keep track of login attempts, both successful and failures

and show them in the account and admin interfaces. this should help with
debugging, to find misconfigured clients, and potentially find attackers trying
to login.

we include details like login name, account name, protocol, authentication
mechanism, ip addresses, tls connection properties, user-agent. and of course
the result.

we group entries by their details. repeat connections don't cause new records
in the database, they just increase the count on the existing record.

we keep data for at most 30 days. and we keep at most 10k entries per account.
to prevent unbounded growth. for successful login attempts, we store them all
for 30d. if a bad user causes so many entries this becomes a problem, it will
be time to talk to the user...

there is no pagination/searching yet in the admin/account interfaces. so the
list may be long. we only show the 10 most recent login attempts by default.
the rest is only shown on a separate page.

there is no way yet to disable this. may come later, either as global setting
or per account.

webapisrv/server.go

@@ -18,6 +18,7 @@ import (
 	"log/slog"
 	"mime"
 	"mime/multipart"
+	"net"
 	"net/http"
 	"net/textproto"
 	"reflect"
@@ -424,23 +425,24 @@ func (s server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	authResult := "error"
+	la := loginAttempt(r, "webapi", "httpbasic")
+	la.LoginAddress = email
 	defer func() {
+		store.LoginAttemptAdd(context.Background(), log, la)
 		metricDuration.WithLabelValues(fn).Observe(float64(time.Since(t0)) / float64(time.Second))
-		metrics.AuthenticationInc("webapi", "httpbasic", authResult)
 	}()
 
 	var err error
-	acc, err = store.OpenEmailAuth(log, email, password, true)
+	acc, la.AccountName, err = store.OpenEmailAuth(log, email, password, true)
 	if err != nil {
 		mox.LimiterFailedAuth.Add(remoteIP, t0, 1)
 		if errors.Is(err, mox.ErrDomainNotFound) || errors.Is(err, mox.ErrAddressNotFound) || errors.Is(err, store.ErrUnknownCredentials) || errors.Is(err, store.ErrLoginDisabled) {
 			log.Debug("bad http basic authentication credentials")
 			metricResults.WithLabelValues(fn, "badauth").Inc()
-			authResult = "badcreds"
+			la.Result = store.AuthBadCredentials
 			msg := "use http basic auth with email address as username"
 			if errors.Is(err, store.ErrLoginDisabled) {
-				authResult = "logindisabled"
+				la.Result = store.AuthLoginDisabled
 				msg = "login is disabled for this account"
 			}
 			w.Header().Set("WWW-Authenticate", "Basic realm=webapi")
@@ -450,7 +452,8 @@ func (s server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		writeError(webapi.Error{Code: "server", Message: "error verifying credentials"})
 		return
 	}
-	authResult = "ok"
+	la.AccountName = acc.Name
+	la.Result = store.AuthSuccess
 	mox.LimiterFailedAuth.Reset(remoteIP, t0)
 
 	ct := r.Header.Get("Content-Type")
@@ -526,6 +529,24 @@ func (s server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+// loginAttempt initializes a store.LoginAttempt, for adding to the store after
+// filling in the results and other details.
+func loginAttempt(r *http.Request, protocol, authMech string) store.LoginAttempt {
+	remoteIP, _, _ := net.SplitHostPort(r.RemoteAddr)
+	if remoteIP == "" {
+		remoteIP = r.RemoteAddr
+	}
+
+	return store.LoginAttempt{
+		RemoteIP:  remoteIP,
+		TLS:       store.LoginAttemptTLS(r.TLS),
+		Protocol:  protocol,
+		AuthMech:  authMech,
+		UserAgent: r.UserAgent(),
+		Result:    store.AuthError, // Replaced by caller.
+	}
+}
+
 func xcheckf(err error, format string, args ...any) {
 	if err != nil {
 		msg := fmt.Sprintf(format, args...)

webapisrv/server_test.go

@@ -61,8 +61,14 @@ func TestServer(t *testing.T) {
 	mox.Context = ctxbg
 	mox.ConfigStaticPath = filepath.FromSlash("../testdata/webapisrv/mox.conf")
 	mox.MustLoadConfig(true, false)
+	err := store.Init(ctxbg)
+	tcheckf(t, err, "store init")
+	defer func() {
+		err := store.Close()
+		tcheckf(t, err, "store close")
+	}()
 	defer store.Switchboard()()
-	err := queue.Init()
+	err = queue.Init()
 	tcheckf(t, err, "queue init")
 	defer queue.Shutdown()