[TECH] Ajout de monitoring sur api/token (PIX-15565)

pix-service-auto-merge · web-flow · commit 92f524e4cfaf · 2024-12-04T16:36:40.000+01:00
#10716
diff --git a/api/src/identity-access-management/application/monitor-pre-handlers.js b/api/src/identity-access-management/application/monitor-pre-handlers.js
@@ -0,0 +1,20 @@
+import { logger } from '../../shared/infrastructure/utils/logger.js';
+import { generateHash } from '../infrastructure/utils/crypto.js';
+
+async function monitorApiTokenRoute(request, h, dependencies = { logger }) {
+  const { username, refresh_token, grant_type, scope } = request.payload;
+
+  if (grant_type === 'password') {
+    const hash = generateHash(username);
+    dependencies.logger.warn({ hash, grant_type, scope }, 'Authentication attempt');
+  } else if (grant_type === 'refresh_token') {
+    const hash = generateHash(refresh_token);
+    dependencies.logger.warn({ hash, grant_type, scope }, 'Authentication attempt');
+  } else {
+    dependencies.logger.warn(request.payload, 'Authentication attempt with unknown method');
+  }
+
+  return true;
+}
+
+export const monitorPreHandlers = { monitorApiTokenRoute };
diff --git a/api/src/identity-access-management/application/token/token.route.js b/api/src/identity-access-management/application/token/token.route.js
@@ -2,6 +2,7 @@ import Joi from 'joi';
 
 import { BadRequestError, sendJsonApiError } from '../../../shared/application/http-errors.js';
 import { securityPreHandlers } from '../../../shared/application/security-pre-handlers.js';
+import { monitorPreHandlers } from '../monitor-pre-handlers.js';
 import { tokenController } from './token.controller.js';
 
 export const tokenRoutes = [
@@ -28,7 +29,7 @@ export const tokenRoutes = [
           }),
         ),
       },
-      pre: [{ method: securityPreHandlers.checkIfUserIsBlocked }],
+      pre: [{ method: monitorPreHandlers.monitorApiTokenRoute }, { method: securityPreHandlers.checkIfUserIsBlocked }],
       handler: (request, h) => tokenController.createToken(request, h),
       tags: ['identity-access-management', 'api', 'token'],
       notes: [
diff --git a/api/src/identity-access-management/infrastructure/utils/crypto.js b/api/src/identity-access-management/infrastructure/utils/crypto.js
@@ -0,0 +1,9 @@
+import crypto from 'node:crypto';
+
+export function generateHash(data) {
+  if (!data) return null;
+
+  const hash = crypto.createHash('sha256');
+  hash.update(data);
+  return hash.digest('hex');
+}
diff --git a/api/tests/identity-access-management/unit/application/monitor-pre-handlers.test.js b/api/tests/identity-access-management/unit/application/monitor-pre-handlers.test.js
@@ -0,0 +1,52 @@
+import { monitorPreHandlers } from '../../../../src/identity-access-management/application/monitor-pre-handlers.js';
+import { generateHash } from '../../../../src/identity-access-management/infrastructure/utils/crypto.js';
+import { expect, hFake, sinon } from '../../../test-helper.js';
+
+describe('Unit | Identity Access Management | Application | monitor-pre-handlers', function () {
+  describe('#monitorApiTokenRoute', function () {
+    it('logs authentication attempt with grant type password', function () {
+      // given
+      const username = 'test@email.com';
+      const grant_type = 'password';
+      const scope = 'pix-app';
+      const hash = generateHash(username);
+      const logger = { warn: sinon.stub() };
+      const request = { payload: { grant_type, username, scope } };
+
+      // when
+      monitorPreHandlers.monitorApiTokenRoute(request, hFake, { logger });
+
+      // then
+      expect(logger.warn).to.have.been.calledWith({ hash, grant_type, scope }, 'Authentication attempt');
+    });
+
+    it('logs authentication attempt with grant type refresh token', async function () {
+      // given
+      const refresh_token = '123';
+      const grant_type = 'refresh_token';
+      const scope = 'pix-app';
+      const hash = generateHash(refresh_token);
+      const logger = { warn: sinon.stub() };
+      const request = { payload: { grant_type, refresh_token, scope } };
+
+      // when
+      monitorPreHandlers.monitorApiTokenRoute(request, hFake, { logger });
+
+      // then
+      expect(logger.warn).to.have.been.calledWith({ hash, grant_type, scope }, 'Authentication attempt');
+    });
+
+    it('logs authentication attempt with grant type unknown', async function () {
+      // given
+      const grant_type = 'unknown';
+      const logger = { warn: sinon.stub() };
+      const request = { payload: { foo: 'bar', grant_type } };
+
+      // when
+      monitorPreHandlers.monitorApiTokenRoute(request, hFake, { logger });
+
+      // then
+      expect(logger.warn).to.have.been.calledWith(request.payload, 'Authentication attempt with unknown method');
+    });
+  });
+});
