feat(audit): Q2 Chunk 3 — 审计日志补全
- 登录成功/失败均写入审计日志(含 IP、User-Agent) - 登出、密码修改添加审计日志 - 用户/角色 update 记录变更前后值(old_value/new_value) - 插件数据 CRUD(create/update/delete)添加审计日志 - auth handler 提取 X-Forwarded-For/X-Real-IP/User-Agent
This commit is contained in:
iven
@@ -1,5 +1,6 @@
|
||||
use axum::Extension;
|
||||
use axum::extract::{FromRef, State};
|
||||
use axum::http::HeaderMap;
|
||||
use axum::response::Json;
|
||||
use validator::Validate;
|
||||
|
||||
@@ -8,7 +9,21 @@ use erp_core::types::{ApiResponse, TenantContext};
|
||||
|
||||
use crate::auth_state::AuthState;
|
||||
use crate::dto::{ChangePasswordReq, LoginReq, LoginResp, RefreshReq};
|
||||
use crate::service::auth_service::{AuthService, JwtConfig};
|
||||
use crate::service::auth_service::{AuthService, JwtConfig, RequestInfo};
|
||||
|
||||
/// 从请求头中提取客户端信息。
|
||||
fn extract_request_info(headers: &HeaderMap) -> RequestInfo {
|
||||
let ip = headers
|
||||
.get("x-forwarded-for")
|
||||
.or_else(|| headers.get("x-real-ip"))
|
||||
.and_then(|v| v.to_str().ok())
|
||||
.map(|s| s.split(',').next().unwrap_or(s).trim().to_string());
|
||||
let user_agent = headers
|
||||
.get("user-agent")
|
||||
.and_then(|v| v.to_str().ok())
|
||||
.map(|s| s.to_string());
|
||||
RequestInfo { ip, user_agent }
|
||||
}
|
||||
|
||||
#[utoipa::path(
|
||||
post,
|
||||
@@ -29,6 +44,7 @@ use crate::service::auth_service::{AuthService, JwtConfig};
|
||||
/// In production, this will come from a tenant-resolution middleware.
|
||||
pub async fn login<S>(
|
||||
State(state): State<AuthState>,
|
||||
headers: HeaderMap,
|
||||
Json(req): Json<LoginReq>,
|
||||
) -> Result<Json<ApiResponse<LoginResp>>, AppError>
|
||||
where
|
||||
@@ -38,6 +54,7 @@ where
|
||||
req.validate()
|
||||
.map_err(|e| AppError::Validation(e.to_string()))?;
|
||||
|
||||
let req_info = extract_request_info(&headers);
|
||||
let tenant_id = state.default_tenant_id;
|
||||
|
||||
let jwt_config = JwtConfig {
|
||||
@@ -53,6 +70,7 @@ where
|
||||
&state.db,
|
||||
&jwt_config,
|
||||
&state.event_bus,
|
||||
Some(&req_info),
|
||||
)
|
||||
.await?;
|
||||
|
||||
@@ -108,13 +126,15 @@ where
|
||||
/// logging them out on all devices.
|
||||
pub async fn logout<S>(
|
||||
State(state): State<AuthState>,
|
||||
headers: HeaderMap,
|
||||
Extension(ctx): Extension<TenantContext>,
|
||||
) -> Result<Json<ApiResponse<()>>, AppError>
|
||||
where
|
||||
AuthState: FromRef<S>,
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
AuthService::logout(ctx.user_id, ctx.tenant_id, &state.db).await?;
|
||||
let req_info = extract_request_info(&headers);
|
||||
AuthService::logout(ctx.user_id, ctx.tenant_id, &state.db, Some(&req_info)).await?;
|
||||
|
||||
Ok(Json(ApiResponse {
|
||||
success: true,
|
||||
@@ -141,6 +161,7 @@ where
|
||||
/// 用户需要在所有设备上重新登录。
|
||||
pub async fn change_password<S>(
|
||||
State(state): State<AuthState>,
|
||||
headers: HeaderMap,
|
||||
Extension(ctx): Extension<TenantContext>,
|
||||
Json(req): Json<ChangePasswordReq>,
|
||||
) -> Result<Json<ApiResponse<()>>, AppError>
|
||||
@@ -151,12 +172,14 @@ where
|
||||
req.validate()
|
||||
.map_err(|e| AppError::Validation(e.to_string()))?;
|
||||
|
||||
let req_info = extract_request_info(&headers);
|
||||
AuthService::change_password(
|
||||
ctx.user_id,
|
||||
ctx.tenant_id,
|
||||
&req.current_password,
|
||||
&req.new_password,
|
||||
&state.db,
|
||||
Some(&req_info),
|
||||
)
|
||||
.await?;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user