This merge request refactors the audit events for the PasswordsController. It introduces a new event called "password_reset_requested" that is triggered when a user requests a password reset using a registered email address. The code changes include updating the log_audit_event method to use the new audit event and adding tests to ensure the audit events are generated correctly.
What does this MR do and why?
Adds audit event types for PasswordsController. Refactors associated API helpers to use Gitlab::Audit::Auditor to build audit events.
This affects the following services:
This MR also adds a previously uncaught test case where a nonexistent (or secondary) email is used to retrieve a password. Previous code would add an audit event using a blank scope; since scope is required in the new audit framework, PasswordsController has been updated to not audit such events where resource is not provided.
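The blank-scope case described above, as an added example that is not the MR's own code: a constructed stand-in auditor that, like the new framework, rejects an event without a scope, shown with the controller helper before and after the guard. AuditStub, find_user_by_primary_email, the user table and the message text are all hypothetical.

```ruby
class MissingScopeError < StandardError; end

# Hypothetical stand-in for a scope-requiring auditor (not GitLab's API).
module AuditStub
  EVENTS = []

  def self.audit(name:, author:, scope:, target:, message:)
    raise MissingScopeError, "scope is required for #{name}" if scope.nil?

    event = { name: name, author: author, scope: scope, target: target, message: message }
    EVENTS << event
    event
  end
end

User = Struct.new(:id, :email, :secondary_emails)

# Constructed user table; the lookup matches the primary address only, so a
# secondary email behaves exactly like a nonexistent one.
USERS = [User.new(1, 'alice@example.com', ['alice@alt.example'])].freeze

def find_user_by_primary_email(email)
  USERS.find { |u| u.email == email }
end

# Before: audits unconditionally, so an unknown or secondary email produces a
# blank scope, which the scope-requiring auditor now rejects.
def log_audit_event_before(email)
  resource = find_user_by_primary_email(email)
  AuditStub.audit(name: 'password_reset_requested', author: resource, scope: resource,
                  target: resource, message: 'Password reset requested')
end

# After: skip auditing when no resource was found, as the MR describes.
# Returns the event hash, or nil when nothing was audited.
def log_audit_event_after(email)
  resource = find_user_by_primary_email(email)
  return nil unless resource

  AuditStub.audit(name: 'password_reset_requested', author: resource, scope: resource,
                  target: resource, message: 'Password reset requested')
end
```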
This is an instance-level audit event and must be verified with admin access. This may only be possible in a local environment.
- Log out
- Click the password reset link
- Open the generated reset email and click the link
- Choose a new password
- Verify an audit event is created:
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
I have evaluated the MR acceptance checklist for this MR.
Related to #374107 (closed)