Add audit logs for resetAccountLockout #5726

carmenlau · carmenlau · commit 2c4b21782f0a · 2026-05-20T10:17:04.000+01:00
diff --git a/pkg/admin/graphql/audit_log.go b/pkg/admin/graphql/audit_log.go
@@ -260,6 +260,9 @@ var auditLogActivityType = graphql.NewEnum(graphql.EnumConfig{
 		"ADMIN_API_MUTATION_GENERATE_OOB_OTP_CODE_EXECUTED": &graphql.EnumValueConfig{
 			Value: "admin_api.mutation.generate_oob_otp_code.executed",
 		},
+		"ADMIN_API_MUTATION_RESET_ACCOUNT_LOCKOUT_EXECUTED": &graphql.EnumValueConfig{
+			Value: "admin_api.mutation.reset_account_lockout.executed",
+		},
 		"ADMIN_API_MUTATION_RESET_PASSWORD_EXECUTED": &graphql.EnumValueConfig{
 			Value: "admin_api.mutation.reset_password.executed",
 		},
diff --git a/pkg/admin/graphql/lockout_mutation.go b/pkg/admin/graphql/lockout_mutation.go
@@ -6,6 +6,8 @@ import (
 	relay "github.com/authgear/authgear-server/pkg/graphqlgo/relay"
 
 	"github.com/authgear/authgear-server/pkg/api/apierrors"
+	"github.com/authgear/authgear-server/pkg/api/event/nonblocking"
+	apimodel "github.com/authgear/authgear-server/pkg/api/model"
 	"github.com/authgear/authgear-server/pkg/util/graphqlutil"
 )
 
@@ -51,7 +53,24 @@ var _ = registerMutationField(
 			ctx := p.Context
 			gqlCtx := GQLContext(ctx)
 
-			err := gqlCtx.AccountLockoutFacade.ResetAccountLockout(ctx, userID)
+			previousStatus, err := gqlCtx.AccountLockoutFacade.GetAccountLockoutStatus(ctx, userID)
+			if err != nil {
+				return nil, err
+			}
+
+			err = gqlCtx.AccountLockoutFacade.ResetAccountLockout(ctx, userID)
+			if err != nil {
+				return nil, err
+			}
+
+			err = gqlCtx.Events.DispatchEventOnCommit(ctx, &nonblocking.AdminAPIMutationResetAccountLockoutExecutedEventPayload{
+				UserRef: apimodel.UserRef{
+					Meta: apimodel.Meta{
+						ID: userID,
+					},
+				},
+				PreviousLockoutStatus: previousStatus,
+			})
 			if err != nil {
 				return nil, err
 			}
diff --git a/pkg/api/event/nonblocking/adminapi_mutation_resetaccountlockout_executed.go b/pkg/api/event/nonblocking/adminapi_mutation_resetaccountlockout_executed.go
@@ -0,0 +1,49 @@
+package nonblocking
+
+import (
+	"github.com/authgear/authgear-server/pkg/api/event"
+	"github.com/authgear/authgear-server/pkg/api/model"
+)
+
+const (
+	AdminAPIMutationResetAccountLockoutExecuted event.Type = "admin_api.mutation.reset_account_lockout.executed"
+)
+
+type AdminAPIMutationResetAccountLockoutExecutedEventPayload struct {
+	UserRef               model.UserRef               `json:"-" resolve:"user"`
+	UserModel             model.User                  `json:"user"`
+	PreviousLockoutStatus *model.AccountLockoutStatus `json:"previous_lockout_status"`
+}
+
+func (e *AdminAPIMutationResetAccountLockoutExecutedEventPayload) NonBlockingEventType() event.Type {
+	return AdminAPIMutationResetAccountLockoutExecuted
+}
+
+func (e *AdminAPIMutationResetAccountLockoutExecutedEventPayload) UserID() string {
+	return e.UserModel.ID
+}
+
+func (e *AdminAPIMutationResetAccountLockoutExecutedEventPayload) GetTriggeredBy() event.TriggeredByType {
+	return event.TriggeredByTypeAdminAPI
+}
+
+func (e *AdminAPIMutationResetAccountLockoutExecutedEventPayload) FillContext(ctx *event.Context) {
+}
+
+func (e *AdminAPIMutationResetAccountLockoutExecutedEventPayload) ForHook() bool {
+	return false
+}
+
+func (e *AdminAPIMutationResetAccountLockoutExecutedEventPayload) ForAudit() bool {
+	return true
+}
+
+func (e *AdminAPIMutationResetAccountLockoutExecutedEventPayload) RequireReindexUserIDs() []string {
+	return nil
+}
+
+func (e *AdminAPIMutationResetAccountLockoutExecutedEventPayload) DeletedUserIDs() []string {
+	return nil
+}
+
+var _ event.NonBlockingPayload = &AdminAPIMutationResetAccountLockoutExecutedEventPayload{}
diff --git a/portal/src/graphql/adminapi/globalTypes.generated.ts b/portal/src/graphql/adminapi/globalTypes.generated.ts
@@ -201,6 +201,7 @@ export enum AuditLogActivityType {
   AdminApiMutationRemoveUserFromGroupsExecuted = 'ADMIN_API_MUTATION_REMOVE_USER_FROM_GROUPS_EXECUTED',
   AdminApiMutationRemoveUserFromRolesExecuted = 'ADMIN_API_MUTATION_REMOVE_USER_FROM_ROLES_EXECUTED',
   AdminApiMutationReplaceScopesOfClientidExecuted = 'ADMIN_API_MUTATION_REPLACE_SCOPES_OF_CLIENTID_EXECUTED',
+  AdminApiMutationResetAccountLockoutExecuted = 'ADMIN_API_MUTATION_RESET_ACCOUNT_LOCKOUT_EXECUTED',
   AdminApiMutationResetPasswordExecuted = 'ADMIN_API_MUTATION_RESET_PASSWORD_EXECUTED',
   AdminApiMutationRevokeAllSessionsExecuted = 'ADMIN_API_MUTATION_REVOKE_ALL_SESSIONS_EXECUTED',
   AdminApiMutationRevokeSessionExecuted = 'ADMIN_API_MUTATION_REVOKE_SESSION_EXECUTED',
diff --git a/portal/src/graphql/adminapi/schema.graphql b/portal/src/graphql/adminapi/schema.graphql
@@ -286,6 +286,9 @@ enum AuditLogActivityType {
   """"""
   ADMIN_API_MUTATION_REPLACE_SCOPES_OF_CLIENTID_EXECUTED
 
+  """"""
+  ADMIN_API_MUTATION_RESET_ACCOUNT_LOCKOUT_EXECUTED
+
   """"""
   ADMIN_API_MUTATION_RESET_PASSWORD_EXECUTED
 
diff --git a/portal/src/locale-data/en.json b/portal/src/locale-data/en.json
@@ -1453,6 +1453,7 @@
   "AuditLogActivityType.ADMIN_API_MUTATION_DELETE_IDENTITY_EXECUTED": "Admin API Mutation: Delete identity",
   "AuditLogActivityType.ADMIN_API_MUTATION_DELETE_USER_EXECUTED": "Admin API Mutation: Delete user",
   "AuditLogActivityType.ADMIN_API_MUTATION_GENERATE_OOB_OTP_CODE_EXECUTED": "Admin API Mutation: Generate OOB OTP code",
+  "AuditLogActivityType.ADMIN_API_MUTATION_RESET_ACCOUNT_LOCKOUT_EXECUTED": "Admin API Mutation: Reset account lockout",
   "AuditLogActivityType.ADMIN_API_MUTATION_RESET_PASSWORD_EXECUTED": "Admin API Mutation: Reset password",
   "AuditLogActivityType.ADMIN_API_MUTATION_REVOKE_ALL_SESSIONS_EXECUTED": "Admin API Mutation: Revoke all sessions",
   "AuditLogActivityType.ADMIN_API_MUTATION_REVOKE_SESSION_EXECUTED": "Admin API Mutation: Revoke session",
