From 1204e0c1b26d470e58ce47ebc021923d4881811d Mon Sep 17 00:00:00 2001 From: derekc Date: Mon, 23 Mar 2026 08:44:04 -0700 Subject: [PATCH] Add IP, user-agent, and full titles to all auth ntfy notifications Co-Authored-By: Claude Sonnet 4.6 --- backend/app/routers/auth.py | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/backend/app/routers/auth.py b/backend/app/routers/auth.py index 412ce4a..180274e 100644 --- a/backend/app/routers/auth.py +++ b/backend/app/routers/auth.py @@ -31,7 +31,7 @@ COOKIE_OPTS = { @router.post("/register", response_model=TokenResponse, status_code=status.HTTP_201_CREATED) -async def register(body: RegisterRequest, response: Response, db: AsyncSession = Depends(get_db)): +async def register(body: RegisterRequest, response: Response, request: Request, db: AsyncSession = Depends(get_db)): existing = await db.execute(select(User).where(User.email == body.email)) if existing.scalar_one_or_none(): raise HTTPException(status_code=400, detail="Email already registered") @@ -59,9 +59,11 @@ async def register(body: RegisterRequest, response: Response, db: AsyncSession = refresh = create_refresh_token({"sub": str(user.id)}) response.set_cookie(REFRESH_COOKIE, refresh, **COOKIE_OPTS) + ip = request.headers.get("X-Forwarded-For", request.client.host if request.client else "unknown").split(",")[0].strip() + ua = request.headers.get("User-Agent", "unknown") await notify( - title="New User Registered", - message=f"{body.full_name} ({body.email})", + title="Homeschool Dashboard New User Registered", + message=f"Name: {body.full_name}\nEmail: {body.email}\nIP: {ip}\nUA: {ua}", priority="default", tags=["bust_in_silhouette"], ) @@ -74,20 +76,22 @@ _LOGIN_LOCKOUT_MINUTES = 15 @router.post("/login", response_model=TokenResponse) -async def login(body: LoginRequest, response: Response, db: AsyncSession = Depends(get_db)): +async def login(body: LoginRequest, response: Response, request: Request, db: AsyncSession = Depends(get_db)): result = await db.execute(select(User).where(User.email == body.email)) user = result.scalar_one_or_none() if not user: raise HTTPException(status_code=401, detail="Invalid credentials") now = datetime.now(timezone.utc).replace(tzinfo=None) + ip = request.headers.get("X-Forwarded-For", request.client.host if request.client else "unknown").split(",")[0].strip() + ua = request.headers.get("User-Agent", "unknown") if user.locked_until and user.locked_until > now: remaining = int((user.locked_until - now).total_seconds() / 60) + 1 logger.warning("Locked account login attempt for email=%s", body.email) await notify( - title="Login Attempt on Locked Account", - message=f"{body.email} — locked for {remaining} more minute(s)", + title="Homeschool Dashboard Login Attempt on Locked Account", + message=f"Email: {body.email}\nLocked for {remaining} more minute(s)\nIP: {ip}\nUA: {ua}", priority="high", tags=["lock"], ) @@ -103,8 +107,8 @@ async def login(body: LoginRequest, response: Response, db: AsyncSession = Depen user.locked_until = now + timedelta(minutes=_LOGIN_LOCKOUT_MINUTES) logger.warning("Account locked for email=%s after %d failed attempts", body.email, user.failed_login_attempts) await notify( - title="Account Locked", - message=f"{body.email} locked after {user.failed_login_attempts} failed attempts", + title="Homeschool Dashboard Account Locked", + message=f"Email: {body.email}\nLocked after {user.failed_login_attempts} failed attempts\nIP: {ip}\nUA: {ua}", priority="urgent", tags=["warning"], )