diff --git a/.gitignore b/.gitignore index 5ca81560..486ef6cc 100644 --- a/.gitignore +++ b/.gitignore @@ -36,3 +36,6 @@ docker-compose.local.yml # SSO *.pem *.crt + +# Local Claude Code skills +.claude/commands/ diff --git a/server/mergin/app.py b/server/mergin/app.py index e5eb42d5..42308a73 100644 --- a/server/mergin/app.py +++ b/server/mergin/app.py @@ -154,6 +154,7 @@ def create_app(public_keys: List[str] = None) -> Flask: """Factory function to create Flask app instance""" from itsdangerous import BadTimeSignature, BadSignature + from .audit import register as register_audit from .auth import auth_required, decode_token, register as register_auth from .auth.models import User from .sync.app import register as register_sync @@ -180,6 +181,9 @@ def create_app(public_keys: List[str] = None) -> Flask: csrf.init_app(app.app) login_manager.init_app(app.app) + # register audit module (NullSink by default; custom sinks overrides app.audit_sink) + register_audit(app.app) + # register auth blueprint register_auth(app.app) diff --git a/server/mergin/audit/__init__.py b/server/mergin/audit/__init__.py new file mode 100644 index 00000000..145b1f84 --- /dev/null +++ b/server/mergin/audit/__init__.py @@ -0,0 +1,5 @@ +# Copyright (C) Lutra Consulting Limited +# +# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-MerginMaps-Commercial + +from .app import emit, register diff --git a/server/mergin/audit/app.py b/server/mergin/audit/app.py new file mode 100644 index 00000000..cba22b89 --- /dev/null +++ b/server/mergin/audit/app.py @@ -0,0 +1,51 @@ +# Copyright (C) Lutra Consulting Limited +# +# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-MerginMaps-Commercial + +import datetime + +from flask import Flask, current_app + +from .events import AuditEvent, EventType +from .sinks import NullSink + + +def register(app: Flask) -> None: + """Wire the audit module into a Flask app. + + Sets NullSink as the default. + """ + app.audit_sink = NullSink() + + +def emit( + event_type: EventType, + actor_id=None, + actor_email=None, + actor_user_agent=None, + actor_device_id=None, + ip_address=None, + user_id=None, + project_id=None, + workspace_id=None, + **detail, +) -> None: + """Emit one audit event to the configured sink. + + Set at least one of user_id, project_id, workspace_id to identify the target. + Extra keyword arguments become the context dict. + """ + event = AuditEvent( + event_type=event_type, + actor_id=actor_id, + actor_email=actor_email, + actor_user_agent=actor_user_agent, + actor_device_id=actor_device_id, + ip_address=ip_address, + happened_at=datetime.datetime.utcnow(), + user_id=user_id, + project_id=project_id, + workspace_id=workspace_id, + context=detail, + ) + current_app.audit_sink.write(event) diff --git a/server/mergin/audit/events.py b/server/mergin/audit/events.py new file mode 100644 index 00000000..81aeefde --- /dev/null +++ b/server/mergin/audit/events.py @@ -0,0 +1,29 @@ +# Copyright (C) Lutra Consulting Limited +# +# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-MerginMaps-Commercial + +import datetime +import uuid +from dataclasses import dataclass, field +from typing import Any, Dict, Optional + +# Noun.verb dot-notation string, e.g. "user.login.succeeded". +# Each module defines its own str enum; the sink stores the raw string. +EventType = str + + +@dataclass(frozen=True) +class AuditEvent: + event_type: EventType + ip_address: Optional[str] + happened_at: datetime.datetime + actor_id: Optional[int] + actor_email: Optional[str] + actor_user_agent: Optional[str] + actor_device_id: Optional[str] # X-Device-Id header; set by mobile/QGIS clients + user_id: Optional[int] # set when the target is a user + project_id: Optional[uuid.UUID] # set when the target is a project + workspace_id: Optional[ + int + ] # workspace the event belongs to; set for project and workspace events + context: Dict[str, Any] = field(default_factory=dict) diff --git a/server/mergin/audit/listeners.py b/server/mergin/audit/listeners.py new file mode 100644 index 00000000..fbf94e86 --- /dev/null +++ b/server/mergin/audit/listeners.py @@ -0,0 +1,76 @@ +# Copyright (C) Lutra Consulting Limited +# +# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-MerginMaps-Commercial + +""" +Utilities for writing SQLAlchemy-based audit listeners in any module. +""" + +import logging + +from sqlalchemy import inspect as sa_inspect +from flask import has_request_context, has_app_context, request, current_app +from flask_login import current_user + +from ..utils import get_ip, get_user_agent, get_device_id +from .app import emit + +logger = logging.getLogger(__name__) + + +def request_context(): + """Return the three request-derived actor kwargs: user_agent, device_id, ip. + + Use **request_context() in explicit emit() calls so adding a new request + field only requires changing this one function. + """ + if not has_request_context(): + return dict(actor_user_agent=None, actor_device_id=None, ip_address=None) + return dict( + actor_user_agent=get_user_agent(request), + actor_device_id=get_device_id(request), + ip_address=get_ip(request), + ) + + +def actor_context(): + """Return full actor kwargs for emit() drawn from the current request context. + + Used by SQLAlchemy listeners where current_user is the actor. + """ + actor_id = None + actor_email = None + if has_request_context() and current_user.is_authenticated: + actor_id = current_user.id + actor_email = current_user.email + return dict(actor_id=actor_id, actor_email=actor_email, **request_context()) + + +def field_changes(target, skip=frozenset()): + """Return flat old_/new_ context for all changed non-skipped fields.""" + ctx = {} + for attr in sa_inspect(target).attrs: + if attr.key in skip: + continue + hist = attr.history + if hist.has_changes(): + old = hist.deleted[0] if hist.deleted else None + new = hist.added[0] if hist.added else None + if old != new: + ctx[f"old_{attr.key}"] = old + ctx[f"new_{attr.key}"] = new + return ctx + + +def emit_safe(event_type, **kwargs): + """Emit without raising if outside app context or sink not yet configured. + + Works both inside HTTP requests (actor context populated) and Celery tasks + (actor fields are None, indicating a system-initiated action). + """ + if not has_app_context() or not hasattr(current_app, "audit_sink"): + return + try: + emit(event_type, **kwargs) + except Exception: + logger.warning("Failed to emit audit event %s", event_type, exc_info=True) diff --git a/server/mergin/audit/sinks.py b/server/mergin/audit/sinks.py new file mode 100644 index 00000000..14b85002 --- /dev/null +++ b/server/mergin/audit/sinks.py @@ -0,0 +1,21 @@ +# Copyright (C) Lutra Consulting Limited +# +# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-MerginMaps-Commercial + +from abc import ABC, abstractmethod + +from .events import AuditEvent + + +class AbstractSink(ABC): + """Interface all audit sinks must implement.""" + + @abstractmethod + def write(self, event: AuditEvent) -> None: ... + + +class NullSink(AbstractSink): + """Default sink — discards all events.""" + + def write(self, event: AuditEvent) -> None: + pass diff --git a/server/mergin/auth/app.py b/server/mergin/auth/app.py index acfccf43..585b1fa5 100644 --- a/server/mergin/auth/app.py +++ b/server/mergin/auth/app.py @@ -11,6 +11,7 @@ from .commands import add_commands from .config import Configuration +from .listeners import register_listeners from .models import User # signal for other versions to listen to @@ -37,6 +38,7 @@ def register(app): app.blueprints["/"].name = "auth" app.blueprints["auth"] = app.blueprints.pop("/") add_commands(app) + register_listeners() _permissions = {} diff --git a/server/mergin/auth/controller.py b/server/mergin/auth/controller.py index 06859255..aa4d9a82 100644 --- a/server/mergin/auth/controller.py +++ b/server/mergin/auth/controller.py @@ -37,6 +37,9 @@ ApiLoginForm, ) from ..app import db +from ..audit import emit +from ..audit.listeners import actor_context, request_context +from .events import AuthEventType from ..sync.models import Project from ..sync.utils import files_size @@ -157,8 +160,21 @@ def login_public(): # noqa: E501 data = user_profile(user) data["session"] = {"token": token, "expire": expire} LoginHistory.add_record(user.id, request) + emit( + AuthEventType.USER_LOGIN_SUCCEEDED, + actor_id=user.id, + actor_email=user.email, + **request_context(), + user_id=user.id, + ) return data else: + emit( + AuthEventType.USER_LOGIN_FAILED, + **request_context(), + login=form.login.data, + reason="account_inactive" if user else "invalid_credentials", + ) abort(401, "Invalid username or password") abort(400, _extract_first_error(form.errors)) @@ -169,6 +185,11 @@ def close_user_account(): Closing user account effectively means to inactivate user (will be removed by cron job) and remove explicitly shared projects as well clean references to created projects. """ + emit( + AuthEventType.USER_MARKED_FOR_DELETION, + **actor_context(), + user_id=current_user.id, + ) current_user.inactivate() # emit signal to be caught elsewhere user_account_closed.send(current_user) @@ -226,8 +247,21 @@ def login(): # pylint: disable=W0613,W0612 login_user(user) if not os.path.isfile(current_app.config["MAINTENANCE_FILE"]): LoginHistory.add_record(user.id, request) + emit( + AuthEventType.USER_LOGIN_SUCCEEDED, + actor_id=user.id, + actor_email=user.email, + **request_context(), + user_id=user.id, + ) return "", 200 else: + emit( + AuthEventType.USER_LOGIN_FAILED, + **request_context(), + login=form.login.data, + reason="account_inactive" if user else "invalid_credentials", + ) abort(401, "Invalid username or password") return jsonify(form.errors), 401 @@ -242,10 +276,23 @@ def admin_login(): # pylint: disable=W0613,W0612 if user: if user.active and user.is_admin: login_user(user) + emit( + AuthEventType.USER_LOGIN_SUCCEEDED, + actor_id=user.id, + actor_email=user.email, + **request_context(), + user_id=user.id, + ) return "", 200 else: abort(403, "You do not have permissions") else: + emit( + AuthEventType.USER_LOGIN_FAILED, + **request_context(), + login=form.login.data, + reason="invalid_credentials", + ) abort(401, "Invalid username or password") @@ -266,6 +313,11 @@ def change_password(): # pylint: disable=W0613,W0612 current_user.assign_password(form.password.data) db.session.add(current_user) db.session.commit() + emit( + AuthEventType.USER_PASSWORD_CHANGED, + **actor_context(), + user_id=current_user.id, + ) return "", 200 return jsonify(form.errors), 400 @@ -326,6 +378,12 @@ def confirm_new_password(token): # pylint: disable=W0613,W0612 user.assign_password(form.password.data) db.session.add(user) db.session.commit() + emit( + AuthEventType.USER_PASSWORD_RESET, + **request_context(), + user_id=user.id, + target_email=user.email, + ) return "", 200 return jsonify(form.errors), 400 @@ -441,22 +499,47 @@ def update_user(username): # pylint: disable=W0613,W0612 abort(400, "Unable to assign super admin role") user = User.query.filter_by(username=username).first_or_404("User not found") + old_active = user.active form.update_obj(user) - - # remove inactive since flag for ban or re-activation user.inactive_since = None - db.session.add(user) db.session.commit() + + if old_active and not user.active: + emit( + AuthEventType.USER_DEACTIVATED, + **actor_context(), + user_id=user.id, + target_email=user.email, + ) + elif not old_active and user.active: + emit( + AuthEventType.USER_RESTORED, + **actor_context(), + user_id=user.id, + target_email=user.email, + ) + return jsonify(UserSchema().dump(user)) @auth_required(permissions=["admin"]) def delete_user(username): # pylint: disable=W0613,W0612 user = User.query.filter_by(username=username).first_or_404("User not found") + emit( + AuthEventType.USER_MARKED_FOR_DELETION, + **actor_context(), + user_id=user.id, + target_email=user.email, + ) user.inactivate() user_account_closed.send(user) - # force 'delete' user + emit( + AuthEventType.USER_DELETED, + **actor_context(), + user_id=user.id, + target_email=user.email, + ) user.anonymize() return "", 204 diff --git a/server/mergin/auth/events.py b/server/mergin/auth/events.py new file mode 100644 index 00000000..f98d2e3b --- /dev/null +++ b/server/mergin/auth/events.py @@ -0,0 +1,25 @@ +# Copyright (C) Lutra Consulting Limited +# +# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-MerginMaps-Commercial + +from enum import Enum + + +class AuthEventType(str, Enum): + # authentication events + USER_LOGIN_SUCCEEDED = "user.login.succeeded" + USER_LOGIN_FAILED = "user.login.failed" + USER_PASSWORD_CHANGED = "user.password.changed" + USER_PASSWORD_RESET = "user.password.reset" # token-based reset (unauthenticated) + # general CRUD (SQLAlchemy listeners) + USER_CREATED = "user.created" + USER_UPDATED = "user.updated" + # lifecycle events (explicit emit only; active/inactive_since excluded from user.updated) + USER_MARKED_FOR_DELETION = ( + "user.marked_for_deletion" # user or admin triggers deletion flow + ) + USER_DEACTIVATED = "user.deactivated" # admin sets active=False without deletion + USER_RESTORED = ( + "user.restored" # admin re-activates after deactivation or marked_for_deletion + ) + USER_DELETED = "user.deleted" # personal data permanently erased diff --git a/server/mergin/auth/listeners.py b/server/mergin/auth/listeners.py new file mode 100644 index 00000000..f230a9e9 --- /dev/null +++ b/server/mergin/auth/listeners.py @@ -0,0 +1,50 @@ +# Copyright (C) Lutra Consulting Limited +# +# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-MerginMaps-Commercial + +from sqlalchemy import event +from sqlalchemy.orm import object_session + +from ..audit.listeners import actor_context, field_changes, emit_safe +from .events import AuthEventType +from .models import User + +# Fields excluded from user.updated audit events: +# - sensitive values that must never appear in logs (passwd) +# - high-frequency operational fields (last_signed_in, registration_date) +# - lifecycle state fields covered by dedicated events (active, inactive_since) +# frozenset prevents accidental mutation of module-level state. +_SKIP = frozenset( + {"passwd", "last_signed_in", "registration_date", "active", "inactive_since"} +) + + +def _on_user_created(_mapper, _connection, target): + emit_safe( + AuthEventType.USER_CREATED, + **actor_context(), + user_id=target.id, + target_email=target.email, + ) + + +def _on_user_updated(_mapper, _connection, target): + if object_session(target).info.get("audit_skip_user_update"): + return + changes = field_changes(target, _SKIP) + if not changes: + return + emit_safe( + AuthEventType.USER_UPDATED, + **actor_context(), + user_id=target.id, + target_email=target.email, + **changes, + ) + + +def register_listeners(): + if event.contains(User, "after_insert", _on_user_created): + return + event.listen(User, "after_insert", _on_user_created) + event.listen(User, "after_update", _on_user_updated) diff --git a/server/mergin/auth/models.py b/server/mergin/auth/models.py index 760ab740..db1e00ee 100644 --- a/server/mergin/auth/models.py +++ b/server/mergin/auth/models.py @@ -12,7 +12,8 @@ from ..app import db from ..sync.models import ProjectUser -from ..sync.utils import get_user_agent, get_ip, get_device_id, is_reserved_word +from ..sync.utils import is_reserved_word +from ..utils import get_ip, get_user_agent, get_device_id MAX_USERNAME_LENGTH = 50 @@ -185,12 +186,15 @@ def anonymize(self): """Anonymize user object in database - remove personal information""" ts = round(datetime.datetime.utcnow().timestamp() * 1000) del_str = f"deleted_{ts}" + # Suppress user.updated — these changes are covered by the USER_DELETED event. + db.session.info["audit_skip_user_update"] = True self.username = del_str self.email = None self.passwd = None self.first_name = None self.last_name = None db.session.commit() + db.session.info.pop("audit_skip_user_update", None) @classmethod def get_by_login(cls, login: str) -> Optional[User]: diff --git a/server/mergin/auth/tasks.py b/server/mergin/auth/tasks.py index 3c408d35..79fc8867 100644 --- a/server/mergin/auth/tasks.py +++ b/server/mergin/auth/tasks.py @@ -7,6 +7,8 @@ from ..celery import celery from ..app import db +from ..audit.listeners import emit_safe +from .events import AuthEventType from .models import User from .config import Configuration @@ -22,4 +24,9 @@ def anonymize_removed_users(): User.username.op("~")("^(?!deleted_\d{13})"), ).all() for user in users: + emit_safe( + AuthEventType.USER_DELETED, + user_id=user.id, + target_email=user.email, + ) user.anonymize() diff --git a/server/mergin/sync/app.py b/server/mergin/sync/app.py index e97f7cc3..1b6a923d 100644 --- a/server/mergin/sync/app.py +++ b/server/mergin/sync/app.py @@ -7,6 +7,7 @@ from .commands import add_commands from .config import Configuration from .db_events import register_events +from .listeners import register_listeners def register(app: Flask): @@ -40,3 +41,4 @@ def register(app: Flask): add_commands(app) register_events() + register_listeners() diff --git a/server/mergin/sync/db_events.py b/server/mergin/sync/db_events.py index 48a1756d..a303108c 100644 --- a/server/mergin/sync/db_events.py +++ b/server/mergin/sync/db_events.py @@ -29,4 +29,4 @@ def register_events(): def remove_events(): event.remove(db.session, "before_commit", check) - event.listen(ProjectVersion, "after_insert", optimize_gpgk_storage) + event.remove(ProjectVersion, "after_insert", optimize_gpgk_storage) diff --git a/server/mergin/sync/events.py b/server/mergin/sync/events.py new file mode 100644 index 00000000..16adf104 --- /dev/null +++ b/server/mergin/sync/events.py @@ -0,0 +1,25 @@ +# Copyright (C) Lutra Consulting Limited +# +# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-MerginMaps-Commercial + +from enum import Enum + + +class SyncEventType(str, Enum): + # automatic CRUD events (SQLAlchemy listeners) + PROJECT_CREATED = "project.created" # also emitted on clone + PROJECT_UPDATED = "project.updated" + # lifecycle events (explicit emit) + PROJECT_MARKED_FOR_DELETION = "project.marked_for_deletion" + PROJECT_RESTORED = "project.restored" + PROJECT_DELETED = "project.deleted" + # membership events (explicit emit) + PROJECT_MEMBER_ADDED = "project.member.added" + PROJECT_MEMBER_UPDATED = "project.member.updated" + PROJECT_MEMBER_DELETED = "project.member.deleted" + # access request events (explicit emit) + PROJECT_ACCESS_REQUEST_CREATED = "project.access_request.created" + PROJECT_ACCESS_REQUEST_ACCEPTED = "project.access_request.accepted" + PROJECT_ACCESS_REQUEST_REJECTED = "project.access_request.rejected" + # data events (explicit emit) + PROJECT_VERSION_CREATED = "project.version.created" diff --git a/server/mergin/sync/listeners.py b/server/mergin/sync/listeners.py new file mode 100644 index 00000000..ec5d3984 --- /dev/null +++ b/server/mergin/sync/listeners.py @@ -0,0 +1,61 @@ +# Copyright (C) Lutra Consulting Limited +# +# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-MerginMaps-Commercial + +from sqlalchemy import event +from sqlalchemy.orm import object_session + +from ..audit.listeners import actor_context, field_changes, emit_safe +from .events import SyncEventType +from .models import Project + +# Fields excluded from project.updated audit events — either auto-computed on every +# version push (disk_usage, latest_version, tags), operational metadata (updated, +# storage_params, locked_until), or covered by dedicated events with their own emit +# (removed_at/removed_by are suppressed via audit_skip_project_update instead). +# frozenset prevents accidental mutation of module-level state. +_SKIP = frozenset( + { + "disk_usage", + "latest_version", + "updated", + "storage_params", + "tags", + "locked_until", + } +) + + +def _on_project_created(_mapper, _connection, target): + if object_session(target).info.get("audit_skip_project_create"): + return + emit_safe( + SyncEventType.PROJECT_CREATED, + **actor_context(), + project_id=target.id, + workspace_id=target.workspace_id, + project_name=f"{target.workspace.name}/{target.name}", + ) + + +def _on_project_updated(_mapper, _connection, target): + if object_session(target).info.get("audit_skip_project_update"): + return + changes = field_changes(target, _SKIP) + if not changes: + return + emit_safe( + SyncEventType.PROJECT_UPDATED, + **actor_context(), + project_id=target.id, + workspace_id=target.workspace_id, + project_name=f"{target.workspace.name}/{target.name}", + **changes, + ) + + +def register_listeners(): + if event.contains(Project, "after_insert", _on_project_created): + return + event.listen(Project, "after_insert", _on_project_created) + event.listen(Project, "after_update", _on_project_updated) diff --git a/server/mergin/sync/private_api_controller.py b/server/mergin/sync/private_api_controller.py index fbe7b5cf..afb74773 100644 --- a/server/mergin/sync/private_api_controller.py +++ b/server/mergin/sync/private_api_controller.py @@ -11,8 +11,12 @@ from sqlalchemy import text from ..app import db +from ..audit import emit +from ..audit.listeners import actor_context from ..auth import auth_required +from ..auth.models import User from .forms import AccessPermissionForm +from .events import SyncEventType from .models import ( Project, AccessRequest, @@ -62,6 +66,13 @@ def create_project_access_request(namespace, project_name): # noqa: E501 access_request = AccessRequest(project, current_user.id) db.session.add(access_request) db.session.commit() + emit( + SyncEventType.PROJECT_ACCESS_REQUEST_CREATED, + **actor_context(), + project_id=project.id, + workspace_id=project.workspace_id, + project_name=f"{project.workspace.name}/{project.name}", + ) # notify project owners owners = current_app.project_handler.get_email_receivers(project) for owner in owners: @@ -99,8 +110,17 @@ def decline_project_access_request(request_id): # noqa: E501 project_role == ProjectRole.OWNER or current_user.id == access_request.requested_by ): + requester = User.query.get(access_request.requested_by) access_request.resolve(RequestStatus.DECLINED, current_user.id) db.session.commit() + emit( + SyncEventType.PROJECT_ACCESS_REQUEST_REJECTED, + **actor_context(), + project_id=project.id, + workspace_id=project.workspace_id, + target_email=requester.email if requester else None, + project_name=f"{project.workspace.name}/{project.name}", + ) return "", 200 abort(403, "You don't have permissions to remove project access request") @@ -124,7 +144,25 @@ def accept_project_access_request(request_id): project = access_request.project project_role = ProjectPermissions.get_user_project_role(project, current_user) if project_role == ProjectRole.OWNER: + requester = User.query.get(access_request.requested_by) access_request.accept(permission) + emit( + SyncEventType.PROJECT_ACCESS_REQUEST_ACCEPTED, + **actor_context(), + project_id=project.id, + workspace_id=project.workspace_id, + target_email=requester.email if requester else None, + project_name=f"{project.workspace.name}/{project.name}", + role=permission, + ) + emit( + SyncEventType.PROJECT_MEMBER_ADDED, + **actor_context(), + project_id=project.id, + workspace_id=project.workspace_id, + target_email=requester.email if requester else None, + role=permission, + ) return "", 200 abort(403, "You don't have permissions to accept project access request") @@ -228,6 +266,13 @@ def restore_project(id): # noqa: E501 project.removed_at = None project.removed_by = None db.session.commit() + emit( + SyncEventType.PROJECT_RESTORED, + **actor_context(), + project_id=project.id, + workspace_id=project.workspace_id, + project_name=f"{project.workspace.name}/{project.name}", + ) return "", 201 @@ -240,7 +285,16 @@ def force_project_delete(id): # noqa: E501 ) if not project.removed_at: abort(400, "Failed to remove: Project is still active") + emit( + SyncEventType.PROJECT_DELETED, + **actor_context(), + project_id=project.id, + workspace_id=project.workspace_id, + project_name=f"{project.workspace.name}/{project.name}", + ) + db.session.info["audit_skip_project_update"] = True project.delete() + db.session.info.pop("audit_skip_project_update", None) return "", 204 diff --git a/server/mergin/sync/public_api_controller.py b/server/mergin/sync/public_api_controller.py index 8dbe1237..1bebafb8 100644 --- a/server/mergin/sync/public_api_controller.py +++ b/server/mergin/sync/public_api_controller.py @@ -35,8 +35,11 @@ from mergin.sync.forms import project_name_validation from .interfaces import WorkspaceRole from ..app import db +from ..audit import emit +from ..audit.listeners import actor_context from ..auth import auth_required from ..auth.models import User +from .events import SyncEventType from .models import ( FileSyncErrorType, FileDiff, @@ -78,16 +81,13 @@ ) from .utils import ( generate_checksum, - get_ip, - get_user_agent, generate_location, is_valid_uuid, - get_device_id, is_versioned_file, prepare_download_response, - get_device_id, wkb2wkt, ) +from ..utils import get_ip, get_user_agent, get_device_id from .errors import StorageLimitHit, ProjectLocked from ..utils import format_time_delta @@ -224,6 +224,9 @@ def add_project(namespace): # noqa: E501 template_name = request.json.get("template", None) if template_name: + # Set flag before the template query — p is already in the session via the + # workspace backref, so any query triggers autoflush and fires after_insert. + db.session.info["audit_skip_project_create"] = True template = ( Project.query.filter(Project.creator.has(username="TEMPLATES")) .filter(Project.name == template_name) @@ -243,7 +246,6 @@ def add_project(namespace): # noqa: E501 change=PushChangeType.CREATE, ) ) - else: template = None version_name = 0 @@ -267,6 +269,16 @@ def add_project(namespace): # noqa: E501 db.session.add(p) db.session.add(version) db.session.commit() + if template_name: + db.session.info.pop("audit_skip_project_create", None) + emit( + SyncEventType.PROJECT_CREATED, + **actor_context(), + project_id=p.id, + workspace_id=p.workspace_id, + project_name=f"{workspace.name}/{p.name}", + created_from_template=template_name, + ) project_version_created.send(version) return NoContent, 200 @@ -1259,6 +1271,7 @@ def clone_project(namespace, project_name): # noqa: E501 ) p.updated = datetime.utcnow() db.session.add(p) + db.session.info["audit_skip_project_create"] = True files_to_exclude = current_app.config.get("EXCLUDED_CLONE_FILENAMES", []) try: @@ -1299,6 +1312,16 @@ def clone_project(namespace, project_name): # noqa: E501 ) db.session.add(project_version) db.session.commit() + db.session.info.pop("audit_skip_project_create", None) + emit( + SyncEventType.PROJECT_CREATED, + **actor_context(), + project_id=p.id, + workspace_id=p.workspace_id, + project_name=f"{ws.name}/{p.name}", + cloned_from_id=str(cloned_project.id), + cloned_from_name=f"{cp_workspace_name}/{cloned_project.name}", + ) project_version_created.send(project_version) return NoContent, 200 diff --git a/server/mergin/sync/public_api_v2_controller.py b/server/mergin/sync/public_api_v2_controller.py index ebd909ad..cb6c9238 100644 --- a/server/mergin/sync/public_api_v2_controller.py +++ b/server/mergin/sync/public_api_v2_controller.py @@ -33,6 +33,9 @@ UploadError, ) from .files import ChangesSchema, DeltaChangeRespSchema, ProjectFileSchema +from .events import SyncEventType +from ..audit import emit +from ..audit.listeners import actor_context from .forms import project_name_validation from .models import ( FileDiff, @@ -58,12 +61,10 @@ from .schemas_v2 import ProjectSchema as ProjectSchemaV2 from .storages.disk import move_to_tmp, save_to_file from .utils import ( - get_device_id, - get_ip, - get_user_agent, get_chunk_location, prepare_download_response, ) +from ..utils import get_ip, get_user_agent, get_device_id from .tasks import remove_transaction_chunks from .workspace import WorkspaceRole from ..utils import parse_order_params, get_schema_fields_map @@ -76,9 +77,18 @@ def schedule_delete_project(id): rest. """ project = require_project_by_uuid(id, ProjectPermissions.Delete) + emit( + SyncEventType.PROJECT_MARKED_FOR_DELETION, + **actor_context(), + project_id=project.id, + workspace_id=project.workspace_id, + project_name=f"{project.workspace.name}/{project.name}", + ) + db.session.info["audit_skip_project_update"] = True project.removed_at = datetime.utcnow() project.removed_by = current_user.id db.session.commit() + db.session.info.pop("audit_skip_project_update", None) return NoContent, 204 @@ -87,7 +97,16 @@ def schedule_delete_project(id): def delete_project_now(id): """Delete the project immediately""" project = require_project_by_uuid(id, ProjectPermissions.Delete, scheduled=True) + emit( + SyncEventType.PROJECT_DELETED, + **actor_context(), + project_id=project.id, + workspace_id=project.workspace_id, + project_name=f"{project.workspace.name}/{project.name}", + ) + db.session.info["audit_skip_project_update"] = True project.delete() + db.session.info.pop("audit_skip_project_update", None) return NoContent, 204 @@ -152,6 +171,14 @@ def add_project_collaborator(id): project.set_role(user.id, ProjectRole(request.json["role"])) db.session.commit() + emit( + SyncEventType.PROJECT_MEMBER_ADDED, + **actor_context(), + project_id=project.id, + workspace_id=project.workspace_id, + target_email=user.email, + role=request.json["role"], + ) data = ProjectMemberSchema().dump(project.get_member(user.id)) return data, 201 @@ -161,11 +188,21 @@ def update_project_collaborator(id, user_id): """Update project collaborator""" project = require_project_by_uuid(id, ProjectPermissions.Update) user = User.query.filter_by(id=user_id, active=True).first_or_404() - if not project.get_role(user_id): + old_role = project.get_role(user_id) + if not old_role: abort(404) project.set_role(user.id, ProjectRole(request.json["role"])) db.session.commit() + emit( + SyncEventType.PROJECT_MEMBER_UPDATED, + **actor_context(), + project_id=project.id, + workspace_id=project.workspace_id, + target_email=user.email, + old_role=old_role.value, + new_role=request.json["role"], + ) data = ProjectMemberSchema().dump(project.get_member(user.id)) return data, 200 @@ -174,11 +211,21 @@ def update_project_collaborator(id, user_id): def remove_project_collaborator(id, user_id): """Remove project collaborator""" project = require_project_by_uuid(id, ProjectPermissions.Update) - if not project.get_role(user_id): + removed_role = project.get_role(user_id) + if not removed_role: abort(404) + user = User.query.get(user_id) project.unset_role(user_id) db.session.commit() + emit( + SyncEventType.PROJECT_MEMBER_DELETED, + **actor_context(), + project_id=project.id, + workspace_id=project.workspace_id, + target_email=user.email if user else None, + role=removed_role.value, + ) return NoContent, 204 @@ -342,6 +389,13 @@ def create_project_version(id): os.renames(temp_files_dir, version_dir) db.session.commit() + emit( + SyncEventType.PROJECT_VERSION_CREATED, + **actor_context(), + project_id=project.id, + workspace_id=project.workspace_id, + version=v_next_version, + ) # remove used chunks only after commit — chunks belong to the now-committed version if to_be_added_files or to_be_updated_files: diff --git a/server/mergin/sync/tasks.py b/server/mergin/sync/tasks.py index 480222e6..d726de2d 100644 --- a/server/mergin/sync/tasks.py +++ b/server/mergin/sync/tasks.py @@ -11,12 +11,14 @@ from zipfile import ZIP_DEFLATED, ZipFile from flask import current_app +from .events import SyncEventType from .models import Project, ProjectVersion, FileHistory from .storages.disk import move_to_tmp from .config import Configuration from .utils import get_chunk_location, remove_outdated_files from ..celery import celery from ..app import db +from ..audit.listeners import emit_safe @celery.task @@ -64,8 +66,16 @@ def remove_projects_backups(): if not len(projects): break + db.session.info["audit_skip_project_update"] = True for p in projects: + emit_safe( + SyncEventType.PROJECT_DELETED, + project_id=p.id, + workspace_id=p.workspace_id, + project_name=f"{p.workspace.name}/{p.name}", + ) p.delete() + db.session.info.pop("audit_skip_project_update", None) @celery.task diff --git a/server/mergin/sync/utils.py b/server/mergin/sync/utils.py index 48966457..30d20192 100644 --- a/server/mergin/sync/utils.py +++ b/server/mergin/sync/utils.py @@ -103,32 +103,6 @@ def get_blacklisted_files(blacklist): return [p for p in blacklist if not p.endswith("/")] -def get_user_agent(request): - """Return user agent from request headers - - In case of browser client a parsed version from werkzeug utils is returned else raw value of header. - """ - if request.user_agent.browser and request.user_agent.platform: - client = request.user_agent.browser.capitalize() - version = request.user_agent.version - system = request.user_agent.platform.capitalize() - return f"{client}/{version} ({system})" - else: - return request.user_agent.string - - -def get_ip(request): - """Returns request's IP address based on X_FORWARDED_FOR header - from proxy webserver (which should always be the case) - """ - forwarded_ips = request.environ.get( - "HTTP_X_FORWARDED_FOR", request.environ.get("REMOTE_ADDR", "untrackable") - ) - # seems like we get list of IP addresses from AWS infra (beginning with external IP address of client, followed by some internal IP) - ip = forwarded_ips.split(",")[0] - return ip - - def generate_location(): """Return random location where project is saved on disk @@ -257,11 +231,6 @@ def split_project_path(project_path): return workspace_name, project_name -def get_device_id(request: Request) -> Optional[str]: - """Get device uuid from http header X-Device-Id""" - return request.headers.get("X-Device-Id") - - def files_size(): """Get total size of all files""" from mergin.app import db diff --git a/server/mergin/tests/fixtures.py b/server/mergin/tests/fixtures.py index 5d719878..9d0aa240 100644 --- a/server/mergin/tests/fixtures.py +++ b/server/mergin/tests/fixtures.py @@ -17,7 +17,8 @@ from ..stats.app import register from ..stats.models import MerginInfo from . import test_project, test_workspace_id, test_project_dir, TMP_DIR -from .utils import login_as_admin, initialize, cleanup, file_info +from .utils import login_as_admin, initialize, cleanup, file_info, ListSink +from ..audit.sinks import NullSink from ..sync.files import files_changes_from_upload thisdir = os.path.dirname(os.path.realpath(__file__)) @@ -98,6 +99,15 @@ def client(app): return client +@pytest.fixture(scope="function") +def audit_capture(app): + """Replace the app's audit sink with an in-memory ListSink for the duration of the test.""" + sink = ListSink() + app.audit_sink = sink + yield sink + app.audit_sink = NullSink() + + @pytest.fixture(scope="function") def diff_project(app): """Modify testing project to contain some history with diffs. Geodiff lib is used to handle changes. diff --git a/server/mergin/tests/test_audit_events.py b/server/mergin/tests/test_audit_events.py new file mode 100644 index 00000000..24d3abf3 --- /dev/null +++ b/server/mergin/tests/test_audit_events.py @@ -0,0 +1,410 @@ +# Copyright (C) Lutra Consulting Limited +# +# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-MerginMaps-Commercial + +"""Contract tests: one test per defined EventType to verify the event is emitted +with the required fields. Each test exercises the minimum code path needed to +trigger the event — it is not a functional test of that path.""" + +from ..app import db +from ..auth.app import generate_confirmation_token +from ..auth.events import AuthEventType +from ..auth.models import User +from ..sync.events import SyncEventType +from ..sync.models import AccessRequest, Project, ProjectRole +from . import DEFAULT_USER, test_project, test_workspace_id +from .utils import add_user, create_project, create_workspace, login + + +# --------------------------------------------------------------------------- +# Auth events +# --------------------------------------------------------------------------- + + +def test_user_login_succeeded(client, audit_capture): + login(client, DEFAULT_USER[0], DEFAULT_USER[1]) + + e = audit_capture.one(AuthEventType.USER_LOGIN_SUCCEEDED) + assert e.actor_email == f"{DEFAULT_USER[0]}@mergin.com" + assert e.user_id == e.actor_id # actor and target are the same person on login + + +def test_user_login_failed_invalid_credentials(client, audit_capture): + client.post( + "/app/auth/login", json={"login": "mergin", "password": "wrongpassword"} + ) + + e = audit_capture.one(AuthEventType.USER_LOGIN_FAILED) + assert e.context["reason"] == "invalid_credentials" + assert e.context["login"] == "mergin" + assert e.actor_id is None + + +def test_user_login_failed_account_inactive(client, audit_capture): + user = add_user("inactive_user", "pass123") + user.active = False + db.session.commit() + + client.post( + "/app/auth/login", json={"login": "inactive_user", "password": "pass123"} + ) + + assert ( + audit_capture.one(AuthEventType.USER_LOGIN_FAILED).context["reason"] + == "account_inactive" + ) + + +def test_user_password_changed(client, audit_capture): + user = add_user("pwduser", "oldpass123") + login(client, "pwduser", "oldpass123") + + client.post( + "/app/auth/change-password", + json={ + "old_password": "oldpass123", + "password": "New#pass456", + "confirm": "New#pass456", + }, + ) + + e = audit_capture.one(AuthEventType.USER_PASSWORD_CHANGED) + assert e.user_id == user.id + assert e.actor_id == user.id + + +def test_user_password_reset(app, client, audit_capture): + user = User.query.filter_by(username=DEFAULT_USER[0]).first() + token = generate_confirmation_token( + app, user.email, app.config["SECURITY_PASSWORD_SALT"] + ) + + client.post( + f"/app/auth/reset-password/{token}", + json={"password": "NewPass#123", "confirm": "NewPass#123"}, + ) + + e = audit_capture.one(AuthEventType.USER_PASSWORD_RESET) + assert e.user_id == user.id + assert e.context["target_email"] == user.email + + +def test_user_created(audit_capture): + user = add_user("newuser", "pass123") + + e = audit_capture.one(AuthEventType.USER_CREATED) + assert e.user_id == user.id + assert e.context["target_email"] == "newuser@mergin.com" + + +def test_user_updated(audit_capture): + user = add_user("editme", "pass123") + db.session.refresh(user) + user.email = "updated@mergin.com" + user.passwd = "newpassword" # in _SKIP — must never appear in audit + db.session.commit() + + e = audit_capture.one(AuthEventType.USER_UPDATED) + assert e.context["new_email"] == "updated@mergin.com" + assert e.context["old_email"] == "editme@mergin.com" + assert "new_passwd" not in e.context + assert "old_passwd" not in e.context + + +def test_listener_null_actor_outside_request(audit_capture): + """Listeners fired from a Celery-like context (no active request) emit null actor + fields — the event is recorded as a system action with no user attributed.""" + add_user(username="systemcreated", password="pass123") + + e = audit_capture.one(AuthEventType.USER_CREATED) + assert e.actor_id is None + assert e.actor_email is None + assert e.ip_address is None + + +def test_user_marked_for_deletion_by_user(client, audit_capture): + user = add_user("selfdelete", "pass123") + login(client, "selfdelete", "pass123") + + client.delete("/v1/user") + + e = audit_capture.one(AuthEventType.USER_MARKED_FOR_DELETION) + assert e.user_id == user.id + assert e.actor_id == user.id + + +def test_user_marked_for_deletion_by_admin(client, audit_capture): + user = add_user("admindelete", "pass123") + + client.delete(f"/app/admin/user/{user.username}") + + assert audit_capture.one(AuthEventType.USER_MARKED_FOR_DELETION).user_id == user.id + + +def test_user_deactivated(client, audit_capture): + user = add_user("todeactivate", "pass123") + + client.patch(f"/app/admin/user/{user.username}", json={"active": False}) + + assert audit_capture.one(AuthEventType.USER_DEACTIVATED).user_id == user.id + + +def test_user_restored(client, audit_capture): + user = add_user("torestore", "pass123") + user.active = False + db.session.commit() + + client.patch(f"/app/admin/user/{user.username}", json={"active": True}) + + assert audit_capture.one(AuthEventType.USER_RESTORED).user_id == user.id + + +def test_user_deleted(client, audit_capture): + user = add_user("todelete", "pass123") + + client.delete(f"/app/admin/user/{user.username}") + + e = audit_capture.one(AuthEventType.USER_DELETED) + assert e.user_id == user.id + assert e.context["target_email"] == "todelete@mergin.com" + + +# --------------------------------------------------------------------------- +# Sync / project events +# --------------------------------------------------------------------------- + + +def test_project_created(audit_capture): + user = add_user("projowner", "pass123") + ws = create_workspace() + project = create_project("myproject", ws, user) + + e = audit_capture.one(SyncEventType.PROJECT_CREATED) + assert e.project_id == project.id + assert e.workspace_id == test_workspace_id + assert e.context["project_name"] == "mergin/myproject" + + +def test_project_created_from_template(client, audit_capture): + # Re-assign test_project's creator to the reserved TEMPLATES user so it + # becomes a template project (this is how the app identifies templates). + template_user = add_user("TEMPLATES", "pass123") + template = Project.query.filter_by( + workspace_id=test_workspace_id, name=test_project + ).first() + template.creator = template_user + db.session.commit() + + client.post( + f"/v1/project/{template.workspace.name}", + json={"name": "from_template", "template": test_project}, + ) + + # filter to the new project only (template re-assignment fires project.updated) + new_project = Project.query.filter_by(name="from_template").first() + events = [ + e + for e in audit_capture.of_type(SyncEventType.PROJECT_CREATED) + if e.project_id == new_project.id + ] + assert len(events) == 1 + assert events[0].context.get("created_from_template") == test_project + + +def test_project_created_from_clone(client, audit_capture): + project = Project.query.filter_by( + workspace_id=test_workspace_id, name=test_project + ).first() + ws = project.workspace + + client.post( + f"/v1/project/clone/{ws.name}/{test_project}", + json={"namespace": ws.name, "project": "cloned_project"}, + ) + + e = audit_capture.one(SyncEventType.PROJECT_CREATED) + assert e.context.get("cloned_from_id") == str(project.id) + assert e.context.get("cloned_from_name") == f"{ws.name}/{test_project}" + + +def test_project_updated(audit_capture): + user = add_user("projupdater", "pass123") + ws = create_workspace() + project = create_project("updateme", ws, user) + db.session.refresh(project) + + project.public = True + db.session.commit() + + e = audit_capture.one(SyncEventType.PROJECT_UPDATED) + assert e.context["new_public"] is True + assert e.context["old_public"] is False + + +def test_project_marked_for_deletion(client, audit_capture): + project = Project.query.filter_by( + workspace_id=test_workspace_id, name=test_project + ).first() + + client.post(f"/v2/projects/{project.id}/scheduleDelete") + + e = audit_capture.one(SyncEventType.PROJECT_MARKED_FOR_DELETION) + assert e.project_id == project.id + assert e.workspace_id == project.workspace_id + + +def test_project_restored(client, audit_capture): + project = Project.query.filter_by( + workspace_id=test_workspace_id, name=test_project + ).first() + client.post(f"/v2/projects/{project.id}/scheduleDelete") + audit_capture.events.clear() + + client.post(f"/app/project/removed-project/restore/{project.id}") + + assert audit_capture.one(SyncEventType.PROJECT_RESTORED).project_id == project.id + + +def test_project_deleted(client, audit_capture): + project = Project.query.filter_by( + workspace_id=test_workspace_id, name=test_project + ).first() + + client.delete(f"/v2/projects/{project.id}") + + assert audit_capture.one(SyncEventType.PROJECT_DELETED).project_id == project.id + + +def test_project_member_added(client, audit_capture): + project = Project.query.filter_by( + workspace_id=test_workspace_id, name=test_project + ).first() + user = add_user("newmember", "pass123") + + client.post( + f"/v2/projects/{project.id}/collaborators", + json={"user": user.email, "role": ProjectRole.READER.value}, + ) + + e = audit_capture.one(SyncEventType.PROJECT_MEMBER_ADDED) + assert e.project_id == project.id + assert e.context["target_email"] == user.email + assert e.context["role"] == ProjectRole.READER.value + + +def test_project_member_updated(client, audit_capture): + project = Project.query.filter_by( + workspace_id=test_workspace_id, name=test_project + ).first() + user = add_user("updatemember", "pass123") + project.set_role(user.id, ProjectRole.READER) + db.session.commit() + + client.patch( + f"/v2/projects/{project.id}/collaborators/{user.id}", + json={"role": ProjectRole.EDITOR.value}, + ) + + e = audit_capture.one(SyncEventType.PROJECT_MEMBER_UPDATED) + assert e.context["old_role"] == ProjectRole.READER.value + assert e.context["new_role"] == ProjectRole.EDITOR.value + + +def test_project_member_deleted(client, audit_capture): + project = Project.query.filter_by( + workspace_id=test_workspace_id, name=test_project + ).first() + user = add_user("removemember", "pass123") + project.set_role(user.id, ProjectRole.READER) + db.session.commit() + + client.delete(f"/v2/projects/{project.id}/collaborators/{user.id}") + + assert ( + audit_capture.one(SyncEventType.PROJECT_MEMBER_DELETED).context["target_email"] + == user.email + ) + + +def test_project_access_request_created(client, audit_capture): + project = Project.query.filter_by( + workspace_id=test_workspace_id, name=test_project + ).first() + user = add_user("requester", "pass123") + login(client, "requester", "pass123") + + client.post(f"/app/project/access-request/{project.workspace.name}/{project.name}") + + e = audit_capture.one(SyncEventType.PROJECT_ACCESS_REQUEST_CREATED) + assert e.project_id == project.id + assert e.actor_id == user.id + + +def test_project_access_request_accepted(client, audit_capture): + project = Project.query.filter_by( + workspace_id=test_workspace_id, name=test_project + ).first() + requester = add_user("acceptrequester", "pass123") + access_request = AccessRequest(project, requester.id) + db.session.add(access_request) + db.session.commit() + + client.post( + f"/app/project/access-request/accept/{access_request.id}", + json={"permissions": "read"}, + ) + + assert ( + audit_capture.one(SyncEventType.PROJECT_ACCESS_REQUEST_ACCEPTED).context[ + "target_email" + ] + == requester.email + ) + # accepting also fires project.member.added + assert ( + audit_capture.one(SyncEventType.PROJECT_MEMBER_ADDED).context["target_email"] + == requester.email + ) + + +def test_project_access_request_rejected(client, audit_capture): + project = Project.query.filter_by( + workspace_id=test_workspace_id, name=test_project + ).first() + requester = add_user("rejectrequester", "pass123") + access_request = AccessRequest(project, requester.id) + db.session.add(access_request) + db.session.commit() + + client.delete(f"/app/project/access-request/{access_request.id}") + + assert ( + audit_capture.one(SyncEventType.PROJECT_ACCESS_REQUEST_REJECTED).context[ + "target_email" + ] + == requester.email + ) + + +def test_project_version_created(client, audit_capture): + from .utils import file_info + from . import test_project_dir + + project = Project.query.filter_by( + workspace_id=test_workspace_id, name=test_project + ).first() + # A remove-only push needs no chunk uploads so it's self-contained. + data = { + "version": "v1", + "changes": { + "added": [], + "updated": [], + "removed": [file_info(test_project_dir, "test3.txt")], + }, + } + resp = client.post(f"/v2/projects/{project.id}/versions", json=data) + assert resp.status_code == 201 + + e = audit_capture.one(SyncEventType.PROJECT_VERSION_CREATED) + assert e.project_id == project.id + assert e.context["version"] == "v2" diff --git a/server/mergin/tests/utils.py b/server/mergin/tests/utils.py index 57f67e80..576f7da5 100644 --- a/server/mergin/tests/utils.py +++ b/server/mergin/tests/utils.py @@ -4,6 +4,7 @@ import json import shutil +from typing import List import pysqlite3 import uuid import math @@ -405,3 +406,26 @@ def logout(client): """Test helper to log out the client""" resp = client.get(url_for("/.mergin_auth_controller_logout")) assert resp.status_code == 200 + + +class ListSink: + """In-memory audit sink for use in automated tests. + + Install via the audit_capture fixture; do not use in production code. + """ + + def __init__(self): + self.events: List = [] + + def write(self, event) -> None: + self.events.append(event) + + def of_type(self, event_type) -> List: + """Return all captured events matching event_type.""" + return [e for e in self.events if e.event_type == event_type] + + def one(self, event_type): + """Assert exactly one event of event_type was captured and return it.""" + events = self.of_type(event_type) + assert len(events) == 1, f"Expected 1 {event_type} event, got {len(events)}" + return events[0] diff --git a/server/mergin/utils.py b/server/mergin/utils.py index aa878ffe..550bd1ce 100644 --- a/server/mergin/utils.py +++ b/server/mergin/utils.py @@ -116,6 +116,33 @@ def parse_order_params( return order_by_params +def get_user_agent(request) -> str: + """Return user agent from request headers. + + For browser clients returns a parsed summary; otherwise the raw header value. + """ + if request.user_agent.browser and request.user_agent.platform: + client = request.user_agent.browser.capitalize() + version = request.user_agent.version + system = request.user_agent.platform.capitalize() + return f"{client}/{version} ({system})" + return request.user_agent.string + + +def get_ip(request) -> str: + """Return the client IP address, respecting X-Forwarded-For from a proxy.""" + forwarded_ips = request.environ.get( + "HTTP_X_FORWARDED_FOR", request.environ.get("REMOTE_ADDR", "untrackable") + ) + # AWS infra may send a comma-separated list; the first entry is the real client IP + return forwarded_ips.split(",")[0] + + +def get_device_id(request) -> Optional[str]: + """Return the device UUID from the X-Device-Id header, or None if absent.""" + return request.headers.get("X-Device-Id") + + def format_time_delta(delta: timedelta) -> str: """Format timedelta difference approximately in days or hours""" days = round(delta.total_seconds() / (24 * 3600))