api: factor out auth logger and use for all API authentication failures

we have information here not available in the access log, especially if the /api2/extjs formatter is used, which encapsulates errors in a 200 response. So keep the auth log for now, but extend it use from create ticket calls to all authentication failures for API calls, this ensures one can also fail2ban tokens. Do that logging in a central place, which makes it simple but means that we do not have the user ID information available to include in the log. Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2025-08-13 22:00:01 +00:00 · 2020-11-04 16:12:13 +01:00 · 2020-11-04 16:12:13 +01:00 · 5d7ae1f38c
commit 5d7ae1f38c
parent 4031710b36
1 changed files with 13 additions and 0 deletions
--- a/src/server/rest.rs
+++ b/src/server/rest.rs
@ -164,6 +164,15 @@ fn log_response(
            ));
    }
 }
+pub fn auth_logger() -> Result<FileLogger, Error> {
+    let logger_options = tools::FileLogOptions {
+        append: true,
+        prefix_time: true,
+        owned_by_backup: true,
+        ..Default::default()
+    };
+    FileLogger::new(crate::buildcfg::API_AUTH_LOG_FN, logger_options)
+}

 fn get_proxied_peer(headers: &HeaderMap) -> Option<std::net::SocketAddr> {
    lazy_static! {
@ -687,6 +696,10 @@ async fn handle_request(
                match auth_result {
                    Ok(authid) => rpcenv.set_auth_id(Some(authid.to_string())),
                    Err(err) => {
+                        let peer = peer.ip();
+                        auth_logger()?
+                            .log(format!("authentication failure; rhost={} msg={}", peer, err));
+
                        // always delay unauthorized calls by 3 seconds (from start of request)
                        let err = http_err!(UNAUTHORIZED, "authentication failed - {}", err);
                        tokio::time::delay_until(Instant::from_std(delay_unauth_time)).await;