From 76c3b6fe0cf64af951355a0f93fd36c76f10114d Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Wed, 24 Apr 2024 14:06:15 +0200
Subject: [PATCH] Add logging of auth proxy user

---
 app/Extensions/RemoteUserProvider.php               |  4 +++-
 app/Http/Middleware/LogUserLastSeen.php             |  3 +--
 .../Authentication/VisitedByProxyUserListener.php   | 13 ++++++++-----
 app/Providers/EventServiceProvider.php              |  7 ++++---
 app/Services/Auth/ReverseProxyGuard.php             | 13 +++++++++----
 resources/js/components/AccessLogViewer.vue         |  2 ++
 resources/js/views/admin/users/Manage.vue           | 12 +++++++++---
 resources/lang/en/admin.php                         |  1 +
 8 files changed, 37 insertions(+), 18 deletions(-)

diff --git a/app/Extensions/RemoteUserProvider.php b/app/Extensions/RemoteUserProvider.php
index e7ce6df9..e87fe421 100644
--- a/app/Extensions/RemoteUserProvider.php
+++ b/app/Extensions/RemoteUserProvider.php
@@ -16,6 +16,8 @@ use Illuminate\Validation\ValidationException;
 
 class RemoteUserProvider implements UserProvider
 {
+    const FAKE_REMOTE_DOMAIN = '@remote';
+    
     /**
      * The currently authenticated user.
      *
@@ -85,7 +87,7 @@ class RemoteUserProvider implements UserProvider
      */
     protected function fakeRemoteEmail(mixed $id)
     {
-        return substr($id, 0, 184) . '@remote';
+        return substr($id, 0, 184) . self::FAKE_REMOTE_DOMAIN;
     }
 
     /**
diff --git a/app/Http/Middleware/LogUserLastSeen.php b/app/Http/Middleware/LogUserLastSeen.php
index c5d5ce42..40d7cc97 100644
--- a/app/Http/Middleware/LogUserLastSeen.php
+++ b/app/Http/Middleware/LogUserLastSeen.php
@@ -23,8 +23,7 @@ class LogUserLastSeen
             // We do not track activity of:
             // - Guest
             // - User authenticated against a bearer token
-            // - User authenticated via a reverse-proxy
-            if (Auth::guard($guard)->check() && ! $request->bearerToken() && config('auth.defaults.guard') !== 'reverse-proxy-guard') {
+            if (Auth::guard($guard)->check() && ! $request->bearerToken()) {
                 Auth::guard($guard)->user()->last_seen_at = Carbon::now()->format('Y-m-d H:i:s');
                 Auth::guard($guard)->user()->save();
                 break;
diff --git a/app/Listeners/Authentication/VisitedByProxyUserListener.php b/app/Listeners/Authentication/VisitedByProxyUserListener.php
index e026ccf5..0595df6d 100644
--- a/app/Listeners/Authentication/VisitedByProxyUserListener.php
+++ b/app/Listeners/Authentication/VisitedByProxyUserListener.php
@@ -1,8 +1,9 @@
 <?php
 
-namespace App\Authentication\Listeners;
+namespace App\Listeners\Authentication;
 
 use App\Events\VisitedByProxyUser;
+use App\Extensions\RemoteUserProvider;
 use App\Listeners\Authentication\AbstractAccessListener;
 use App\Notifications\SignedInWithNewDevice;
 use Illuminate\Support\Carbon;
@@ -28,15 +29,17 @@ class VisitedByProxyUserListener extends AbstractAccessListener
         $userAgent = $this->request->userAgent();
         $known     = $user->authentications()->whereIpAddress($ip)->whereUserAgent($userAgent)->whereLoginSuccessful(true)->first();
         $newUser   = Carbon::parse($user->{$user->getCreatedAtColumn()})->diffInMinutes(Carbon::now()) < 1;
+        $guard     = config('auth.defaults.guard');
 
         $log = $user->authentications()->create([
-            'ip_address' => $ip,
-            'user_agent' => $userAgent,
-            'login_at' => now(),
+            'ip_address'       => $ip,
+            'user_agent'       => $userAgent,
+            'login_at'         => now(),
             'login_successful' => true,
+            'guard'            => $guard,
         ]);
 
-        if (! $known && ! $newUser && $user->preferences['notifyOnNewAuthDevice']) {
+        if (! $known && ! $newUser && ! str_ends_with($user->email, RemoteUserProvider::FAKE_REMOTE_DOMAIN) && $user->preferences['notifyOnNewAuthDevice']) {
             $user->notify(new SignedInWithNewDevice($log));
         }
     }
diff --git a/app/Providers/EventServiceProvider.php b/app/Providers/EventServiceProvider.php
index d241c6ea..16a08ed7 100644
--- a/app/Providers/EventServiceProvider.php
+++ b/app/Providers/EventServiceProvider.php
@@ -2,6 +2,7 @@
 
 namespace App\Providers;
 
+use App\Listeners\Authentication\VisitedByProxyUserListener;
 use App\Events\GroupDeleted;
 use App\Events\GroupDeleting;
 use App\Events\VisitedByProxyUser;
@@ -65,9 +66,9 @@ class EventServiceProvider extends ServiceProvider
         Logout::class => [
             LogoutListener::class,
         ],
-        // VisitedByProxyUser::class => [
-        //     ProxyUserAccessListener::class,
-        // ],
+        VisitedByProxyUser::class => [
+            VisitedByProxyUserListener::class,
+        ],
     ];
 
     /**
diff --git a/app/Services/Auth/ReverseProxyGuard.php b/app/Services/Auth/ReverseProxyGuard.php
index b4ab5221..61ff4afc 100644
--- a/app/Services/Auth/ReverseProxyGuard.php
+++ b/app/Services/Auth/ReverseProxyGuard.php
@@ -5,6 +5,7 @@
 
 namespace App\Services\Auth;
 
+use App\Events\VisitedByProxyUser;
 use Illuminate\Auth\GuardHelpers;
 use Illuminate\Contracts\Auth\Guard;
 use Illuminate\Contracts\Auth\UserProvider;
@@ -17,14 +18,12 @@ class ReverseProxyGuard implements Guard
     /**
      * The currently authenticated user.
      *
-     * @var \Illuminate\Contracts\Auth\Authenticatable|null
+     * @var \Illuminate\Contracts\Auth\Authenticatable|\App\Models\User|null
      */
     protected $user;
 
     /**
      * Create a new authentication guard.
-     *
-     * @return void
      */
     public function __construct(UserProvider $provider)
     {
@@ -76,7 +75,13 @@ class ReverseProxyGuard implements Guard
             }
         }
 
-        return $this->user = $this->provider->retrieveById($identifier);
+        if ($this->user = $this->provider->retrieveById($identifier)) {
+            if ($this->user->lastLoginAt() < now()->subMinutes(15)) {
+                event(new VisitedByProxyUser($this->user));
+            }
+        }
+
+        return $this->user;
     }
 
     /**
diff --git a/resources/js/components/AccessLogViewer.vue b/resources/js/components/AccessLogViewer.vue
index 57445fa2..c1f45182 100644
--- a/resources/js/components/AccessLogViewer.vue
+++ b/resources/js/components/AccessLogViewer.vue
@@ -7,6 +7,7 @@
     import { UseColorMode } from '@vueuse/components'
 
     const notify = useNotifyStore()
+    const $2fauth = inject('2fauth')
 
     const props = defineProps({
         userId: [Number, String],
@@ -171,6 +172,7 @@
                     <div>
                         <span v-if="isFailedEntry(authentication)" v-html="$t('admin.failed_login_on', { login_at: authentication.login_at })" />
                         <span v-else-if="isSuccessfulLogout(authentication)" v-html="$t('admin.successful_logout_on', { login_at: authentication.logout_at })" />
+                        <span v-else-if="$2fauth.config.proxyAuth" v-html="$t('admin.viewed_on', { login_at: authentication.login_at })" />
                         <span v-else v-html="$t('admin.successful_login_on', { login_at: authentication.login_at })" />
                     </div>
                     <div>
diff --git a/resources/js/views/admin/users/Manage.vue b/resources/js/views/admin/users/Manage.vue
index fd831af1..fdf11bcc 100644
--- a/resources/js/views/admin/users/Manage.vue
+++ b/resources/js/views/admin/users/Manage.vue
@@ -11,6 +11,7 @@
     const router = useRouter()
     const user = useUserStore()
     const bus = useBusStore()
+    const $2fauth = inject('2fauth')
 
     const isFetching = ref(false)
     const managedUser = ref(null)
@@ -212,12 +213,14 @@
             <div class="block is-size-6 is-size-7-mobile has-text-grey">
                 {{ $t('admin.registered_on_date', { date: managedUser.info.created_at }) }} - {{ $t('admin.last_seen_on_date', { date: managedUser.info.last_seen_at }) }}
             </div>
+            <!-- isAdmin option -->
             <div class="block">
-                <!-- otp as dot -->
                 <FormCheckbox v-model="managedUser.info.is_admin" @update:model-value="val => saveAdminRole(val === true)" fieldName="is_admin" label="admin.forms.is_admin.label" help="admin.forms.is_admin.help" />
             </div>
-            <h2 class="title is-4 has-text-grey-light">{{ $t('admin.access') }}</h2>
-            <div class="block">
+            <h2 v-if="!$2fauth.config.proxyAuth" class="title is-4 has-text-grey-light">{{ $t('admin.access') }}</h2>
+            <!-- access -->
+            <div v-if="!$2fauth.config.proxyAuth" class="block">
+                <!-- reset password -->
                 <div class="list-item is-size-6 is-size-6-mobile has-text-grey">
                     <div class="mb-3 is-flex is-justify-content-space-between">
                         <div>
@@ -245,6 +248,7 @@
                         <span v-html="$t('admin.reset_password_help')" class="is-block block"></span>
                     </div>
                 </div>
+                <!-- personal access tokens -->
                 <div class="list-item is-size-6 is-size-6-mobile has-text-grey is-flex is-justify-content-space-between">
                     <div>
                         <span class="has-text-weight-bold">{{ $t('settings.personal_access_tokens') }}</span>
@@ -263,6 +267,7 @@
                         </div>
                     </div>
                 </div>
+                <!-- webauthn devices -->
                 <div class="list-item is-size-6 is-size-6-mobile has-text-grey is-flex is-justify-content-space-between">
                     <div>
                         <span class="has-text-weight-bold">{{ $t('auth.webauthn.security_devices') }}</span>
@@ -282,6 +287,7 @@
                     </div>
                 </div>
             </div>
+            <!-- last access -->
             <div class="block">
                 <h3 class="title is-5 has-text-grey-light mb-2">{{ $t('admin.last_accesses') }}</h3>
                 <AccessLogViewer :userId="props.userId" :lastOnly="true" @has-more-entries="showFullLogLink = true"/>
diff --git a/resources/lang/en/admin.php b/resources/lang/en/admin.php
index c454cbdc..762175ec 100644
--- a/resources/lang/en/admin.php
+++ b/resources/lang/en/admin.php
@@ -71,6 +71,7 @@ return [
     'successful_login_on' => 'Successful login on <span class="light-or-darker">:login_at</span>',
     'successful_logout_on' => 'Successful logout on <span class="light-or-darker">:login_at</span>',
     'failed_login_on' => 'Failed login on <span class="light-or-darker">:login_at</span>',
+    'viewed_on' => 'Viewed on <span class="light-or-darker">:login_at</span>',
     'last_accesses' => 'Last accesses',
     'see_full_log' => 'See full log',
     'browser_on_platform' => ':browser on :platform',