home: auth log remote ip

AdguardTeam · Oct 27, 2023 · 6b11b46 · 6b11b46
1 parent 2a56c78
commit 6b11b46
Showing 1 changed file with 36 additions and 7 deletions.
diff --git a/internal/home/auth.go b/internal/home/auth.go
@@ -532,10 +532,39 @@ func RegisterAuthHandlers() {
 	httpRegister(http.MethodGet, "/control/logout", handleLogout)
 }
 
+// prepLogMsg prepares a message with IP address for logging and logs the IP
+// parsing error if any.
+func prepLogMsg(addr, format string, args ...any) (msg string) {
+	if len(args) > 0 {
+		format = fmt.Sprintf(format, args...)
+	}
+
+	ip, err := netutil.SplitHost(addr)
+	if err != nil {
+		log.Error("auth: getting remote address: %s", err)
+	}
+
+	return fmt.Sprintf("from ip %s: %s", ip, format)
+}
+
+// logDebugWithIP writes to debug log a formatted message with IP address and
+// logs the IP parsing error if any.
+func logDebugWithIP(addr, format string, args ...any) {
+	log.Debug("%s", prepLogMsg(addr, format, args...))
+}
+
+// logInfoWithIP writes to info log a formatted message with IP address and logs
+// the IP parsing error if any.
+func logInfoWithIP(addr, format string, args ...any) {
+	log.Info("%s", prepLogMsg(addr, format, args...))
+}
+
 // optionalAuthThird return true if user should authenticate first.
 func optionalAuthThird(w http.ResponseWriter, r *http.Request) (mustAuth bool) {
+	remoteAddr := r.RemoteAddr
+
 	if glProcessCookie(r) {
-		log.Debug("auth: authentication is handled by GL-Inet submodule")
+		logDebugWithIP(remoteAddr, "auth: authentication is handled by GL-Inet submodule")
 
 		return false
 	}
@@ -550,14 +579,14 @@ func optionalAuthThird(w http.ResponseWriter, r *http.Request) (mustAuth bool) {
 		if hasBasic {
 			_, isAuthenticated = Context.auth.findUser(user, pass)
 			if !isAuthenticated {
-				log.Info("auth: invalid Basic Authorization value")
+				logInfoWithIP(remoteAddr, "auth: invalid Basic Authorization value")
 			}
 		}
 	} else {
 		res := Context.auth.checkSession(cookie.Value)
 		isAuthenticated = res == checkSessionOK
 		if !isAuthenticated {
-			log.Debug("auth: invalid cookie value: %s", cookie)
+			logDebugWithIP(remoteAddr, "auth: invalid cookie value: %s", cookie)
 		}
 	}
 
@@ -567,13 +596,13 @@ func optionalAuthThird(w http.ResponseWriter, r *http.Request) (mustAuth bool) {
 
 	if p := r.URL.Path; p == "/" || p == "/index.html" {
 		if glProcessRedirect(w, r) {
-			log.Debug("auth: redirected to login page by GL-Inet submodule")
+			logDebugWithIP(remoteAddr, "auth: redirected to login page by GL-Inet submodule")
 		} else {
-			log.Debug("auth: redirected to login page")
+			logDebugWithIP(remoteAddr, "auth: redirected to login page")
 			http.Redirect(w, r, "login.html", http.StatusFound)
 		}
 	} else {
-		log.Debug("auth: responded with forbidden to %s %s", r.Method, p)
+		logDebugWithIP(remoteAddr, "auth: responded with forbidden to %s %s", r.Method, p)
 		w.WriteHeader(http.StatusForbidden)
 		_, _ = w.Write([]byte("Forbidden"))
 	}
@@ -600,7 +629,7 @@ func optionalAuth(
 					return
 				}
 
-				log.Debug("auth: invalid cookie value: %s", cookie)
+				logDebugWithIP(r.RemoteAddr, "auth: invalid cookie value: %s", cookie)
 			}
 		} else if isPublicResource(p) {
 			// Process as usual, no additional auth requirements.