Audit Log

backend/app/api/v1/auth.py

@@ -161,13 +161,34 @@ async def totp_disable(
     summary="Cambio password utente corrente",
 )
 async def change_password(
+    request: Request,
     body: PasswordChangeRequest,
     current_user: CurrentUser,
     db: DB,
 ) -> None:
     from app.core.security import verify_password, hash_password
+    from app.services.audit_service import log_audit
 
     if not verify_password(body.current_password, current_user.password_hash):
+        from app.services.audit_service import log_audit as _la
+        await _la(
+            db,
+            "auth.password_changed",
+            tenant_id=current_user.tenant_id,
+            user_id=current_user.id,
+            outcome="failure",
+            ip_address=request.client.host if request.client else None,
+            user_agent=request.headers.get("user-agent"),
+            payload={"reason": "wrong_current_password"},
+        )
         raise InvalidCredentialsError()
 
     current_user.password_hash = hash_password(body.new_password)
+    await log_audit(
+        db,
+        "auth.password_changed",
+        tenant_id=current_user.tenant_id,
+        user_id=current_user.id,
+        ip_address=request.client.host if request.client else None,
+        user_agent=request.headers.get("user-agent"),
+    )