feat: enhance authentication auditing and IP handling

- Implemented client IP resolution in the authentication process, allowing for better tracking of user login attempts.
- Added auditing capabilities for authentication events, including success and failure logs with associated IP addresses.
- Updated the authentication service to validate client IP against allowed networks, enhancing security measures.
- Enhanced the audit schema to include IP information, providing more context for audit logs.
- Introduced new unit tests to ensure the reliability of the authentication auditing features and IP validation logic.

Author: tacxou

Makefile

@@ -12,6 +12,9 @@ IMG_NAME = "ghcr.io/libertech-fr/sesame-orchestrator"
 TEST_IMG_NAME = "sesame-orchestrator-test-local"
 BASE_NAME = "sesame"
 APP_NAME = "sesame-orchestrator"
+# Volume dédié : évite de monter les node_modules du mac (darwin) dans le conteneur Alpine (linux-*-musl),
+# ce qui casse les binaires optionnels (ex. oxc-parser / Nuxt). Nom sans guillemets (APP_NAME en contient).
+NODE_MODULES_VOLUME = sesame-orchestrator-node-modules
 PLATFORM = "linux/amd64"
 
 include .env
@@ -109,8 +112,9 @@ dev: ## Start development environment
 		-p $(APP_API_PORT):4000 \
 		-p $(APP_API_PORT_SECURE):4443 \
 		-v $(CURDIR):/data \
+		-v $(NODE_MODULES_VOLUME):/data/node_modules \
 		-v $(CURDIR)/etc/supervisor:/etc/supervisor \
-		$(IMG_NAME) yarn start:dev
+		$(IMG_NAME) sh -lc 'test -f node_modules/.yarn-integrity || yarn install --non-interactive; yarn start:dev'
 
 debug: ## Start debug environment
 	@docker run --rm -it \
@@ -131,7 +135,8 @@ debug: ## Start debug environment
 		-p $(APP_API_DEBUG_PORT):9229 \
 		-p $(APP_WEB_DEBUG_PORT):24678 \
 		-v $(CURDIR):/data \
-		$(IMG_NAME) yarn start:debug
+		-v $(NODE_MODULES_VOLUME):/data/node_modules \
+		$(IMG_NAME) sh -lc 'test -f node_modules/.yarn-integrity || yarn install --non-interactive; yarn start:debug'
 
 install: ## Install dependencies
 	@docker run -it --rm \
@@ -141,6 +146,7 @@ install: ## Install dependencies
 		--platform $(PLATFORM) \
 		--network dev \
 		-v $(CURDIR):/data \
+		-v $(NODE_MODULES_VOLUME):/data/node_modules \
 		$(IMG_NAME) yarn install
 
 exec: ## Run a shell in the container
@@ -152,6 +158,7 @@ exec: ## Run a shell in the container
 		--network dev \
 		-e SESAME_SENTRY_DSN=$(SESAME_SENTRY_DSN) \
 		-v $(CURDIR):/data \
+		-v $(NODE_MODULES_VOLUME):/data/node_modules \
 		$(IMG_NAME) bash
 
 build-test-image: ## Build local Docker image dedicated to tests

apps/api/package.json

@@ -57,6 +57,7 @@
     "helmet": "^7.1.0",
     "hibp": "^14.1.2",
     "ioredis": "^5.4.1",
+    "ip-range-check": "^0.2.0",
     "is-plain-object": "^5.0.0",
     "joi": "^18.0.1",
     "liquidjs": "^10.25.5",
@@ -107,6 +108,7 @@
     "@types/passport-http": "^0.3.11",
     "@types/passport-jwt": "^4.0.1",
     "@types/passport-local": "^1.0.38",
+    "@types/request-ip": "^0.0.41",
     "@types/supertest": "^6.0.2",
     "@typescript-eslint/eslint-plugin": "^8.15.0",
     "@typescript-eslint/parser": "^8.15.0",

apps/api/src/_common/functions/resolve-client-ip.ts

@@ -1,5 +1,4 @@
 import type { Request } from 'express';
-import requestIp from 'request-ip';
 
 /**
  * Lit une en-tête HTTP (string ou première entrée d'un tableau).
@@ -37,73 +36,11 @@ function normalizeIp(raw: string | undefined | null): string | null {
   return value.startsWith('::ffff:') ? value.slice(7) : value;
 }
 
-function isLoopbackIp(ip: string | null): boolean {
-  return ip === '127.0.0.1' || ip === '::1';
-}
-
-function isPrivateIpv4(ip: string): boolean {
-  const parts = ip.split('.').map((p): number => Number.parseInt(p, 10));
-  if (parts.length !== 4 || parts.some((n) => Number.isNaN(n) || n < 0 || n > 255)) {
-    return false;
-  }
-  const [a, b] = parts;
-  if (a === 10) {
-    return true;
-  }
-  if (a === 172 && b >= 16 && b <= 31) {
-    return true;
-  }
-  if (a === 192 && b === 168) {
-    return true;
-  }
-  return false;
-}
-
-function hasForwardingHeaders(req: Request): boolean {
-  const forwarded = ['x-forwarded-for', 'x-real-ip', 'cf-connecting-ip', 'true-client-ip'] as const;
-  return forwarded.some((name) => Boolean(normalizeIp(firstCsvSegment(headerString(req, name)) ?? headerString(req, name) ?? null)));
-}
-
-function hostLooksLocal(req: Request): boolean {
-  const host = headerString(req, 'host');
-  if (!host) {
-    return false;
-  }
-  const hostname = host.split(':')[0]?.trim().toLowerCase();
-  return hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1';
-}
-
-function localDevFallbackIp(req: Request, peerIp: string | null): string | null {
-  if (!hostLooksLocal(req) || hasForwardingHeaders(req) || !peerIp) {
-    return null;
-  }
-  if (isLoopbackIp(peerIp) || isPrivateIpv4(peerIp)) {
-    return null;
-  }
-  return '127.0.0.1';
-}
-
 /** Paire TCP (souvent le dernier proxy / relai), normalisée. */
 function tcpPeerIp(req: Request): string | null {
   return normalizeIp(req.socket?.remoteAddress ?? null);
 }
 
-/**
- * Nitro / certains proxies posent X-Forwarded-For = IP du pair TCP sans ajouter la vraie IP client.
- * Dans ce cas l’en-tête est trompeur : on l’ignore pour request-ip aussi.
- */
-function requestForIpResolution(req: Request): Request {
-  const peer = tcpPeerIp(req);
-  const xffRaw = headerString(req, 'x-forwarded-for');
-  const xffFirst = normalizeIp(firstCsvSegment(xffRaw) ?? (xffRaw?.trim() || null));
-  if (!peer || !xffFirst || xffFirst !== peer) {
-    return req;
-  }
-  const headers = { ...req.headers } as Request['headers'];
-  delete headers['x-forwarded-for'];
-  return { ...req, headers } as Request;
-}
-
 /**
  * Résout l'IP client réelle derrière CDN / reverse-proxy (Cloudflare, nginx, etc.).
  * À utiliser pour l'auth et les audits ; combiner avec `trust proxy` sur Express si besoin.
@@ -114,10 +51,6 @@ function requestForIpResolution(req: Request): Request {
  */
 export function resolveClientIp(req: Request): string | null {
   const peerIp = tcpPeerIp(req);
-  const forcedLocalIp = localDevFallbackIp(req, peerIp);
-  if (forcedLocalIp) {
-    return forcedLocalIp;
-  }
   const orderedHeaders = ['cf-connecting-ip', 'true-client-ip', 'x-real-ip', 'x-forwarded-for'] as const;
 
   for (const name of orderedHeaders) {
@@ -134,11 +67,6 @@ export function resolveClientIp(req: Request): string | null {
     return ip;
   }
 
-  const fromLib = normalizeIp(requestIp.getClientIp(requestForIpResolution(req)) ?? null);
-  if (fromLib) {
-    return fromLib;
-  }
-
   const expressIp = normalizeIp(req.ip ?? null);
   if (expressIp) {
     return expressIp;

apps/api/src/_common/plugins/mongoose/history.plugin.ts

@@ -4,6 +4,7 @@ import { Audits } from '~/core/audits/_schemas/audits.schema'
 import * as _ from 'radash'
 import { RequestContext } from "nestjs-request-context"
 import { Logger } from "@nestjs/common"
+import { resolveClientIp } from '~/_common/functions/resolve-client-ip'
 
 export const HISTORY_PLUGIN_BEFORE_KEY = '_auditBefore'
 
@@ -89,6 +90,12 @@ function resolveAgent(): any {
   }
 }
 
+function resolveIp(): string | null {
+  const req = RequestContext.currentContext?.req
+  if (!req) return null
+  return resolveClientIp(req)
+}
+
 export function historyPlugin(schema: Schema, options: HistoryPluginOptions) {
   const defaultOptions = {
     auditsModelName: Audits.name,
@@ -126,11 +133,13 @@ export function historyPlugin(schema: Schema, options: HistoryPluginOptions) {
 
     logger.log(`Creating audit log for ${mergedOptions.collectionName} ${after?._id ?? before?._id}`)
     const agent = resolveAgent()
+    const ip = resolveIp()
     const AuditsModel: Model<any> = this.model(mergedOptions.auditsModelName!)
     await AuditsModel.create({
       coll: mergedOptions.collectionName,
       documentId: after?._id ?? before?._id,
       op: before ? AuditOperation.UPDATE : AuditOperation.INSERT,
+      ip: ip ?? undefined,
       agent,
       data: after,
       changes,
@@ -159,11 +168,13 @@ export function historyPlugin(schema: Schema, options: HistoryPluginOptions) {
 
     logger.log(`Creating audit log for ${mergedOptions.collectionName} ${after?._id ?? before?._id}`)
     const agent = resolveAgent()
+    const ip = resolveIp()
     const AuditsModel: Model<any> = this.model.db.model(mergedOptions.auditsModelName!)
     await AuditsModel.create({
       coll: mergedOptions.collectionName,
       documentId: after?._id ?? before?._id,
       op: before ? AuditOperation.UPDATE : AuditOperation.INSERT,
+      ip: ip ?? undefined,
       agent,
       data: after,
       changes,

apps/api/src/config.ts

@@ -173,6 +173,15 @@ export const validationSchema = Joi.object({
   SESAME_IDENTITY_DOUBLON_SEARCH_ATTRIBUTES: Joi
     .string()
     .default(''),
+
+  /**
+   * Active trust proxy Express (1 hop) pour que req.ip / X-Forwarded-For reflètent le client derrière un reverse-proxy.
+   * @see https://expressjs.com/en/guide/behind-proxies.html
+   */
+  SESAME_TRUST_PROXY: Joi
+    .string()
+    .valid('0', '1', 'false', 'true', 'on', 'off', '')
+    .default('0'),
 });
 
 /**
@@ -201,6 +210,8 @@ export interface ConfigInstance {
     lang: string
     logLevel: string
     nameQueue: string
+    /** Si true, Express applique trust proxy (1 hop) pour les adresses IP client derrière un proxy. */
+    trustProxy: boolean
     bodyParser: {
       limit: string
     }
@@ -299,6 +310,7 @@ export default (): ConfigInstance => ({
     lang: process.env['LANG'] || 'en',
     logLevel: process.env['SESAME_LOG_LEVEL'] || 'info',
     nameQueue: process.env['SESAME_NAME_QUEUE'] || 'sesame',
+    trustProxy: /^(1|true|on|yes)$/i.test(process.env['SESAME_TRUST_PROXY'] || ''),
     bodyParser: {
       limit: '500mb',
     },

apps/api/src/core/audits/_schemas/audits.schema.ts

@@ -18,6 +18,8 @@ export enum AuditOperation {
   DELETE = 'delete',
   /** Remplacement complet d'un enregistrement */
   REPLACE = 'replace',
+  /** Tentative d'authentification */
+  AUTHENTICATION = 'authentication',
 }
 
 /**
@@ -98,15 +100,15 @@ export class Audits extends AbstractSchema {
    * Type d'opération effectuée sur le document.
    * Détermine la nature de la modification auditée.
    *
-   * @type {'insert' | 'update' | 'delete' | 'replace'}
+   * @type {'insert' | 'update' | 'delete' | 'replace' | 'authentication'}
    * @see {AuditOperation}
    */
   @Prop({
     type: String,
     required: true,
     enum: AuditOperation,
   })
-  public op!: 'insert' | 'update' | 'delete' | 'replace'
+  public op!: 'insert' | 'update' | 'delete' | 'replace' | 'authentication'
 
   /**
    * Agent (utilisateur ou système) qui a effectué l'opération.
@@ -142,6 +144,17 @@ export class Audits extends AbstractSchema {
    */
   @Prop({ type: Array, of: Object })
   public changes?: ChangesType[]
+
+  /**
+   * Adresse IP source associée à l'action auditée.
+   * Principalement utilisée pour les événements d'authentification,
+   * mais disponible globalement pour tous les audits.
+   *
+   * @type {string}
+   * @optional
+   */
+  @Prop({ type: String })
+  public ip?: string
 }
 
 /**

apps/api/src/core/audits/audits.controller.ts

@@ -37,6 +37,7 @@ export class AuditsController extends AbstractController {
     coll: 1,
     documentId: 1,
     op: 1,
+    ip: 1,
     agent: 1,
     'changes.path': 1,
     'changes.type': 1,
@@ -47,6 +48,7 @@ export class AuditsController extends AbstractController {
     coll: 1,
     documentId: 1,
     op: 1,
+    ip: 1,
     agent: 1,
     changes: 1,
     metadata: 1,
@@ -56,6 +58,7 @@ export class AuditsController extends AbstractController {
     coll: 1,
     documentId: 1,
     op: 1,
+    ip: 1,
     'agent.name': 1,
     'changes.path': 1,
     'changes.value': 1,

apps/api/src/core/audits/audits.service.ts

@@ -1,8 +1,9 @@
 import { Injectable } from '@nestjs/common'
 import { InjectModel } from '@nestjs/mongoose'
-import { Audits } from '~/core/audits/_schemas/audits.schema'
+import { Audits, AuditOperation } from '~/core/audits/_schemas/audits.schema'
 import { Model } from 'mongoose'
 import { AbstractServiceSchema } from '~/_common/abstracts/abstract.service.schema'
+import { Types } from 'mongoose'
 
 /**
  * Service de gestion des audits et de l'historique des enregistrements.
@@ -40,4 +41,44 @@ export class AuditsService extends AbstractServiceSchema<Audits> {
     const values = await this._model.distinct('coll', { coll: { $exists: true, $ne: null } })
     return values.filter((item): item is string => typeof item === 'string' && item.trim().length > 0).sort()
   }
+
+  public async createAuthenticationAudit(params: {
+    username: string
+    ip: string | null
+    result: 'success' | 'failure'
+    reason: string
+    agentId?: Types.ObjectId | string
+  }): Promise<Audits> {
+    const agentObjectId =
+      params.agentId instanceof Types.ObjectId
+        ? params.agentId
+        : typeof params.agentId === 'string' && Types.ObjectId.isValid(params.agentId)
+          ? new Types.ObjectId(params.agentId)
+          : new Types.ObjectId()
+
+    const createdAt = new Date()
+
+    return this._model.create({
+      coll: 'auth',
+      documentId: agentObjectId,
+      op: AuditOperation.AUTHENTICATION,
+      ip: params.ip ?? undefined,
+      agent: {
+        $ref: 'agents',
+        id: agentObjectId,
+        name: params.username,
+      },
+      data: {
+        event: 'authentication_attempt',
+        username: params.username,
+        ip: params.ip,
+        result: params.result,
+        reason: params.reason,
+      },
+      metadata: {
+        createdBy: params.username,
+        createdAt,
+      },
+    })
+  }
 }