feat: mask client ip in audit log

This commit is contained in:
Marek Miklewicz
2026-06-30 19:08:10 +02:00
parent 227c16410c
commit 4fc787fea8
6 changed files with 37 additions and 3 deletions
+1 -1
View File
@@ -26,7 +26,7 @@ return static function (): void {
];
$clientIp = ClientIp::resolve($_SERVER, $settings);
$auditBase['client_ip'] = $clientIp;
$auditBase['client_ip'] = $settings->auditClientIp($clientIp);
$createdAt = time();
$correlation = KeyName::build($ctx->serverName(), $ctx->username(), $createdAt);
$auditBase['correlation'] = $correlation;
+14
View File
@@ -64,6 +64,7 @@ final class Settings
'MAIL_LOGIN_REDIRECT_URL' => '/',
'LOGIN_KEY_TTL' => '30',
'USER_IP_BOUND' => '1',
'IP_MASK' => '1',
'MAIL_LOGIN_SOURCE_SERVER_NAME' => '',
'MAIL_LOGIN_CLIENT_IP_MODE' => 'direct',
'MAIL_LOGIN_TRUSTED_PROXIES' => '',
@@ -135,6 +136,16 @@ final class Settings
return $this->getString('USER_IP_BOUND', '1') === '1';
}
public function ipMask(): bool
{
return $this->getString('IP_MASK', '1') === '1';
}
public function auditClientIp(string $clientIp): string
{
return $this->ipMask() ? 'MASLED' : $clientIp;
}
public function sourceServerName(): string
{
return $this->sanitizeServerName($this->getString('MAIL_LOGIN_SOURCE_SERVER_NAME', ''));
@@ -247,6 +258,9 @@ final class Settings
if (!in_array($this->getString('USER_IP_BOUND', ''), ['0', '1'], true)) {
throw new InvalidArgumentException('USER_IP_BOUND must be 0 or 1');
}
if (!in_array($this->getString('IP_MASK', ''), ['0', '1'], true)) {
throw new InvalidArgumentException('IP_MASK must be 0 or 1');
}
if (!in_array(strtolower($this->getString('DEFAULT_ENABLE', 'true')), ['0', '1', 'true', 'false', 'yes', 'no', 'on', 'off'], true)) {
throw new InvalidArgumentException('DEFAULT_ENABLE must be a boolean value');
}