Merge branch 'main' into feat/account-deletion

packages/lib/server-only/2fa/disable-2fa.ts

@@ -1,21 +1,25 @@
 import { compare } from 'bcrypt';
 
 import { prisma } from '@documenso/prisma';
-import { User } from '@documenso/prisma/client';
+import type { User } from '@documenso/prisma/client';
+import { UserSecurityAuditLogType } from '@documenso/prisma/client';
 
 import { ErrorCode } from '../../next-auth/error-codes';
+import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { validateTwoFactorAuthentication } from './validate-2fa';
 
 type DisableTwoFactorAuthenticationOptions = {
   user: User;
   backupCode: string;
   password: string;
+  requestMetadata?: RequestMetadata;
 };
 
 export const disableTwoFactorAuthentication = async ({
   backupCode,
   user,
   password,
+  requestMetadata,
 }: DisableTwoFactorAuthenticationOptions) => {
   if (!user.password) {
     throw new Error(ErrorCode.USER_MISSING_PASSWORD);
@@ -33,15 +37,26 @@ export const disableTwoFactorAuthentication = async ({
     throw new Error(ErrorCode.INCORRECT_TWO_FACTOR_BACKUP_CODE);
   }
 
-  await prisma.user.update({
-    where: {
-      id: user.id,
-    },
-    data: {
-      twoFactorEnabled: false,
-      twoFactorBackupCodes: null,
-      twoFactorSecret: null,
-    },
+  await prisma.$transaction(async (tx) => {
+    await tx.user.update({
+      where: {
+        id: user.id,
+      },
+      data: {
+        twoFactorEnabled: false,
+        twoFactorBackupCodes: null,
+        twoFactorSecret: null,
+      },
+    });
+
+    await tx.userSecurityAuditLog.create({
+      data: {
+        userId: user.id,
+        type: UserSecurityAuditLogType.AUTH_2FA_DISABLE,
+        userAgent: requestMetadata?.userAgent,
+        ipAddress: requestMetadata?.ipAddress,
+      },
+    });
   });
 
   return true;

packages/lib/server-only/2fa/enable-2fa.ts

@@ -1,18 +1,21 @@
 import { ErrorCode } from '@documenso/lib/next-auth/error-codes';
 import { prisma } from '@documenso/prisma';
-import { User } from '@documenso/prisma/client';
+import { type User, UserSecurityAuditLogType } from '@documenso/prisma/client';
 
+import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { getBackupCodes } from './get-backup-code';
 import { verifyTwoFactorAuthenticationToken } from './verify-2fa-token';
 
 type EnableTwoFactorAuthenticationOptions = {
   user: User;
   code: string;
+  requestMetadata?: RequestMetadata;
 };
 
 export const enableTwoFactorAuthentication = async ({
   user,
   code,
+  requestMetadata,
 }: EnableTwoFactorAuthenticationOptions) => {
   if (user.identityProvider !== 'DOCUMENSO') {
     throw new Error(ErrorCode.INCORRECT_IDENTITY_PROVIDER);
@@ -32,13 +35,24 @@ export const enableTwoFactorAuthentication = async ({
     throw new Error(ErrorCode.INCORRECT_TWO_FACTOR_CODE);
   }
 
-  const updatedUser = await prisma.user.update({
-    where: {
-      id: user.id,
-    },
-    data: {
-      twoFactorEnabled: true,
-    },
+  const updatedUser = await prisma.$transaction(async (tx) => {
+    await tx.userSecurityAuditLog.create({
+      data: {
+        userId: user.id,
+        type: UserSecurityAuditLogType.AUTH_2FA_ENABLE,
+        userAgent: requestMetadata?.userAgent,
+        ipAddress: requestMetadata?.ipAddress,
+      },
+    });
+
+    return await tx.user.update({
+      where: {
+        id: user.id,
+      },
+      data: {
+        twoFactorEnabled: true,
+      },
+    });
   });
 
   const recoveryCodes = getBackupCodes({ user: updatedUser });

packages/lib/server-only/2fa/setup-2fa.ts

@@ -5,7 +5,7 @@ import { createTOTPKeyURI } from 'oslo/otp';
 
 import { ErrorCode } from '@documenso/lib/next-auth/error-codes';
 import { prisma } from '@documenso/prisma';
-import type { User } from '@documenso/prisma/client';
+import { type User } from '@documenso/prisma/client';
 
 import { DOCUMENSO_ENCRYPTION_KEY } from '../../constants/crypto';
 import { symmetricEncrypt } from '../../universal/crypto';