Can customize login background image

Can log actions in JSON format
2025-10-28 18:05:35 +01:00 · 2025-10-28 11:43:23 +01:00
14 changed files with 311 additions and 150 deletions
--- a/assets/css/base_login_page.css
+++ b/assets/css/base_login_page.css
@@ -14,7 +14,6 @@ body {
 /* background */
@media screen and (min-width: 767px) {
    .bg-login {
-        background-image: url(/assets/img/forest.jpg);
        width: 100%;
        height: 100%;
        position: fixed;
--- a/src/actors/providers_states_actor.rs
+++ b/src/actors/providers_states_actor.rs
@@ -17,7 +17,7 @@ use crate::data::provider::ProviderID;
 use crate::utils::string_utils::rand_str;
 use crate::utils::time::time;

-#[derive(Debug, Clone)]
+#[derive(Debug, Clone, serde::Serialize)]
 pub struct ProviderLoginState {
    pub provider_id: ProviderID,
    pub state_id: String,
--- a/src/actors/users_actor.rs
+++ b/src/actors/users_actor.rs
@@ -104,7 +104,7 @@ pub struct AddSuccessful2FALogin(pub UserID, pub IpAddr);
 #[rtype(result = "bool")]
 pub struct Clear2FALoginHistory(pub UserID);

-#[derive(Eq, PartialEq, Debug, Clone)]
+#[derive(Eq, PartialEq, Debug, Clone, serde::Serialize)]
 pub struct AuthorizedAuthenticationSources {
    pub local: bool,
    pub upstream: Vec<ProviderID>,
--- a/src/controllers/admin_api.rs
+++ b/src/controllers/admin_api.rs
@@ -65,7 +65,9 @@ pub async fn delete_user(

    let res = users.send(DeleteUserRequest(req.0.user_id)).await.unwrap();
    if res {
-        action_logger.log(Action::AdminDeleteUser(&user));
+        action_logger.log(Action::AdminDeleteUser {
+            user: user.loggable(),
+        });
        HttpResponse::Ok().finish()
    } else {
        HttpResponse::InternalServerError().finish()
--- a/src/controllers/admin_controller.rs
+++ b/src/controllers/admin_controller.rs
@@ -165,7 +165,10 @@ pub async fn users_route(
        let factors_to_keep = update.0.two_factor.split(';').collect::<Vec<_>>();
        for factor in &edited_user.two_factor {
            if !factors_to_keep.contains(&factor.id.0.as_str()) {
-                logger.log(Action::AdminRemoveUserFactor(&edited_user, factor));
+                logger.log(Action::AdminRemoveUserFactor {
+                    user: edited_user.loggable(),
+                    factor: factor.loggable(),
+                });
                users
                    .send(users_actor::Remove2FAFactor(
                        edited_user.uid.clone(),
@@ -186,10 +189,10 @@ pub async fn users_route(
        };

        if edited_user.authorized_authentication_sources() != auth_sources {
-            logger.log(Action::AdminSetAuthorizedAuthenticationSources(
-                &edited_user,
-                &auth_sources,
-            ));
+            logger.log(Action::AdminSetAuthorizedAuthenticationSources {
+                user: edited_user.loggable(),
+                sources: &auth_sources,
+            });
            users
                .send(users_actor::SetAuthorizedAuthenticationSources(
                    edited_user.uid.clone(),
@@ -216,10 +219,10 @@ pub async fn users_route(
        };

        if edited_user.granted_clients() != granted_clients {
-            logger.log(Action::AdminSetNewGrantedClientsList(
-                &edited_user,
-                &granted_clients,
-            ));
+            logger.log(Action::AdminSetNewGrantedClientsList {
+                user: edited_user.loggable(),
+                clients: &granted_clients,
+            });
            users
                .send(users_actor::SetGrantedClients(
                    edited_user.uid.clone(),
@@ -231,7 +234,9 @@ pub async fn users_route(

        // Clear user 2FA history if requested
        if update.0.clear_2fa_history.is_some() {
-            logger.log(Action::AdminClear2FAHistory(&edited_user));
+            logger.log(Action::AdminClear2FAHistory {
+                user: edited_user.loggable(),
+            });
            users
                .send(users_actor::Clear2FALoginHistory(edited_user.uid.clone()))
                .await
@@ -242,7 +247,9 @@ pub async fn users_route(
        let new_password = match update.0.gen_new_password.is_some() {
            false => None,
            true => {
-                logger.log(Action::AdminResetUserPassword(&edited_user));
+                logger.log(Action::AdminResetUserPassword {
+                    user: edited_user.loggable(),
+                });

                let temp_pass = rand_str(TEMPORARY_PASSWORDS_LEN);
                users
@@ -269,11 +276,15 @@ pub async fn users_route(
        } else {
            success = Some(match is_creating {
                true => {
-                    logger.log(Action::AdminCreateUser(&edited_user));
+                    logger.log(Action::AdminCreateUser {
+                        user: edited_user.loggable(),
+                    });
                    format!("User {} was successfully created!", edited_user.full_name())
                }
                false => {
-                    logger.log(Action::AdminUpdateUser(&edited_user));
+                    logger.log(Action::AdminUpdateUser {
+                        user: edited_user.loggable(),
+                    });
                    format!("User {} was successfully updated!", edited_user.full_name())
                }
            });
--- a/src/controllers/login_controller.rs
+++ b/src/controllers/login_controller.rs
@@ -13,6 +13,7 @@ use crate::controllers::base_controller::{
    build_fatal_error_page, redirect_user, redirect_user_for_login,
 };
 use crate::data::action_logger::{Action, ActionLogger};
+use crate::data::app_config::AppConfig;
 use crate::data::force_2fa_auth::Force2FAAuth;
 use crate::data::login_redirect::{LoginRedirect, get_2fa_url};
 use crate::data::provider::{Provider, ProvidersManager};
@@ -21,46 +22,60 @@ use crate::data::user::User;
 use crate::data::webauthn_manager::WebAuthManagerReq;
 use crate::utils::string_utils;

-pub struct BaseLoginPage<'a> {
+pub struct BaseLoginPage {
    pub danger: Option<String>,
    pub success: Option<String>,
+    pub background_image: &'static str,
    pub page_title: &'static str,
    pub app_name: &'static str,
-    pub redirect_uri: &'a LoginRedirect,
+    pub redirect_uri: LoginRedirect,
+}
+
+impl Default for BaseLoginPage {
+    fn default() -> Self {
+        Self {
+            page_title: "Login",
+            danger: None,
+            success: None,
+            background_image: &AppConfig::get().login_background_image,
+            app_name: APP_NAME,
+            redirect_uri: LoginRedirect::default(),
+        }
+    }
 }

 #[derive(Template)]
 #[template(path = "login/login.html")]
-struct LoginTemplate<'a> {
-    p: BaseLoginPage<'a>,
+struct LoginTemplate {
+    p: BaseLoginPage,
    login: String,
    providers: Vec<Provider>,
 }

 #[derive(Template)]
 #[template(path = "login/password_reset.html")]
-struct PasswordResetTemplate<'a> {
-    p: BaseLoginPage<'a>,
+struct PasswordResetTemplate {
+    p: BaseLoginPage,
    min_pass_len: usize,
 }

 #[derive(Template)]
 #[template(path = "login/choose_second_factor.html")]
 struct ChooseSecondFactorTemplate<'a> {
-    p: BaseLoginPage<'a>,
+    p: BaseLoginPage,
    user: &'a User,
 }

 #[derive(Template)]
 #[template(path = "login/otp_input.html")]
-struct LoginWithOTPTemplate<'a> {
-    p: BaseLoginPage<'a>,
+struct LoginWithOTPTemplate {
+    p: BaseLoginPage,
 }

 #[derive(Template)]
 #[template(path = "login/webauthn_input.html")]
-struct LoginWithWebauthnTemplate<'a> {
-    p: BaseLoginPage<'a>,
+struct LoginWithWebauthnTemplate {
+    p: BaseLoginPage,
    opaque_state: String,
    challenge_json: String,
 }
@@ -111,7 +126,7 @@ pub async fn login_route(
    // Check if user session must be closed
    if let Some(true) = query.logout {
        if let Some(id) = id {
-            logger.log(Action::Signout);
+            logger.log(Action::SignOut);
            id.logout();
        }
        success = Some("Goodbye!".to_string());
@@ -155,14 +170,20 @@ pub async fn login_route(
        match response {
            LoginResult::Success(user) => {
                let status = if user.need_reset_password {
-                    logger.log(Action::UserNeedNewPasswordOnLogin(&user));
+                    logger.log(Action::UserNeedNewPasswordOnLogin {
+                        user: user.loggable(),
+                    });
                    SessionStatus::NeedNewPassword
                } else if user.has_two_factor() && !user.can_bypass_two_factors_for_ip(remote_ip.0)
                {
-                    logger.log(Action::UserNeed2FAOnLogin(&user));
+                    logger.log(Action::UserNeed2FAOnLogin {
+                        user: user.loggable(),
+                    });
                    SessionStatus::Need2FA
                } else {
-                    logger.log(Action::UserSuccessfullyAuthenticated(&user));
+                    logger.log(Action::UserSuccessfullyAuthenticated {
+                        user: user.loggable(),
+                    });
                    SessionStatus::SignedIn
                };

@@ -172,7 +193,7 @@ pub async fn login_route(

            LoginResult::AccountDisabled => {
                log::warn!("Failed login for username {} : account is disabled", &login);
-                logger.log(Action::TryLoginWithDisabledAccount(&login));
+                logger.log(Action::TryLoginWithDisabledAccount { login: &login });
                danger = Some("Your account is disabled!".to_string());
            }

@@ -181,7 +202,7 @@ pub async fn login_route(
                    "Failed login for username {} : attempted to use local auth, but it is forbidden",
                    &login
                );
-                logger.log(Action::TryLocalLoginFromUnauthorizedAccount(&login));
+                logger.log(Action::TryLocalLoginFromUnauthorizedAccount { login: &login });
                danger = Some("You cannot login from local auth with your account!".to_string());
            }

@@ -191,7 +212,7 @@ pub async fn login_route(

            c => {
                log::warn!("Failed login for ip {remote_ip:?} /  username {login}: {c:?}");
-                logger.log(Action::FailedLoginWithBadCredentials(&login));
+                logger.log(Action::FailedLoginWithBadCredentials { login: &login });
                danger = Some("Login failed.".to_string());

                bruteforce
@@ -210,8 +231,8 @@ pub async fn login_route(
                page_title: "Login",
                danger,
                success,
-                app_name: APP_NAME,
-                redirect_uri: &query.redirect,
+                redirect_uri: query.0.redirect,
+                ..Default::default()
            },
            login,
            providers: providers.cloned(),
@@ -272,7 +293,7 @@ pub async fn reset_password_route(
                danger = Some("Failed to change password!".to_string());
            } else {
                SessionIdentity(id.as_ref()).set_status(&http_req, SessionStatus::SignedIn);
-                logger.log(Action::UserChangedPasswordOnLogin(&user_id));
+                logger.log(Action::UserChangedPasswordOnLogin { user_id: &user_id });
                return redirect_user(query.redirect.get());
            }
        }
@@ -283,9 +304,8 @@ pub async fn reset_password_route(
            p: BaseLoginPage {
                page_title: "Password reset",
                danger,
-                success: None,
-                app_name: APP_NAME,
-                redirect_uri: &query.redirect,
+                redirect_uri: query.0.redirect,
+                ..Default::default()
            },
            min_pass_len: MIN_PASS_LEN,
        }
@@ -333,10 +353,8 @@ pub async fn choose_2fa_method(
        ChooseSecondFactorTemplate {
            p: BaseLoginPage {
                page_title: "Two factor authentication",
-                danger: None,
-                success: None,
-                app_name: APP_NAME,
-                redirect_uri: &query.redirect,
+                redirect_uri: query.0.redirect,
+                ..Default::default()
            },
            user: &user,
        }
@@ -395,7 +413,7 @@ pub async fn login_with_otp(
        {
            logger.log(Action::OTPLoginAttempt {
                success: false,
-                user: &user,
+                user: user.loggable(),
            });
            danger = Some("Specified code is invalid!".to_string());
        } else {
@@ -412,7 +430,7 @@ pub async fn login_with_otp(
            session.set_status(&http_req, SessionStatus::SignedIn);
            logger.log(Action::OTPLoginAttempt {
                success: true,
-                user: &user,
+                user: user.loggable(),
            });
            return redirect_user(query.redirect.get());
        }
@@ -424,8 +442,8 @@ pub async fn login_with_otp(
                danger,
                success: None,
                page_title: "Two-Factor Auth",
-                app_name: APP_NAME,
-                redirect_uri: &query.redirect,
+                redirect_uri: query.0.redirect,
+                ..Default::default()
            },
        }
        .render()
@@ -487,11 +505,9 @@ pub async fn login_with_webauthn(
    HttpResponse::Ok().body(
        LoginWithWebauthnTemplate {
            p: BaseLoginPage {
-                danger: None,
-                success: None,
                page_title: "Two-Factor Auth",
-                app_name: APP_NAME,
-                redirect_uri: &query.redirect,
+                redirect_uri: query.0.redirect,
+                ..Default::default()
            },
            opaque_state: challenge.opaque_state,
            challenge_json: urlencoding::encode(&challenge_json).to_string(),
--- a/src/controllers/openid_controller.rs
+++ b/src/controllers/openid_controller.rs
@@ -239,7 +239,7 @@ pub async fn authorize(
                .unwrap();

            log::trace!("New OpenID session: {session:#?}");
-            logger.log(Action::NewOpenIDSession { client: &client });
+            logger.log(Action::NewOpenIDSession { client: &client.id });

            Ok(HttpResponse::Found()
                .append_header((
@@ -273,7 +273,7 @@ pub async fn authorize(
            };

            log::trace!("New OpenID id token: {:#?}", &id_token);
-            logger.log(Action::NewOpenIDSuccessfulImplicitAuth { client: &client });
+            logger.log(Action::NewOpenIDSuccessfulImplicitAuth { client: &client.id });

            Ok(HttpResponse::Found()
                .append_header((
--- a/src/controllers/providers_controller.rs
+++ b/src/controllers/providers_controller.rs
@@ -10,7 +10,7 @@ use crate::actors::bruteforce_actor::BruteForceActor;
 use crate::actors::providers_states_actor::{ProviderLoginState, ProvidersStatesActor};
 use crate::actors::users_actor::{LoginResult, UsersActor};
 use crate::actors::{bruteforce_actor, providers_states_actor, users_actor};
-use crate::constants::{APP_NAME, MAX_FAILED_LOGIN_ATTEMPTS};
+use crate::constants::MAX_FAILED_LOGIN_ATTEMPTS;
 use crate::controllers::base_controller::{build_fatal_error_page, redirect_user};
 use crate::controllers::login_controller::BaseLoginPage;
 use crate::data::action_logger::{Action, ActionLogger};
@@ -22,7 +22,7 @@ use crate::data::session_identity::{SessionIdentity, SessionStatus};
 #[derive(askama::Template)]
 #[template(path = "login/prov_login_error.html")]
 struct ProviderLoginError<'a> {
-    p: BaseLoginPage<'a>,
+    p: BaseLoginPage,
    message: &'a str,
 }

@@ -30,11 +30,9 @@ impl<'a> ProviderLoginError<'a> {
    pub fn get(message: &'a str, redirect_uri: &'a LoginRedirect) -> HttpResponse {
        let body = Self {
            p: BaseLoginPage {
-                danger: None,
-                success: None,
                page_title: "Upstream login",
-                app_name: APP_NAME,
-                redirect_uri,
+                redirect_uri: redirect_uri.clone(),
+                ..Default::default()
            },
            message,
        }
@@ -357,14 +355,18 @@ pub async fn finish_login(

    logger.log(Action::ProviderLoginSuccessful {
        provider: &provider,
-        user: &user,
+        user: user.loggable(),
    });

    let status = if user.has_two_factor() && !user.can_bypass_two_factors_for_ip(remote_ip.0) {
-        logger.log(Action::UserNeed2FAOnLogin(&user));
+        logger.log(Action::UserNeed2FAOnLogin {
+            user: user.loggable(),
+        });
        SessionStatus::Need2FA
    } else {
-        logger.log(Action::UserSuccessfullyAuthenticated(&user));
+        logger.log(Action::UserSuccessfullyAuthenticated {
+            user: user.loggable(),
+        });
        SessionStatus::SignedIn
    };

--- a/src/controllers/two_factor_api.rs
+++ b/src/controllers/two_factor_api.rs
@@ -57,7 +57,9 @@ pub async fn save_totp_factor(
        name: factor_name,
        kind: TwoFactorType::TOTP(key),
    };
-    logger.log(Action::AddNewFactor(&factor));
+    logger.log(Action::AddNewFactor {
+        factor: factor.loggable(),
+    });

    let res = users
        .send(users_actor::Add2FAFactor(user.uid.clone(), factor))
@@ -104,7 +106,9 @@ pub async fn save_webauthn_factor(
        name: factor_name,
        kind: TwoFactorType::WEBAUTHN(Box::new(key)),
    };
-    logger.log(Action::AddNewFactor(&factor));
+    logger.log(Action::AddNewFactor {
+        factor: factor.loggable(),
+    });

    let res = users
        .send(users_actor::Add2FAFactor(user.uid.clone(), factor))
--- a/src/data/action_logger.rs
+++ b/src/data/action_logger.rs
@@ -11,21 +11,113 @@ use actix_web::{Error, FromRequest, HttpRequest, web};
 use crate::actors::providers_states_actor::ProviderLoginState;
 use crate::actors::users_actor;
 use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersActor};
-use crate::data::client::Client;
+use crate::data::app_config::{ActionLoggerFormat, AppConfig};
+use crate::data::client::ClientID;
 use crate::data::provider::{Provider, ProviderID};

 use crate::data::session_identity::SessionIdentity;
-use crate::data::user::{FactorID, GrantedClients, TwoFactor, User, UserID};
+use crate::data::user::{FactorID, GrantedClients, TwoFactor, TwoFactorType, User, UserID};
+use crate::utils::time::time;

+#[derive(serde::Serialize)]
+pub struct LoggableUser {
+    pub uid: UserID,
+    pub username: String,
+    pub email: String,
+    pub admin: bool,
+}
+
+impl LoggableUser {
+    pub fn quick_identity(&self) -> String {
+        format!(
+            "{} {} {} ({:?})",
+            match self.admin {
+                true => "admin",
+                false => "user",
+            },
+            self.username,
+            self.email,
+            self.uid
+        )
+    }
+}
+
+impl User {
+    pub fn loggable(&self) -> LoggableUser {
+        LoggableUser {
+            uid: self.uid.clone(),
+            username: self.username.clone(),
+            email: self.email.clone(),
+            admin: self.admin,
+        }
+    }
+}
+
+#[derive(Debug, serde::Serialize)]
+pub enum LoggableFactorType {
+    TOTP,
+    WEBAUTHN,
+}
+
+#[derive(serde::Serialize)]
+pub struct LoggableFactor {
+    pub id: FactorID,
+    pub name: String,
+    pub kind: LoggableFactorType,
+}
+
+impl LoggableFactor {
+    pub fn quick_description(&self) -> String {
+        format!(
+            "#{} of type {:?} and name '{}'",
+            self.id.0, self.kind, self.name
+        )
+    }
+}
+
+impl TwoFactor {
+    pub fn loggable(&self) -> LoggableFactor {
+        LoggableFactor {
+            id: self.id.clone(),
+            name: self.name.to_string(),
+            kind: match self.kind {
+                TwoFactorType::TOTP(_) => LoggableFactorType::TOTP,
+                TwoFactorType::WEBAUTHN(_) => LoggableFactorType::WEBAUTHN,
+            },
+        }
+    }
+}
+
+#[derive(serde::Serialize)]
+#[serde(tag = "type")]
 pub enum Action<'a> {
-    AdminCreateUser(&'a User),
-    AdminUpdateUser(&'a User),
-    AdminDeleteUser(&'a User),
-    AdminResetUserPassword(&'a User),
-    AdminRemoveUserFactor(&'a User, &'a TwoFactor),
-    AdminSetAuthorizedAuthenticationSources(&'a User, &'a AuthorizedAuthenticationSources),
-    AdminSetNewGrantedClientsList(&'a User, &'a GrantedClients),
-    AdminClear2FAHistory(&'a User),
+    AdminCreateUser {
+        user: LoggableUser,
+    },
+    AdminUpdateUser {
+        user: LoggableUser,
+    },
+    AdminDeleteUser {
+        user: LoggableUser,
+    },
+    AdminResetUserPassword {
+        user: LoggableUser,
+    },
+    AdminRemoveUserFactor {
+        user: LoggableUser,
+        factor: LoggableFactor,
+    },
+    AdminSetAuthorizedAuthenticationSources {
+        user: LoggableUser,
+        sources: &'a AuthorizedAuthenticationSources,
+    },
+    AdminSetNewGrantedClientsList {
+        user: LoggableUser,
+        clients: &'a GrantedClients,
+    },
+    AdminClear2FAHistory {
+        user: LoggableUser,
+    },
    LoginWebauthnAttempt {
        success: bool,
        user_id: UserID,
@@ -73,29 +165,45 @@ pub enum Action<'a> {
    },
    ProviderLoginSuccessful {
        provider: &'a Provider,
-        user: &'a User,
+        user: LoggableUser,
+    },
+    SignOut,
+    UserNeed2FAOnLogin {
+        user: LoggableUser,
+    },
+    UserSuccessfullyAuthenticated {
+        user: LoggableUser,
+    },
+    UserNeedNewPasswordOnLogin {
+        user: LoggableUser,
+    },
+    TryLoginWithDisabledAccount {
+        login: &'a str,
+    },
+    TryLocalLoginFromUnauthorizedAccount {
+        login: &'a str,
+    },
+    FailedLoginWithBadCredentials {
+        login: &'a str,
+    },
+    UserChangedPasswordOnLogin {
+        user_id: &'a UserID,
    },
-    Signout,
-    UserNeed2FAOnLogin(&'a User),
-    UserSuccessfullyAuthenticated(&'a User),
-    UserNeedNewPasswordOnLogin(&'a User),
-    TryLoginWithDisabledAccount(&'a str),
-    TryLocalLoginFromUnauthorizedAccount(&'a str),
-    FailedLoginWithBadCredentials(&'a str),
-    UserChangedPasswordOnLogin(&'a UserID),
    OTPLoginAttempt {
-        user: &'a User,
+        user: LoggableUser,
        success: bool,
    },
    NewOpenIDSession {
-        client: &'a Client,
+        client: &'a ClientID,
    },
    NewOpenIDSuccessfulImplicitAuth {
-        client: &'a Client,
+        client: &'a ClientID,
    },
    ChangedHisPassword,
    ClearedHisLoginHistory,
-    AddNewFactor(&'a TwoFactor),
+    AddNewFactor {
+        factor: LoggableFactor,
+    },
    Removed2FAFactor {
        factor_id: &'a FactorID,
    },
@@ -104,35 +212,35 @@ pub enum Action<'a> {
 impl Action<'_> {
    pub fn as_string(&self) -> String {
        match self {
-            Action::AdminDeleteUser(user) => {
+            Action::AdminDeleteUser { user } => {
                format!("deleted account of {}", user.quick_identity())
            }
-            Action::AdminCreateUser(user) => {
+            Action::AdminCreateUser { user } => {
                format!("created account of {}", user.quick_identity())
            }
-            Action::AdminUpdateUser(user) => {
+            Action::AdminUpdateUser { user } => {
                format!("updated account of {}", user.quick_identity())
            }
-            Action::AdminResetUserPassword(user) => {
+            Action::AdminResetUserPassword { user } => {
                format!(
                    "set a temporary password for the account of {}",
                    user.quick_identity()
                )
            }
-            Action::AdminRemoveUserFactor(user, factor) => format!(
+            Action::AdminRemoveUserFactor { user, factor } => format!(
                "removed 2 factor ({}) of user ({})",
                factor.quick_description(),
                user.quick_identity()
            ),
-            Action::AdminClear2FAHistory(user) => {
+            Action::AdminClear2FAHistory { user } => {
                format!("cleared 2FA history of {}", user.quick_identity())
            }
-            Action::AdminSetAuthorizedAuthenticationSources(user, sources) => format!(
+            Action::AdminSetAuthorizedAuthenticationSources { user, sources } => format!(
                "update authorized authentication sources ({:?}) for user ({})",
                sources,
                user.quick_identity()
            ),
-            Action::AdminSetNewGrantedClientsList(user, clients) => format!(
+            Action::AdminSetNewGrantedClientsList { user, clients } => format!(
                "set new granted clients list ({:?}) for user ({})",
                clients,
                user.quick_identity()
@@ -191,32 +299,32 @@ impl Action<'_> {
                provider.id.0,
                user.quick_identity()
            ),
-            Action::Signout => "signed out".to_string(),
-            Action::UserNeed2FAOnLogin(user) => {
+            Action::SignOut => "signed out".to_string(),
+            Action::UserNeed2FAOnLogin { user } => {
                format!(
                    "successfully authenticated as user {:?} but need to do 2FA authentication",
                    user.quick_identity()
                )
            }
-            Action::UserSuccessfullyAuthenticated(user) => {
+            Action::UserSuccessfullyAuthenticated { user } => {
                format!("successfully authenticated as {}", user.quick_identity())
            }
-            Action::UserNeedNewPasswordOnLogin(user) => format!(
+            Action::UserNeedNewPasswordOnLogin { user } => format!(
                "successfully authenticated as {}, but need to set a new password",
                user.quick_identity()
            ),
-            Action::TryLoginWithDisabledAccount(login) => {
+            Action::TryLoginWithDisabledAccount { login } => {
                format!("successfully authenticated as {login}, but this is a DISABLED ACCOUNT")
            }
-            Action::TryLocalLoginFromUnauthorizedAccount(login) => {
+            Action::TryLocalLoginFromUnauthorizedAccount { login } => {
                format!(
                    "successfully locally authenticated as {login}, but this is a FORBIDDEN for this account!"
                )
            }
-            Action::FailedLoginWithBadCredentials(login) => {
+            Action::FailedLoginWithBadCredentials { login } => {
                format!("attempted to authenticate as {login} but with a WRONG PASSWORD")
            }
-            Action::UserChangedPasswordOnLogin(user_id) => {
+            Action::UserChangedPasswordOnLogin { user_id } => {
                format!("set a new password at login as user {user_id:?}")
            }
            Action::OTPLoginAttempt { user, success } => match success {
@@ -230,15 +338,15 @@ impl Action<'_> {
                ),
            },
            Action::NewOpenIDSession { client } => {
-                format!("opened a new OpenID session with {:?}", client.id)
+                format!("opened a new OpenID session with {:?}", client)
            }
            Action::NewOpenIDSuccessfulImplicitAuth { client } => format!(
                "finished an implicit flow connection for client {:?}",
-                client.id
+                client
            ),
            Action::ChangedHisPassword => "changed his password".to_string(),
            Action::ClearedHisLoginHistory => "cleared his login history".to_string(),
-            Action::AddNewFactor(factor) => format!(
+            Action::AddNewFactor { factor } => format!(
                "added a new factor to his account : {}",
                factor.quick_description(),
            ),
@@ -247,6 +355,15 @@ impl Action<'_> {
    }
 }

+#[derive(serde::Serialize)]
+struct JsonActionData<'a> {
+    time: u64,
+    ip: IpAddr,
+    user: Option<LoggableUser>,
+    #[serde(flatten)]
+    action: Action<'a>,
+}
+
 pub struct ActionLogger {
    ip: IpAddr,
    user: Option<User>,
@@ -254,15 +371,27 @@ pub struct ActionLogger {

 impl ActionLogger {
    pub fn log(&self, action: Action) {
-        log::info!(
-            "{} from {} has {}",
-            match &self.user {
-                None => "Anonymous user".to_string(),
-                Some(u) => u.quick_identity(),
+        match AppConfig::get().action_logger_format {
+            ActionLoggerFormat::Text => log::info!(
+                "{} from {} has {}",
+                match &self.user {
+                    None => "Anonymous user".to_string(),
+                    Some(u) => u.loggable().quick_identity(),
+                },
+                self.ip,
+                action.as_string()
+            ),
+            ActionLoggerFormat::Json => match serde_json::to_string(&JsonActionData {
+                time: time(),
+                ip: self.ip,
+                user: self.user.as_ref().map(User::loggable),
+                action,
+            }) {
+                Ok(j) => println!("{j}"),
+                Err(e) => log::error!("Failed to serialize event to JSON! {e}"),
            },
-            self.ip,
-            action.as_string()
-        )
+            ActionLoggerFormat::None => {}
+        }
    }
 }

--- a/src/data/app_config.rs
+++ b/src/data/app_config.rs
@@ -6,6 +6,15 @@ use crate::constants::{
    APP_NAME, CLIENTS_LIST_FILE, OIDC_PROVIDER_CB_URI, PROVIDERS_LIST_FILE, USERS_LIST_FILE,
 };

+/// Action logger format
+#[derive(Copy, Clone, Eq, PartialEq, Debug, clap::ValueEnum, Default)]
+pub enum ActionLoggerFormat {
+    #[default]
+    Text,
+    Json,
+    None,
+}
+
 /// Basic OIDC provider
 #[derive(Parser, Debug, Clone)]
 #[clap(author, version, about, long_about = None)]
@@ -45,6 +54,14 @@ pub struct AppConfig {
    /// Example: "https://api.geoip.rs"
    #[arg(long, short, env)]
    pub ip_location_service: Option<String>,
+
+    /// Action logger output format
+    #[arg(long, env, default_value_t, value_enum)]
+    pub action_logger_format: ActionLoggerFormat,
+
+    /// Login background image
+    #[arg(long, env, default_value = "/assets/img/forest.jpg")]
+    pub login_background_image: String,
 }

 lazy_static::lazy_static! {
--- a/src/data/user.rs
+++ b/src/data/user.rs
@@ -26,7 +26,7 @@ pub struct GeneralSettings {
    pub is_admin: bool,
 }

-#[derive(Eq, PartialEq, Clone, Debug)]
+#[derive(Eq, PartialEq, Clone, Debug, serde::Serialize)]
 pub enum GrantedClients {
    AllClients,
    SomeClients(Vec<ClientID>),
@@ -60,15 +60,6 @@ pub struct TwoFactor {
 }

 impl TwoFactor {
-    pub fn quick_description(&self) -> String {
-        format!(
-            "#{} of type {} and name '{}'",
-            self.id.0,
-            self.type_str(),
-            self.name
-        )
-    }
-
    pub fn type_str(&self) -> &'static str {
        match self.kind {
            TwoFactorType::TOTP(_) => "Authenticator app",
@@ -170,19 +161,6 @@ impl User {
        format!("{} {}", self.first_name, self.last_name)
    }

-    pub fn quick_identity(&self) -> String {
-        format!(
-            "{} {} {} ({:?})",
-            match self.admin {
-                true => "admin",
-                false => "user",
-            },
-            self.username,
-            self.email,
-            self.uid
-        )
-    }
-
    /// Get the list of sources from which a user can authenticate from
    pub fn authorized_authentication_sources(&self) -> AuthorizedAuthenticationSources {
        AuthorizedAuthenticationSources {
--- a/src/data/users_file_entity.rs
+++ b/src/data/users_file_entity.rs
@@ -31,28 +31,25 @@ fn hash_password<P: AsRef<[u8]>>(pwd: P) -> Res<String> {
 }

 fn verify_password<P: AsRef<[u8]>>(pwd: P, hash: &str) -> bool {
-    match bcrypt::verify(pwd, hash) {
-        Ok(r) => r,
-        Err(e) => {
-            log::warn!("Failed to verify password! {e:?}");
-            false
-        }
-    }
+    bcrypt::verify(pwd, hash).unwrap_or_else(|e| {
+        log::warn!("Failed to verify password! {e:?}");
+        false
+    })
 }

 impl UsersSyncBackend for EntityManager<User> {
-    fn find_by_email(&self, u: &str) -> Res<Option<User>> {
+    fn find_by_username_or_email(&self, u: &str) -> Res<Option<User>> {
        for entry in self.iter() {
-            if entry.email.eq(u) {
+            if entry.username.eq(u) || entry.email.eq(u) {
                return Ok(Some(entry.clone()));
            }
        }
        Ok(None)
    }

-    fn find_by_username_or_email(&self, u: &str) -> Res<Option<User>> {
+    fn find_by_email(&self, u: &str) -> Res<Option<User>> {
        for entry in self.iter() {
-            if entry.username.eq(u) || entry.email.eq(u) {
+            if entry.email.eq(u) {
                return Ok(Some(entry.clone()));
            }
        }
--- a/templates/login/base_login_page.html
+++ b/templates/login/base_login_page.html
@@ -30,6 +30,12 @@
                font-size: 3.5rem;
            }
        }
+
+        @media screen and (min-width: 767px) {
+            .bg-login {
+                background-image: url({{ p.background_image }});
+            }
+        }
    </style>
Author	SHA1	Message	Date
Pierre HUBERT	ffd93c5435	Can customize login background image All checks were successful continuous-integration/drone/push Build is passing Details	2025-10-28 18:05:35 +01:00
Pierre HUBERT	2a729d4153	Can log actions in JSON format All checks were successful continuous-integration/drone/push Build is passing Details	2025-10-28 11:43:23 +01:00