DataDog · uurien · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024
@@ -460,6 +460,9 @@ tracer.appsec.trackUserLoginFailureEvent('user_id', true, meta)
 tracer.appsec.trackUserLoginFailureEvent('user_id', false)
 tracer.appsec.trackUserLoginFailureEvent('user_id', false, meta)
 
+tracer.appsec.trackUserSignupEvent('user_id')
+tracer.appsec.trackUserSignupEvent('user_id', meta)
+
 tracer.appsec.trackCustomEvent('event_name')
 tracer.appsec.trackCustomEvent('event_name', meta)
 

@@ -654,12 +654,24 @@ declare namespace tracer {
        */
       eventTracking?: {
         /**
-         * Controls the automated user event tracking mode. Possible values are disabled, safe and extended.
-         * On safe mode, any detected Personally Identifiable Information (PII) about the user will be redacted from the event.
-         * On extended mode, no redaction will take place.
-         * @default 'safe'
+         * Controls the automated user tracking mode for user IDs and logins collections. Possible values:
+         * *  'anonymous': will hash user IDs and user logins before collecting them
+         * *  'anon': alias for 'anonymous'
+         * *  'safe': deprecated alias for 'anonymous'
+         * 
+         * *  'identification': will collect user IDs and logins without redaction
+         * *  'ident': alias for 'identification'
+         * *  'extended': deprecated alias for 'identification'
+         * 
+         * *  'disabled': will not collect user IDs and logins
+         * 
+         * Unknown values will be considered as 'disabled'
+         * @default 'ident'
          */
-        mode?: 'safe' | 'extended' | 'disabled'
+        mode?:
+          'anonymous' | 'anon' | 'safe' |
+          'identification' | 'ident' | 'extended' |
+          'disabled'
       },
       /**
        * Configuration for Api Security sampling
@@ -757,7 +769,7 @@ declare namespace tracer {
        */
       maxDepth?: number
     }
-    
+
     /**
      * Configuration enabling LLM Observability. Enablement is superceded by the DD_LLMOBS_ENABLED environment variable.
      */
@@ -876,6 +888,15 @@ declare namespace tracer {
      */
     trackUserLoginFailureEvent(userId: string, exists: boolean, metadata?: { [key: string]: string }): void
 
+    /**
+     * Links a signup event to the current trace.
+     * @param {string} userId The user id of the signed-up user
+     * @param {[key: string]: string} metadata Custom fields to link to the signup event.
+     *
+     * @beta This method is in beta and could change in future versions.
+     */
+    trackUserSignupEvent(userId: string, metadata?: { [key: string]: string }): void
+
     /**
      * Links a custom event to the current trace.
      * @param {string} eventName The name of the event.
@@ -2226,7 +2247,7 @@ declare namespace tracer {
        * Disable LLM Observability tracing.
        */
       disable (): void,
-      
+
       /**
        * Instruments a function by automatically creating a span activated on its
        * scope.
@@ -2268,10 +2289,10 @@ declare namespace tracer {
       /**
        * Decorate a function in a javascript runtime that supports function decorators.
        * Note that this is **not** supported in the Node.js runtime, but is in TypeScript.
-       * 
+       *
        * In TypeScript, this decorator is only supported in contexts where general TypeScript
        * function decorators are supported.
-       * 
+       *
        * @param options Optional LLM Observability span options.
        */
       decorate (options: llmobs.LLMObsNamelessSpanOptions): any
@@ -2288,7 +2309,7 @@ declare namespace tracer {
       /**
        * Sets inputs, outputs, tags, metadata, and metrics as provided for a given LLM Observability span.
        * Note that with the exception of tags, this method will override any existing values for the provided fields.
-       * 
+       *
        * For example:
        * ```javascript
        * llmobs.trace({ kind: 'llm', name: 'myLLM', modelName: 'gpt-4o', modelProvider: 'openai' }, () => {
@@ -2301,7 +2322,7 @@ declare namespace tracer {
        *  })
        * })
        * ```
-       * 
+       *
        * @param span The span to annotate (defaults to the current LLM Observability span if not provided)
        * @param options An object containing the inputs, outputs, tags, metadata, and metrics to set on the span.
        */
@@ -2477,14 +2498,14 @@ declare namespace tracer {
        * LLM Observability span kind. One of `agent`, `workflow`, `task`, `tool`, `retrieval`, `embedding`, or `llm`.
        */
       kind: llmobs.spanKind,
-  
+
       /**
        * The ID of the underlying user session. Required for tracking sessions.
        */
       sessionId?: string,
 
       /**
-       * The name of the ML application that the agent is orchestrating. 
+       * The name of the ML application that the agent is orchestrating.
        * If not provided, the default value will be set to mlApp provided during initalization, or `DD_LLMOBS_ML_APP`.
        */
       mlApp?: string,

@@ -95,6 +95,7 @@ module.exports = {
   oracledb: () => require('../oracledb'),
   openai: () => require('../openai'),
   paperplane: () => require('../paperplane'),
+  passport: () => require('../passport'),
   'passport-http': () => require('../passport-http'),
   'passport-local': () => require('../passport-local'),
   pg: () => require('../pg'),

@@ -1,22 +1,10 @@
 'use strict'
 
-const shimmer = require('../../datadog-shimmer')
 const { addHook } = require('./helpers/instrument')
-const { wrapVerify } = require('./passport-utils')
+const { strategyHook } = require('./passport-utils')
 
 addHook({
   name: 'passport-http',
   file: 'lib/passport-http/strategies/basic.js',
   versions: ['>=0.3.0']
-}, BasicStrategy => {
-  return shimmer.wrapFunction(BasicStrategy, BasicStrategy => function () {
-    const type = 'http'
-
-    if (typeof arguments[0] === 'function') {
-      arguments[0] = wrapVerify(arguments[0], false, type)
-    } else {
-      arguments[1] = wrapVerify(arguments[1], (arguments[0] && arguments[0].passReqToCallback), type)
-    }
-    return BasicStrategy.apply(this, arguments)
-  })
-})
+}, strategyHook)
@@ -1,22 +1,10 @@
 'use strict'
 
-const shimmer = require('../../datadog-shimmer')
 const { addHook } = require('./helpers/instrument')
-const { wrapVerify } = require('./passport-utils')
+const { strategyHook } = require('./passport-utils')
 
 addHook({
   name: 'passport-local',
   file: 'lib/strategy.js',
   versions: ['>=1.0.0']
-}, Strategy => {
-  return shimmer.wrapFunction(Strategy, Strategy => function () {
-    const type = 'local'
-
-    if (typeof arguments[0] === 'function') {
-      arguments[0] = wrapVerify(arguments[0], false, type)
-    } else {
-      arguments[1] = wrapVerify(arguments[1], (arguments[0] && arguments[0].passReqToCallback), type)
-    }
-    return Strategy.apply(this, arguments)
-  })
-})
+}, strategyHook)
@@ -5,33 +5,56 @@ const { channel } = require('./helpers/instrument')
 
 const passportVerifyChannel = channel('datadog:passport:verify:finish')
 
-function wrapVerifiedAndPublish (username, password, verified, type) {
-  if (!passportVerifyChannel.hasSubscribers) {
-    return verified
-  }
+function wrapVerifiedAndPublish (username, verified) {
+  return shimmer.wrapFunction(verified, function wrapVerify (verified) {
+    return function wrappedVerified (err, user) {
+      // if there is an error, it's neither an auth success nor a failure
+      if (!err) {
+        const abortController = new AbortController()
+
+        passportVerifyChannel.publish({ login: username, user, success: !!user, abortController })
+
+        if (abortController.signal.aborted) return
+      }
 
-  // eslint-disable-next-line n/handle-callback-err
-  return shimmer.wrapFunction(verified, verified => function (err, user, info) {
-    const credentials = { type, username }
-    passportVerifyChannel.publish({ credentials, user })
-    return verified.apply(this, arguments)
+      return verified.apply(this, arguments)
+    }
   })
 }
 
-function wrapVerify (verify, passReq, type) {
-  if (passReq) {
-    return function (req, username, password, verified) {
-      arguments[3] = wrapVerifiedAndPublish(username, password, verified, type)
-      return verify.apply(this, arguments)
+function wrapVerify (verify) {
+  return function wrappedVerify (req, username, password, verified) {
+    if (passportVerifyChannel.hasSubscribers) {
+      // replace the callback with our own wrapper to get the result
+      // if we ever need the type of strategy, we can get it from this.name
+      if (this._passReqToCallback) {
+        arguments[3] = wrapVerifiedAndPublish(arguments[1], arguments[3])
+      } else {
+        arguments[2] = wrapVerifiedAndPublish(arguments[0], arguments[2])
+      }
     }
-  } else {
-    return function (username, password, verified) {
-      arguments[2] = wrapVerifiedAndPublish(username, password, verified, type)
-      return verify.apply(this, arguments)
+
+    return verify.apply(this, arguments)
+  }
+}
+
+function wrapStrategy (Strategy) {
+  return function wrappedStrategy () {
+    // verify function can be either the first or second argument
+    if (typeof arguments[0] === 'function') {
+      arguments[0] = wrapVerify(arguments[0])
+    } else {
+      arguments[1] = wrapVerify(arguments[1])
     }
+
+    return Strategy.apply(this, arguments)
   }
 }
 
+function strategyHook (Strategy) {
+  return shimmer.wrapFunction(Strategy, wrapStrategy)
+}
+
 module.exports = {
-  wrapVerify
+  strategyHook
 }
@@ -0,0 +1,85 @@
+'use strict'
+
+const shimmer = require('../../datadog-shimmer')
+const { addHook } = require('./helpers/instrument')
+
+/* TODO: test with:
+passport-jwt JWTs
+  can be used both for login events, or as a session, that complicates things it think
+  maybe instrument this lib directly, and ofc only send the events after it was verified
+@nestjs/passport
+pasport-local
+passport-oauth2
+passport-google-oauth20
+passport-custom
+passport-http
+passport-http-bearer
+koa-passport
+*/
+
+function wrapDone (done) {
+  // eslint-disable-next-line n/handle-callback-err
+  return function wrappedDone (err, user) {
+    if (user) {
+      const abortController = new AbortController()
+
+      // express-session middleware sets req.sessionID, it's required to use passport sessions anyway so might as well use it ?
+      // what if session IDs are using rolling sessions or always changing or something idk ?
+      channel.publish({ req, user, sessionId: req.sessionID, abortController })
+
+      if (abortController.signal.aborted) return
+    }
+
+    return done.apply(this, arguments)
+  }
+}
+
+function wrapDeserializeUser (deserializeUser) {
+  return function wrappedDeserializeUser (fn, req, done) {
+    if (typeof req === 'function') {
+      done = req
+      // req = storage.getStore().get('req')
+      arguments[1] = wrapDone(done)
+    } else {
+      arguments[2] = wrapDone(done)
+    }
+
+    return deserializeUser.apply(this, arguments)
+  }
+}
+
+
+const { block } = require('../../dd-trace/src/appsec/blocking')
+const { getRootSpan } = require('../../dd-trace/src/appsec/sdk/utils')
+
+addHook({
+  name: 'passport',
+  file: 'lib/authenticator.js',
+  versions: ['>=0.3.0'] // TODO
+}, Authenticator => {
+  shimmer.wrap(Authenticator.prototype, 'deserializeUser', wrapDeserializeUser)
+
+  shimmer.wrap(Authenticator.prototype, 'authenticate', function wrapAuthenticate (authenticate) {
+    return function wrappedAuthenticate (name) {
+      const middleware = authenticate.apply(this, arguments)
+
+      const strategy = this._strategy(name)
+
+      strategy._verify
+
+      return function wrappedMiddleware (req, res, next) {
+        return middleware(req, res, function wrappedNext (err) {
+          console.log('NEW', req.user)
+          if (req.user?.name === 'bitch') {
+
+            return block(req, res, getRootSpan(global._ddtrace))
+          }
+
+          return next.apply(this, arguments)
+        })
+      }
+    }
+  })
+
+  return Authenticator
+})
@@ -1,5 +1,6 @@
 'use strict'
 
+// TODO: reorder all this, it's a mess
 module.exports = {
   HTTP_INCOMING_BODY: 'server.request.body',
   HTTP_INCOMING_QUERY: 'server.request.query',
@@ -20,6 +21,8 @@ module.exports = {
   HTTP_CLIENT_IP: 'http.client_ip',
 
   USER_ID: 'usr.id',
+  USER_LOGIN: 'usr.login',
+
   WAF_CONTEXT_PROCESSOR: 'waf.context.processor',
 
   HTTP_OUTGOING_URL: 'server.io.net.url',
@@ -29,5 +32,6 @@ module.exports = {
   DB_SYSTEM: 'server.db.system',
 
   LOGIN_SUCCESS: 'server.business_logic.users.login.success',
-  LOGIN_FAILURE: 'server.business_logic.users.login.failure'
+  LOGIN_FAILURE: 'server.business_logic.users.login.failure',
+  SIGNUP: 'server.business_logic.users.signup'
 }