Log sensitive account changes

app/blueprints/users/account.py

@@ -24,7 +24,7 @@ from wtforms.validators import *
 
 from app.models import *
 from app.tasks.emails import sendVerifyEmail, sendEmailRaw
-from app.utils import randomString, make_flask_login_password, is_safe_url, check_password_hash
+from app.utils import randomString, make_flask_login_password, is_safe_url, check_password_hash, addAuditLog
 from passlib.pwd import genphrase
 
 from . import bp
@@ -112,6 +112,9 @@ def register():
 			user = User(form.username.data, False, form.email.data, make_flask_login_password(form.password.data))
 			db.session.add(user)
 
+			addAuditLog(AuditSeverity.USER, user, "Registered",
+					url_for("users.profile", username=user.username))
+
 			token = randomString(32)
 
 			ver = UserEmailVerification()
@@ -142,6 +145,9 @@ def forgot_password():
 		if user:
 			token = randomString(32)
 
+			addAuditLog(AuditSeverity.USER, user, "(Anonymous) requested a password reset",
+					url_for("users.profile", username=user.username), None)
+
 			ver = UserEmailVerification()
 			ver.user = user
 			ver.token = token
@@ -188,6 +194,8 @@ def handle_set_password(form):
 		flash("Passwords do not much", "danger")
 		return
 
+	addAuditLog(AuditSeverity.USER, current_user, "Changed their password", url_for("users.profile", username=current_user.username))
+
 	current_user.password = make_flask_login_password(form.password.data)
 	db.session.commit()
 
@@ -259,6 +267,9 @@ def verify_email():
 		flash("Unknown verification token!", "danger")
 		return redirect(url_for("homepage.home"))
 
+	addAuditLog(AuditSeverity.USER, ver.user, "Confirmed their email",
+			url_for("users.profile", username=ver.user.username))
+
 	was_activating = not ver.user.is_active
 	ver.user.is_active = True
 	ver.user.email = ver.email

app/models.py

@@ -1366,8 +1366,9 @@ class PackageReview(db.Model):
 
 class AuditSeverity(enum.Enum):
 	NORMAL = 0 # Normal user changes
-	EDITOR = 1 # Editor changes
-	MODERATION = 2 # Destructive / moderator changes
+	USER   = 1 # Security user changes
+	EDITOR = 2 # Editor changes
+	MODERATION = 3 # Destructive / moderator changes
 
 	def __str__(self):
 		return self.name

app/templates/admin/audit.html

@@ -26,6 +26,8 @@ Audit Log
 							<i class="fas fa-exclamation-triangle" style="color: yellow;"></i>
 						{% elif entry.severity == entry.severity.EDITOR %}
 							<i class="fas fa-users" style="color: #537eac;"></i>
+						{% elif entry.severity == entry.severity.USER %}
+							<i class="fas fa-user"></i>
 						{% endif %}
 					</div>
 

app/templates/base.html

@@ -7,7 +7,7 @@
 	<meta name="viewport" content="width=device-width, initial-scale=1">
 	<title>{% block title %}title{% endblock %} - {{ config.USER_APP_NAME }}</title>
 	<link rel="stylesheet" type="text/css" href="/static/bootstrap.css">
-	<link rel="stylesheet" type="text/css" href="/static/custom.css?v=14">
+	<link rel="stylesheet" type="text/css" href="/static/custom.css?v=15">
 	<link rel="search" type="application/opensearchdescription+xml" href="/static/opensearch.xml" title="ContentDB" />
 	<link rel="shortcut icon" href="/favicon-16.png" sizes="16x16">
 	<link rel="icon" href="/favicon-128.png" sizes="128x128">

migrations/versions/c154912eaa0c_.py

@@ -0,0 +1,24 @@
+"""empty message
+
+Revision ID: c154912eaa0c
+Revises: 7f166b5218d7
+Create Date: 2020-12-05 02:29:16.706564
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = 'c154912eaa0c'
+down_revision = '7f166b5218d7'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.execute("COMMIT")
+    op.execute("ALTER TYPE auditseverity ADD VALUE 'USER'")
+
+def downgrade():
+    pass