feat(audit): emit auth_refresh_reuse_detected on refresh-token replay #109

Merged

YousifShkara merged 1 commit from feat/audit-refresh-reuse-event into main 2026-06-11 05:45:34 +02:00

Conversation 0 Commits 1 Files changed 2 +36 -1

YousifShkara commented 2026-06-11 05:45:31 +02:00

Owner

Copy link

Closes BUNYIP-88.

The refresh-token reuse detection branch in crates/bunyip-oidc/src/services/oidc_provider.rs correctly revokes the whole token family on replay (refresh_token_families.revoke_reason = 'reuse_detected') but the actual security event was silent: a TODO: emit audit event auth.refresh_reuse_detected sat at the spot where the audit-log row should have been written. On a live OP that is the difference between "we noticed a replay attack and shut it down" and "nothing happened, as far as ops can tell."

Changes:

• crates/bunyip-domain/src/models/audit.rs: add AuditAction::AuthRefreshReuseDetected and the matching "auth_refresh_reuse_detected" arm in as_str. Not an admin action (system-detected security event), so is_admin_action stays untouched.

• crates/bunyip-oidc/src/services/oidc_provider.rs: at the TODO site, after the family-revoke commit and before returning Err(OidcInvalidGrant), build a CreateAuditLog with action AuthRefreshReuseDetected, severity Critical, actor_id = old.user_id (so /admin/audit-logs?actor_id=... surfaces the affected user without needing extra context), resource = refresh_token_family/<family_id>, and metadata carrying client_id + the two timestamps that drove the detection (jti_used_at, jti_revoked_at). The actor_id is set directly rather than via with_actor to avoid a DB lookup for email + role in a security-event hot path; metadata carries the rest.

Write is best-effort: an audit-log insert failure logs a tracing::warn! line and does NOT change the Err(OidcInvalidGrant) returned to the caller. The security event is enforced (family revoked) regardless of whether the log line lands.

just check-container clean (modulo the pre-existing test_config_defaults parallel-env-var flake on main; 188 other tests pass; fmt + clippy + build clean).

#BUNYIP-88

Closes BUNYIP-88. The refresh-token reuse detection branch in `crates/bunyip-oidc/src/services/oidc_provider.rs` correctly revokes the whole token family on replay (`refresh_token_families.revoke_reason = 'reuse_detected'`) but the actual security event was silent: a `TODO: emit audit event auth.refresh_reuse_detected` sat at the spot where the audit-log row should have been written. On a live OP that is the difference between "we noticed a replay attack and shut it down" and "nothing happened, as far as ops can tell." Changes: - `crates/bunyip-domain/src/models/audit.rs`: add `AuditAction::AuthRefreshReuseDetected` and the matching `"auth_refresh_reuse_detected"` arm in `as_str`. Not an admin action (system-detected security event), so `is_admin_action` stays untouched. - `crates/bunyip-oidc/src/services/oidc_provider.rs`: at the TODO site, after the family-revoke commit and before returning `Err(OidcInvalidGrant)`, build a `CreateAuditLog` with action `AuthRefreshReuseDetected`, severity Critical, `actor_id = old.user_id` (so /admin/audit-logs?actor_id=... surfaces the affected user without needing extra context), `resource = refresh_token_family/<family_id>`, and metadata carrying client_id + the two timestamps that drove the detection (`jti_used_at`, `jti_revoked_at`). The actor_id is set directly rather than via `with_actor` to avoid a DB lookup for email + role in a security-event hot path; metadata carries the rest. Write is best-effort: an audit-log insert failure logs a `tracing::warn!` line and does NOT change the `Err(OidcInvalidGrant)` returned to the caller. The security event is enforced (family revoked) regardless of whether the log line lands. `just check-container` clean (modulo the pre-existing `test_config_defaults` parallel-env-var flake on `main`; 188 other tests pass; fmt + clippy + build clean). #BUNYIP-88

YousifShkara self-assigned this 2026-06-11 05:45:31 +02:00

YousifShkara added 1 commit 2026-06-11 05:45:31 +02:00

feat(audit): emit auth_refresh_reuse_detected on refresh-token replay ... 112f7ce059

Closes BUNYIP-88.

The refresh-token reuse detection branch in `crates/bunyip-oidc/src/services/oidc_provider.rs` correctly revokes the whole token family on replay (`refresh_token_families.revoke_reason = 'reuse_detected'`) but the actual security event was silent: a `TODO: emit audit event auth.refresh_reuse_detected` sat at the spot where the audit-log row should have been written. On a live OP that is the difference between "we noticed a replay attack and shut it down" and "nothing happened, as far as ops can tell."

Changes:

- `crates/bunyip-domain/src/models/audit.rs`: add `AuditAction::AuthRefreshReuseDetected` and the matching `"auth_refresh_reuse_detected"` arm in `as_str`. Not an admin action (system-detected security event), so `is_admin_action` stays untouched.

- `crates/bunyip-oidc/src/services/oidc_provider.rs`: at the TODO site, after the family-revoke commit and before returning `Err(OidcInvalidGrant)`, build a `CreateAuditLog` with action `AuthRefreshReuseDetected`, severity Critical, `actor_id = old.user_id` (so /admin/audit-logs?actor_id=... surfaces the affected user without needing extra context), `resource = refresh_token_family/<family_id>`, and metadata carrying client_id + the two timestamps that drove the detection (`jti_used_at`, `jti_revoked_at`). The actor_id is set directly rather than via `with_actor` to avoid a DB lookup for email + role in a security-event hot path; metadata carries the rest.

Write is best-effort: an audit-log insert failure logs a `tracing::warn!` line and does NOT change the `Err(OidcInvalidGrant)` returned to the caller. The security event is enforced (family revoked) regardless of whether the log line lands.

`just check-container` clean (modulo the pre-existing `test_config_defaults` parallel-env-var flake on `main`; 188 other tests pass; fmt + clippy + build clean).

#BUNYIP-88

YousifShkara merged commit 3009e9857e into main 2026-06-11 05:45:34 +02:00

YousifShkara deleted branch feat/audit-refresh-reuse-event 2026-06-11 05:45:34 +02:00

YousifShkara referenced this pull request from a commit 2026-06-11 05:45:35 +02:00

Merge pull request 'feat(audit): emit auth_refresh_reuse_detected on refresh-token replay' (#109) from feat/audit-refresh-reuse-event into main

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

YousifShkara

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

psa-systems/bunyip!109

No description provided.