From 39d6ec96b7d30901e929bbcf75ea897424b1aded Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Fri, 2 Mar 2018 15:06:46 +0100
Subject: [PATCH] amend full user object to login action

---
 src/developer.js | 9 +++++----
 src/ldap.js | 6 +++---
 src/routes/oauth2.js | 4 ++--
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/src/developer.js b/src/developer.js
index 7e5c2d397..e2f3b5603 100644
--- a/src/developer.js
+++ b/src/developer.js
@@ -13,6 +13,7 @@ var assert = require('assert'),
     constants = require('./constants.js'),
     eventlog = require('./eventlog.js'),
     tokendb = require('./tokendb.js'),
+    user = require('./user.js'),
     util = require('util');
 
 function DeveloperError(reason, errorOrMessage) {
@@ -37,8 +38,8 @@ util.inherits(DeveloperError, Error);
 DeveloperError.INTERNAL_ERROR = 'Internal Error';
 DeveloperError.EXTERNAL_ERROR = 'External Error';
 
-function issueDeveloperToken(user, auditSource, callback) {
-    assert.strictEqual(typeof user, 'object');
+function issueDeveloperToken(userObject, auditSource, callback) {
+    assert.strictEqual(typeof userObject, 'object');
     assert.strictEqual(typeof auditSource, 'object');
     assert.strictEqual(typeof callback, 'function');
 
@@ -46,10 +47,10 @@ function issueDeveloperToken(user, auditSource, callback) {
     var expiresAt = Date.now() + constants.DEFAULT_TOKEN_EXPIRATION;
     var scopes = '*,' + clients.SCOPE_ROLE_SDK;
 
-    tokendb.add(token, user.id, 'cid-cli', expiresAt, scopes, function (error) {
+    tokendb.add(token, userObject.id, 'cid-cli', expiresAt, scopes, function (error) {
         if (error) return callback(new DeveloperError(DeveloperError.INTERNAL_ERROR, error));
 
-        eventlog.add(eventlog.ACTION_USER_LOGIN, auditSource, { authType: 'cli', userId: user.id, username: user.username });
+        eventlog.add(eventlog.ACTION_USER_LOGIN, auditSource, { authType: 'cli', userId: userObject.id, user: user.removePrivateFields(userObject) });
 
         callback(null, { token: token, expiresAt: new Date(expiresAt).toISOString() });
     });
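Review bot: The cli login event in the last `src/developer.js` hunk drops the top-level `username` key the old call wrote (`username: user.username`), so any event-log consumer that reads `data.username` for `ACTION_USER_LOGIN` now gets `undefined` and has to look inside the nested `user` snapshot instead; that is a data-shape change the commit message does not mention. Persisting a copy of the user record on every login also duplicates PII into the log beside the `userId` that already identifies the user, so it is worth confirming that `user.removePrivateFields` returns a new object with password hash, salt and reset/2FA secret fields removed rather than mutating the caller's `userObject` in place — its implementation is not visible in this patch. The rename to `userObject` in the second hunk is what stops the parameter from shadowing the newly required `user` module; a one-line comment above the function such as `// 'user' is the module; the record being logged is userObject` would make that intent clear to the next editor.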
diff --git a/src/ldap.js b/src/ldap.js
index 32be085ce..2dc5490a0 100644
--- a/src/ldap.js
+++ b/src/ldap.js
@@ -410,7 +410,7 @@ function authorizeUserForApp(req, res, next) {
         // we return no such object, to avoid leakage of a users existence
         if (!result) return next(new ldap.NoSuchObjectError(req.dn.toString()));
 
-        eventlog.add(eventlog.ACTION_USER_LOGIN, { authType: 'ldap', appId: app.id }, { userId: req.user.id });
+        eventlog.add(eventlog.ACTION_USER_LOGIN, { authType: 'ldap', appId: app.id }, { userId: req.user.id, user: user.removePrivateFields(req.user) });
 
         res.end();
     });
@@ -451,12 +451,12 @@ function authenticateMailbox(req, res, next) {
     } else if (mailbox.ownerType === mailboxdb.TYPE_USER) {
         if (!domain.enabled) return next(new ldap.NoSuchObjectError(req.dn.toString()));
 
-        user.verifyWithUsername(parts[0], req.credentials || '', function (error, user) {
+        user.verifyWithUsername(parts[0], req.credentials || '', function (error, result) {
             if (error && error.reason === UserError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
             if (error && error.reason === UserError.WRONG_PASSWORD) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
             if (error) return next(new ldap.OperationsError(error.message));
 
-            eventlog.add(eventlog.ACTION_USER_LOGIN, { authType: 'ldap', mailboxId: email }, { userId: user.username });
+            eventlog.add(eventlog.ACTION_USER_LOGIN, { authType: 'ldap', mailboxId: email }, { userId: result.id, user: user.removePrivateFields(result) });
 
             res.end();
         });
     } else {
diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
index 48a3caf9e..126bbc804 100644
--- a/src/routes/oauth2.js
+++ b/src/routes/oauth2.js
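Review bot: Renaming the callback parameter from `user` to `result` in the `authenticateMailbox` hunk is what lets `user.removePrivateFields(result)` resolve to the module instead of the record, and it quietly fixes the old `userId: user.username`, which stored a username under an id key; both deserve a sentence in the commit message. The three `if (error …) return next(...)` lines still exit before the new `eventlog.add`, so unknown-user and wrong-password binds against a mailbox leave no event at all, which removes the signal a brute-force or credential-stuffing detection would need — consider an explicit failure event carrying `authType: 'ldap'` and `mailboxId: email` (never the supplied credentials) before each of those returns. The `result` object comes straight from `user.verifyWithUsername`, presumably the full user row, so confirm that `removePrivateFields` strips password hash, salt and any reset or 2FA secrets before the snapshot lands in the log. `authenticateMailbox` starts and ends outside this hunk.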
@@ -447,7 +447,7 @@ var authorization = [
         var type = req.oauth2.client.type;
 
         if (type === clients.TYPE_EXTERNAL || type === clients.TYPE_BUILT_IN) {
-            eventlog.add(eventlog.ACTION_USER_LOGIN, auditSource(req, req.oauth2.client.appId), { userId: req.oauth2.user.id });
+            eventlog.add(eventlog.ACTION_USER_LOGIN, auditSource(req, req.oauth2.client.appId), { userId: req.oauth2.user.id, user: user.removePrivateFields(req.oauth2.user) });
             return next();
         }
 
@@ -458,7 +458,7 @@ var authorization = [
             if (error) return sendError(req, res, 'Internal error');
             if (!access) return sendErrorPageOrRedirect(req, res, 'No access to this app.');
 
-            eventlog.add(eventlog.ACTION_USER_LOGIN, auditSource(req, appObject.id), { userId: req.oauth2.user.id });
+            eventlog.add(eventlog.ACTION_USER_LOGIN, auditSource(req, appObject.id), { userId: req.oauth2.user.id, user: user.removePrivateFields(req.oauth2.user) });
             next();
         });
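Review bot: Both hunks in `src/routes/oauth2.js` now call `user.removePrivateFields(...)`, yet this patch adds `user = require('./user.js')` only to `src/developer.js`; unless `oauth2.js` already requires the user module at its top (outside this diff), the first OAuth login would throw `ReferenceError: user is not defined` inside the authorization chain at request time rather than failing at load, so please check that file's require block. The same `{ userId: req.oauth2.user.id, user: user.removePrivateFields(req.oauth2.user) }` literal is repeated verbatim in both hunks; a small helper such as `function loginEventData(req) { return { userId: req.oauth2.user.id, user: user.removePrivateFields(req.oauth2.user) }; }` would keep the two event shapes from drifting. The `authorization` middleware array these hunks belong to starts and ends outside the diff.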