feat: added activity log

2026-06-10 14:17:33 +02:00
parent 96f1a40266
commit 0442e4f699
16 changed files with 1027 additions and 579 deletions


@@ -12,6 +12,7 @@ JWTs are signed with a symmetric secret from the `JWT_SECRET` environment variab
| Middleware | `auth/middleware.go` | Extracts access tokens from bearer headers or cookies and injects claims into the request context. |
| Password helpers | `auth/password.go` | bcrypt hashing and verification. |
| Login/account handlers | `handlers/account.go` | Register, login, 2FA, refresh, logout, account settings, and user metadata. |
| Activity handlers | `handlers/activity.go` | Activity log endpoint, activity metadata recording, and audit middleware. |
| Passkey handlers | `handlers/passkeys.go` | WebAuthn/passkey registration, login, removal, and disable flows. |
| Persistent session storage | `storage/storage.go`, `storage/passkeys.go` | Refresh tokens, 2FA state, TOTP secret, recovery-code hashes, passkey credentials, and WebAuthn challenge state. |
| Frontend auth logic | `frontend/assets/js/auth.js`, `frontend/assets/js/login.js`, `frontend/assets/js/api.js` | Login UI, passkey login, token refresh, account settings, 2FA UI interactions, and passkey UI interactions. |
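Review bot: the new Activity handlers row points at `handlers/activity.go` but no row in the table says where `activity_logs` rows are persisted; the Persistent session storage row (`storage/storage.go`, `storage/passkeys.go`) still lists only refresh tokens, 2FA state, TOTP secret, recovery-code hashes, passkey credentials and WebAuthn challenge state. Add the activity storage file to that row (or give it its own row) so the component map stays complete. The row also mentions an "audit middleware" while the Middleware row describes `auth/middleware.go` as the component that injects claims into the request context; state the ordering between the two, because an audit hook that runs before claims are injected cannot attribute the recorded event to a user.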
@@ -263,3 +264,22 @@ The current implementation is usable for private/self-hosted deployments, but th
- Add optional session/device management UI.
- Consider encrypting TOTP secrets and passkey credential data at rest if the deployment threat model includes database disclosure.
- Expand tests for all authentication and account settings handlers.
## Activity Log
MiauInv records account, authentication, security, and inventory activity in the `activity_logs` table. The log is designed for user-visible traceability and lightweight security review.
Recorded examples include:
- password login success and failure,
- 2FA login success and failure,
- refresh-token rotation,
- logout,
- username and password changes,
- TOTP setup, enable, disable, and recovery-code regeneration,
- passkey registration, login, removal, and disable,
- inventory, location, project, stock, and allocation mutations.
The log does not store request bodies or secret values. Passwords, TOTP codes, recovery codes, refresh tokens, and WebAuthn payloads are excluded.
`GET /api/activity` returns the current user's recent activity with bounded `limit` and `offset` pagination. Admin users may request all activity with `?all=true`.
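Review bot: `GET /api/activity?all=true` is described as available to admin users, but the section does not say how the admin check is performed or what a non-admin receives when passing the flag (a 403, or results silently scoped to their own rows); document that, since an unchecked `all` parameter would expose every user's login history. "Bounded `limit` and `offset` pagination" should also name the maximum `limit` and the default page size. Because password and 2FA login failures are recorded, say which fields a failure row carries (attempted username, client address, user agent) so the "does not store request bodies or secret values" statement can be checked against the schema, and add a retention or pruning policy for `activity_logs`, which the section currently leaves unstated.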