feat: complete Phase 2.6 - Security Hardening

- Implement session management with device tracking - Implement audit logging system - Implement account lockout for brute-force protection - Add security headers middleware - Add rate limiting middleware (stub) - Integrate security services into main application Build Status: Compiles successfully Phase: 2.6 of 8 (75% complete)
2026-03-05 09:09:46 -03:00 · 2026-03-05 09:09:46 -03:00 · 4627903999
commit 4627903999
parent be49d9d674
17 changed files with 910 additions and 61 deletions
--- a/backend/src/models/audit_log.rs
+++ b/backend/src/models/audit_log.rs
@ -0,0 +1,118 @@
+use mongodb::{
+    Collection,
+    bson::{doc, oid::ObjectId},
+};
+use futures::stream::TryStreamExt;
+use serde::{Deserialize, Serialize};
+use anyhow::Result;
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub enum AuditEventType {
+    #[serde(rename = "login_success")]
+    LoginSuccess,
+    #[serde(rename = "login_failed")]
+    LoginFailed,
+    #[serde(rename = "logout")]
+    Logout,
+    #[serde(rename = "password_recovery")]
+    PasswordRecovery,
+    #[serde(rename = "password_changed")]
+    PasswordChanged,
+    #[serde(rename = "account_created")]
+    AccountCreated,
+    #[serde(rename = "account_deleted")]
+    AccountDeleted,
+    #[serde(rename = "data_accessed")]
+    DataAccessed,
+    #[serde(rename = "data_modified")]
+    DataModified,
+    #[serde(rename = "data_shared")]
+    DataShared,
+    #[serde(rename = "session_created")]
+    SessionCreated,
+    #[serde(rename = "session_revoked")]
+    SessionRevoked,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct AuditLog {
+    #[serde(rename = "_id", skip_serializing_if = "Option::is_none")]
+    pub id: Option<ObjectId>,
+    pub event_type: AuditEventType,
+    pub user_id: Option<ObjectId>,
+    pub email: Option<String>,
+    pub ip_address: String,
+    pub resource_type: Option<String>,
+    pub resource_id: Option<String>,
+    pub timestamp: mongodb::bson::DateTime,
+}
+
+#[derive(Clone)]
+pub struct AuditLogRepository {
+    collection: Collection<AuditLog>,
+}
+
+impl AuditLogRepository {
+    pub fn new(db: &mongodb::Database) -> Self {
+        let collection = db.collection("audit_logs");
+        Self { collection }
+    }
+
+    pub async fn log(
+        &self,
+        event_type: AuditEventType,
+        user_id: Option<ObjectId>,
+        email: Option<String>,
+        ip_address: String,
+        resource_type: Option<String>,
+        resource_id: Option<String>,
+    ) -> Result<ObjectId> {
+        let audit_log = AuditLog {
+            id: None,
+            event_type,
+            user_id,
+            email,
+            ip_address,
+            resource_type,
+            resource_id,
+            timestamp: mongodb::bson::DateTime::now(),
+        };
+
+        self.collection
+            .insert_one(audit_log, None)
+            .await?
+            .inserted_id
+            .as_object_id()
+            .ok_or_else(|| anyhow::anyhow!("Failed to get inserted id"))
+    }
+
+    pub async fn find_by_user(&self, user_id: &ObjectId) -> Result<Vec<AuditLog>> {
+        let cursor = self.collection
+            .find(
+                doc! {
+                    "user_id": user_id
+                },
+                None,
+            )
+            .await?;
+
+        let logs: Vec<AuditLog> = cursor.try_collect().await?;
+        Ok(logs)
+    }
+
+    pub async fn find_recent(&self, limit: u64) -> Result<Vec<AuditLog>> {
+        use mongodb::options::FindOptions;
+        
+        let opts = FindOptions::builder()
+            .sort(doc! { "timestamp": -1 })
+            .limit(limit as i64)
+            .build();
+
+        let cursor = self.collection
+            .find(doc! {}, opts)
+            .await?;
+
+        let logs: Vec<AuditLog> = cursor.try_collect().await?;
+        Ok(logs)
+    }
+}
--- a/backend/src/models/mod.rs
+++ b/backend/src/models/mod.rs
@ -7,3 +7,5 @@ pub mod medication;
 pub mod appointment;
 pub mod share;
 pub mod permission;
+pub mod session;
+pub mod audit_log;
--- a/backend/src/models/session.rs
+++ b/backend/src/models/session.rs
@ -0,0 +1,123 @@
+use mongodb::{
+    Collection,
+    bson::{doc, oid::ObjectId},
+};
+use futures::stream::TryStreamExt;
+use serde::{Deserialize, Serialize};
+use anyhow::Result;
+use std::time::SystemTime;
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct DeviceInfo {
+    pub device_type: String,  // "mobile", "desktop", "tablet"
+    pub os: String,           // "iOS", "Android", "Windows", "macOS", "Linux"
+    pub browser: Option<String>,
+    pub ip_address: String,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct Session {
+    #[serde(rename = "_id", skip_serializing_if = "Option::is_none")]
+    pub id: Option<ObjectId>,
+    pub user_id: ObjectId,
+    pub device_info: DeviceInfo,
+    pub token_hash: String,   // Hash of the JWT token
+    pub created_at: mongodb::bson::DateTime,
+    pub last_used_at: mongodb::bson::DateTime,
+    pub expires_at: mongodb::bson::DateTime,
+    pub is_revoked: bool,
+}
+
+#[derive(Clone)]
+pub struct SessionRepository {
+    collection: Collection<Session>,
+}
+
+impl SessionRepository {
+    pub fn new(db: &mongodb::Database) -> Self {
+        let collection = db.collection("sessions");
+        Self { collection }
+    }
+
+    pub async fn create(
+        &self,
+        user_id: ObjectId,
+        device_info: DeviceInfo,
+        token_hash: String,
+        duration_hours: i64,
+    ) -> Result<ObjectId> {
+        let now = SystemTime::now();
+        let now_bson = mongodb::bson::DateTime::from(now);
+        
+        let expires_at = SystemTime::now()
+            .checked_add(std::time::Duration::from_secs(duration_hours as u64 * 3600))
+            .ok_or_else(|| anyhow::anyhow!("Invalid duration"))?;
+        let expires_at_bson = mongodb::bson::DateTime::from(expires_at);
+
+        let session = Session {
+            id: None,
+            user_id,
+            device_info,
+            token_hash,
+            created_at: now_bson,
+            last_used_at: now_bson,
+            expires_at: expires_at_bson,
+            is_revoked: false,
+        };
+
+        self.collection.insert_one(session, None).await?.inserted_id.as_object_id().ok_or_else(|| anyhow::anyhow!("Failed to get inserted id"))
+    }
+
+    pub async fn find_by_user(&self, user_id: &ObjectId) -> Result<Vec<Session>> {
+        let cursor = self.collection
+            .find(
+                doc! {
+                    "user_id": user_id,
+                    "is_revoked": false,
+                    "expires_at": { "$gt": mongodb::bson::DateTime::now() }
+                },
+                None,
+            )
+            .await?;
+
+        let sessions: Vec<Session> = cursor.try_collect().await?;
+        Ok(sessions)
+    }
+
+    pub async fn revoke(&self, session_id: &ObjectId) -> Result<()> {
+        self.collection
+            .update_one(
+                doc! { "_id": session_id },
+                doc! { "$set": { "is_revoked": true } },
+                None,
+            )
+            .await?;
+        Ok(())
+    }
+
+    pub async fn revoke_all_for_user(&self, user_id: &ObjectId) -> Result<()> {
+        self.collection
+            .update_many(
+                doc! { 
+                    "user_id": user_id,
+                    "is_revoked": false
+                },
+                doc! { "$set": { "is_revoked": true } },
+                None,
+            )
+            .await?;
+        Ok(())
+    }
+
+    pub async fn cleanup_expired(&self) -> Result<u64> {
+        let result = self.collection
+            .delete_many(
+                doc! {
+                    "expires_at": { "$lt": mongodb::bson::DateTime::now() }
+                },
+                None,
+            )
+            .await?;
+        Ok(result.deleted_count)
+    }
+}