24791061837

Committed 22 Apr 2026 04:50PM UTC coverage: 81.067%. First build

Build # 24791061837

Build Type

push

github

Committed by

web-flow

Commit Message

Add auditlogs (#1)

* Add auditlogs

* test

* test

* test

* test

* test

* test

Coverage Stats

164 of 233 branches covered (70.39%)

Branch coverage included in aggregate %.

1878 of 2390 new or added lines in 34 files covered. (78.58%)

2722 of 3327 relevant lines covered (81.82%)

6.69 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

92.59

/handler/api_v1_users.go

package handler

import (
        "net/http"
        "time"

        "github.com/labstack/echo/v4"
        "github.com/labstack/gommon/log"

        "github.com/DigitalTolk/wireguard-ui/model"
        "github.com/DigitalTolk/wireguard-ui/store"
        "github.com/DigitalTolk/wireguard-ui/util"
)

// APIListUsers returns all users
func APIListUsers(db store.IStore) echo.HandlerFunc {
        return func(c echo.Context) error {
                users, err := db.GetUsers()
                if err != nil {
                        return apiInternalError(c, "Cannot get user list")
                }
                return c.JSON(http.StatusOK, users)
        }
}

// APIGetUser returns a single user by username
func APIGetUser(db store.IStore) echo.HandlerFunc {
        return func(c echo.Context) error {
                username := c.Param("username")
                if !usernameRegexp.MatchString(username) {
                        return apiBadRequest(c, "Invalid username")
                }

                // non-admins can only access their own data
                if !isAdmin(c) && username != currentUser(c) {
                        return apiForbidden(c, "Cannot access other user data")
                }

                user, err := db.GetUserByName(username)
                if err != nil {
                        return apiNotFound(c, "User not found")
                }
                return c.JSON(http.StatusOK, user)
        }
}

// APICreateUser creates a new user
func APICreateUser(db store.IStore) echo.HandlerFunc {
        return func(c echo.Context) error {
                var body struct {
                        Username string `json:"username"`
                        Admin    bool   `json:"admin"`
                        Email    string `json:"email"`
                }
                if err := c.Bind(&body); err != nil {
                        return apiBadRequest(c, "Invalid request body")
                }

                if body.Username == "" || !usernameRegexp.MatchString(body.Username) {
                        return apiBadRequest(c, "Invalid username")
                }

                // check if user exists
                if _, err := db.GetUserByName(body.Username); err == nil {
                        return apiBadRequest(c, "Username already taken")
                }

                now := time.Now().UTC()
                user := model.User{
                        Username:  body.Username,
                        Email:     body.Email,
                        Admin:     body.Admin,
                        CreatedAt: now,
                        UpdatedAt: now,
                }

                if err := db.SaveUser(user); err != nil {
                        return apiInternalError(c, err.Error())
                }

                log.Infof("Created user: %s", user.Username)
                auditLogEvent(c, "user.create", "user", user.Username, map[string]interface{}{"admin": user.Admin})
                return c.JSON(http.StatusCreated, user)
        }
}

// APIUpdateUser updates an existing user
func APIUpdateUser(db store.IStore) echo.HandlerFunc {
        return func(c echo.Context) error {
                username := c.Param("username")
                if !usernameRegexp.MatchString(username) {
                        return apiBadRequest(c, "Invalid username")
                }

                // non-admins can only update their own data
                if !isAdmin(c) && username != currentUser(c) {
                        return apiForbidden(c, "Cannot update other user data")
                }

                user, err := db.GetUserByName(username)
                if err != nil {
                        return apiNotFound(c, "User not found")
                }

                var body struct {
                        Email       string `json:"email"`
                        DisplayName string `json:"display_name"`
                        Admin       *bool  `json:"admin"`
                }
                if err := c.Bind(&body); err != nil {
                        return apiBadRequest(c, "Invalid request body")
                }

                if body.Email != "" {
                        user.Email = body.Email
                }
                if body.DisplayName != "" {
                        user.DisplayName = body.DisplayName
                }
                // only admins can change admin status, and not their own
                if body.Admin != nil && isAdmin(c) && username != currentUser(c) {
                        user.Admin = *body.Admin
                }
                user.UpdatedAt = time.Now().UTC()

                if err := db.SaveUser(user); err != nil {
                        return apiInternalError(c, err.Error())
                }

                // update session if the current user updated themselves
                if username == currentUser(c) {
                        setUser(c, user.Username, user.Admin, util.GetDBUserCRC32(user))
                }

                log.Infof("Updated user: %s", user.Username)
                auditLogEvent(c, "user.update", "user", user.Username, nil)
                return c.JSON(http.StatusOK, user)
        }
}

// APIDeleteUser deletes a user
func APIDeleteUser(db store.IStore) echo.HandlerFunc {
        return func(c echo.Context) error {
                username := c.Param("username")
                if !usernameRegexp.MatchString(username) {
                        return apiBadRequest(c, "Invalid username")
                }

                if username == currentUser(c) {
                        return apiBadRequest(c, "Cannot delete yourself")
                }

                if err := db.DeleteUser(username); err != nil {
                        return apiInternalError(c, "Cannot delete user")
                }

                log.Infof("Deleted user: %s", username)
                auditLogEvent(c, "user.delete", "user", username, nil)
                return c.NoContent(http.StatusNoContent)
        }
}

1	package handler
2
3	import (
4	"net/http"
5	"time"
6
7	"github.com/labstack/echo/v4"
8	"github.com/labstack/gommon/log"
9
10	"github.com/DigitalTolk/wireguard-ui/model"
11	"github.com/DigitalTolk/wireguard-ui/store"
12	"github.com/DigitalTolk/wireguard-ui/util"
13	)
14
15	// APIListUsers returns all users
16	func APIListUsers(db store.IStore) echo.HandlerFunc {	1✔
17	return func(c echo.Context) error {	2✔
18	users, err := db.GetUsers()	1✔
19	if err != nil {	1✔
NEW 20	return apiInternalError(c, "Cannot get user list")	×
NEW 21	}	×
22	return c.JSON(http.StatusOK, users)	1✔
23	}
24	}
25
26	// APIGetUser returns a single user by username
27	func APIGetUser(db store.IStore) echo.HandlerFunc {	4✔
28	return func(c echo.Context) error {	8✔
29	username := c.Param("username")	4✔
30	if !usernameRegexp.MatchString(username) {	5✔
31	return apiBadRequest(c, "Invalid username")	1✔
32	}	1✔
33
34	// non-admins can only access their own data
35	if !isAdmin(c) && username != currentUser(c) {	4✔
36	return apiForbidden(c, "Cannot access other user data")	1✔
37	}	1✔
38
39	user, err := db.GetUserByName(username)	2✔
40	if err != nil {	3✔
41	return apiNotFound(c, "User not found")	1✔
42	}	1✔
43	return c.JSON(http.StatusOK, user)	1✔
44	}
45	}
46
47	// APICreateUser creates a new user
48	func APICreateUser(db store.IStore) echo.HandlerFunc {	4✔
49	return func(c echo.Context) error {	8✔
50	var body struct {	4✔
51	Username string `json:"username"`	4✔
52	Admin bool `json:"admin"`	4✔
53	Email string `json:"email"`	4✔
54	}	4✔
55	if err := c.Bind(&body); err != nil {	5✔
56	return apiBadRequest(c, "Invalid request body")	1✔
57	}	1✔
58
59	if body.Username == "" \|\| !usernameRegexp.MatchString(body.Username) {	4✔
60	return apiBadRequest(c, "Invalid username")	1✔
61	}	1✔
62
63	// check if user exists
64	if _, err := db.GetUserByName(body.Username); err == nil {	3✔
65	return apiBadRequest(c, "Username already taken")	1✔
66	}	1✔
67
68	now := time.Now().UTC()	1✔
69	user := model.User{	1✔
70	Username: body.Username,	1✔
71	Email: body.Email,	1✔
72	Admin: body.Admin,	1✔
73	CreatedAt: now,	1✔
74	UpdatedAt: now,	1✔
75	}	1✔
76		1✔
77	if err := db.SaveUser(user); err != nil {	1✔
NEW 78	return apiInternalError(c, err.Error())	×
NEW 79	}	×
80
81	log.Infof("Created user: %s", user.Username)	1✔
82	auditLogEvent(c, "user.create", "user", user.Username, map[string]interface{}{"admin": user.Admin})	1✔
83	return c.JSON(http.StatusCreated, user)	1✔
84	}
85	}
86
87	// APIUpdateUser updates an existing user
88	func APIUpdateUser(db store.IStore) echo.HandlerFunc {	7✔
89	return func(c echo.Context) error {	14✔
90	username := c.Param("username")	7✔
91	if !usernameRegexp.MatchString(username) {	8✔
92	return apiBadRequest(c, "Invalid username")	1✔
93	}	1✔
94
95	// non-admins can only update their own data
96	if !isAdmin(c) && username != currentUser(c) {	7✔
97	return apiForbidden(c, "Cannot update other user data")	1✔
98	}	1✔
99
100	user, err := db.GetUserByName(username)	5✔
101	if err != nil {	6✔
102	return apiNotFound(c, "User not found")	1✔
103	}	1✔
104
105	var body struct {	4✔
106	Email string `json:"email"`	4✔
107	DisplayName string `json:"display_name"`	4✔
108	Admin *bool `json:"admin"`	4✔
109	}	4✔
110	if err := c.Bind(&body); err != nil {	5✔
111	return apiBadRequest(c, "Invalid request body")	1✔
112	}	1✔
113
114	if body.Email != "" {	5✔
115	user.Email = body.Email	2✔
116	}	2✔
117	if body.DisplayName != "" {	4✔
118	user.DisplayName = body.DisplayName	1✔
119	}	1✔
120	// only admins can change admin status, and not their own
121	if body.Admin != nil && isAdmin(c) && username != currentUser(c) {	4✔
122	user.Admin = *body.Admin	1✔
123	}	1✔
124	user.UpdatedAt = time.Now().UTC()	3✔
125		3✔
126	if err := db.SaveUser(user); err != nil {	3✔
NEW 127	return apiInternalError(c, err.Error())	×
NEW 128	}	×
129
130	// update session if the current user updated themselves
131	if username == currentUser(c) {	4✔
132	setUser(c, user.Username, user.Admin, util.GetDBUserCRC32(user))	1✔
133	}	1✔
134
135	log.Infof("Updated user: %s", user.Username)	3✔
136	auditLogEvent(c, "user.update", "user", user.Username, nil)	3✔
137	return c.JSON(http.StatusOK, user)	3✔
138	}
139	}
140
141	// APIDeleteUser deletes a user
142	func APIDeleteUser(db store.IStore) echo.HandlerFunc {	3✔
143	return func(c echo.Context) error {	6✔
144	username := c.Param("username")	3✔
145	if !usernameRegexp.MatchString(username) {	4✔
146	return apiBadRequest(c, "Invalid username")	1✔
147	}	1✔
148
149	if username == currentUser(c) {	3✔
150	return apiBadRequest(c, "Cannot delete yourself")	1✔
151	}	1✔
152
153	if err := db.DeleteUser(username); err != nil {	1✔
NEW 154	return apiInternalError(c, "Cannot delete user")	×
NEW 155	}	×
156
157	log.Infof("Deleted user: %s", username)	1✔
158	auditLogEvent(c, "user.delete", "user", username, nil)	1✔
159	return c.NoContent(http.StatusNoContent)	1✔
160	}
161	}

DigitalTolk / wireguard-ui / 24791061837

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous