != nil {
+				return err
+			}
+			sc.filters = append(sc.filters, lf)
 		}
 	}
 
@@ -527,6 +536,12 @@ func (s *Server) authenticateUser(req *auth.Request, serviceConfig *ServiceConfi
 
 	// Process the response through filters (device info checks,
 	// etc) that may or may not change the response itself.
+	//
+	// TODO: it's unclear why we'd want to bail on errors, it
+	// makes it quite confusing for StatusInsufficientCredentials.
+	//
+	// Perhaps it would be easier to just run filters only on
+	// StatusOK?
 	for _, f := range serviceConfig.filters {
 		if resp.Status == auth.StatusError {
 			break

server/devices.go

@@ -36,6 +36,11 @@ func (f *deviceFilter) Filter(user *User, req *auth.Request, resp *auth.Response
 		return resp
 	}
 
+	// If the status is != OK, skip.
+	if resp.Status != auth.StatusOK {
+		return resp
+	}
+
 	// Check if the device is known already, in which case we're
 	// OK and don't need to do anything else.
 	ctx, cancel := context.WithTimeout(context.Background(), usermetadbTimeout)

server/userlog.go

+package server
+
+import (
+	"context"
+	"log"
+	"time"
+
+	"git.autistici.org/ai3/go-common/clientutil"
+	"git.autistici.org/id/auth"
+	"git.autistici.org/id/usermetadb"
+	"git.autistici.org/id/usermetadb/client"
+)
+
+type addLogClient interface {
+	AddLog(context.Context, string, *usermetadb.LogEntry) error
+}
+
+type logFilter struct {
+	client addLogClient
+}
+
+func newUserActivityLogFilter(config *clientutil.BackendConfig) (*logFilter, error) {
+	c, err := client.New(config)
+	if err != nil {
+		return nil, err
+	}
+	return &logFilter{c}, nil
+}
+
+func (f *logFilter) Filter(user *User, req *auth.Request, resp *auth.Response) *auth.Response {
+	if resp.Status != auth.StatusOK {
+		return resp
+	}
+
+	entry := usermetadb.LogEntry{
+		Timestamp:   time.Now(),
+		Username:    user.Name,
+		Type:        usermetadb.LogTypeLogin,
+		Message:     "successful login",
+		Service:     req.Service,
+		LoginMethod: "web",
+		DeviceInfo:  req.DeviceInfo,
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), usermetadbTimeout)
+	defer cancel()
+	if err := f.client.AddLog(ctx, user.Shard, &entry); err != nil {
+		log.Printf("usermetadb.AddLog error for %s: %v", user.Name, err)
+	}
+
+	return resp
+}