fix(housekeeping): audit sensitive actions

Several privileged housekeeping handlers returned success without appending an audit entry, so the action log stayed incomplete even after the log table schema was fixed. Add audit writes for ban, mute, password reset, HC changes, trade lock, item grants, room ownership transfer, and hotel alerts, and cover the expected logging surface with a contract test.
2026-06-19 15:06:19 +00:00 · 2026-06-13 15:49:35 +02:00
parent 98aab95d58
commit dbcf139a52
9 changed files with 73 additions and 0 deletions
@@ -61,6 +61,11 @@ public class HousekeepingBanUserEvent extends MessageHandler {
        // object, so we return the target user id as the actionId — it's
        // the only stable handle the client can use until a dedicated
        // housekeeping_log row id supersedes it.
+        com.eu.habbo.habbohotel.modtool.HousekeepingAuditLog.log(
+                this.client.getHabbo().getHabboInfo().getId(),
+                this.client.getHabbo().getHabboInfo().getUsername(),
+                ACTION_KEY, userId, "hours=" + hours + " reason=" + (reason != null ? reason : ""),
+                this.client.getHabbo().getHabboInfo().getIpLogin());
        this.client.sendResponse(new HousekeepingActionResultComposer(ACTION_KEY, true, userId, ""));
    }
 }
@@ -62,6 +62,11 @@ public class HousekeepingGrantItemEvent extends MessageHandler {
            return;
        }

+        com.eu.habbo.habbohotel.modtool.HousekeepingAuditLog.log(
+                this.client.getHabbo().getHabboInfo().getId(),
+                this.client.getHabbo().getHabboInfo().getUsername(),
+                ACTION_KEY, userId, "itemId=" + itemId + " quantity=" + quantity,
+                this.client.getHabbo().getHabboInfo().getIpLogin());
        this.client.sendResponse(new HousekeepingActionResultComposer(ACTION_KEY, true, userId, ""));
    }
 }
@@ -55,6 +55,11 @@ public class HousekeepingMuteUserEvent extends MessageHandler {
            target.alert(reason);
        }

+        com.eu.habbo.habbohotel.modtool.HousekeepingAuditLog.log(
+                this.client.getHabbo().getHabboInfo().getId(),
+                this.client.getHabbo().getHabboInfo().getUsername(),
+                ACTION_KEY, userId, "minutes=" + minutes + " reason=" + (reason != null ? reason : ""),
+                this.client.getHabbo().getHabboInfo().getIpLogin());
        this.client.sendResponse(new HousekeepingActionResultComposer(ACTION_KEY, true, userId, ""));
    }
 }
@@ -79,6 +79,11 @@ public class HousekeepingResetUserPasswordEvent extends MessageHandler {
        // Plaintext flows through `message` — the client surfaces it via the
        // status banner so the operator can read it once. SSL is on the
        // operator: the only secure transport for the WS is wss://.
+        com.eu.habbo.habbohotel.modtool.HousekeepingAuditLog.log(
+                this.client.getHabbo().getHabboInfo().getId(),
+                this.client.getHabbo().getHabboInfo().getUsername(),
+                ACTION_KEY, userId, "password_reset=1",
+                this.client.getHabbo().getHabboInfo().getIpLogin());
        this.client.sendResponse(new HousekeepingActionResultComposer(ACTION_KEY, true, userId, plain));
    }

@@ -53,6 +53,11 @@ public class HousekeepingSendHotelAlertEvent extends MessageHandler {
            reached++;
        }

+        com.eu.habbo.habbohotel.modtool.HousekeepingAuditLog.log(
+                this.client.getHabbo().getHabboInfo().getId(),
+                this.client.getHabbo().getHabboInfo().getUsername(),
+                ACTION_KEY, 0, "reached=" + reached + " message=" + message,
+                this.client.getHabbo().getHabboInfo().getIpLogin());
        this.client.sendResponse(new HousekeepingActionResultComposer(ACTION_KEY, true, reached, ""));
    }
 }
@@ -76,6 +76,11 @@ public class HousekeepingSetHcSubscriptionEvent extends MessageHandler {
            return;
        }

+        com.eu.habbo.habbohotel.modtool.HousekeepingAuditLog.log(
+                this.client.getHabbo().getHabboInfo().getId(),
+                this.client.getHabbo().getHabboInfo().getUsername(),
+                ACTION_KEY, userId, "days=" + days + " expire=" + newExpire,
+                this.client.getHabbo().getHabboInfo().getIpLogin());
        this.client.sendResponse(new HousekeepingActionResultComposer(ACTION_KEY, true, userId, ""));
    }
 }
@@ -77,6 +77,11 @@ public class HousekeepingTradeLockUserEvent extends MessageHandler {
            }
        }

+        com.eu.habbo.habbohotel.modtool.HousekeepingAuditLog.log(
+                this.client.getHabbo().getHabboInfo().getId(),
+                this.client.getHabbo().getHabboInfo().getUsername(),
+                ACTION_KEY, userId, "hours=" + hours + " lockedUntil=" + lockedUntil + " reason=" + (reason != null ? reason : ""),
+                this.client.getHabbo().getHabboInfo().getIpLogin());
        this.client.sendResponse(new HousekeepingActionResultComposer(ACTION_KEY, true, userId, ""));
    }
 }
@@ -62,6 +62,11 @@ public class HousekeepingTransferRoomOwnershipEvent extends MessageHandler {
            return;
        }

+        com.eu.habbo.habbohotel.modtool.HousekeepingAuditLog.log(
+                this.client.getHabbo().getHabboInfo().getId(),
+                this.client.getHabbo().getHabboInfo().getUsername(),
+                ACTION_KEY, newOwnerId, "roomId=" + roomId + " newOwner=" + newOwner.getUsername(),
+                this.client.getHabbo().getHabboInfo().getIpLogin());
        this.client.sendResponse(new HousekeepingActionResultComposer(ACTION_KEY, true, roomId, ""));
    }
 }
@@ -0,0 +1,33 @@
+package com.eu.habbo.messages.incoming.housekeeping;
+
+import org.junit.jupiter.api.Test;
+
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class HousekeepingAuditCoverageContractTest {
+    private static final List<String> SENSITIVE_HANDLERS = List.of(
+            "HousekeepingBanUserEvent.java",
+            "HousekeepingMuteUserEvent.java",
+            "HousekeepingResetUserPasswordEvent.java",
+            "HousekeepingSetHcSubscriptionEvent.java",
+            "HousekeepingTradeLockUserEvent.java",
+            "HousekeepingGrantItemEvent.java",
+            "HousekeepingTransferRoomOwnershipEvent.java",
+            "HousekeepingSendHotelAlertEvent.java"
+    );
+
+    @Test
+    void sensitiveHousekeepingActionsWriteAuditEntries() throws Exception {
+        Path base = Path.of("src/main/java/com/eu/habbo/messages/incoming/housekeeping");
+
+        for (String handler : SENSITIVE_HANDLERS) {
+            String source = Files.readString(base.resolve(handler));
+            assertTrue(source.contains("HousekeepingAuditLog.log"),
+                    handler + " must append a housekeeping audit log entry after successful privileged actions");
+        }
+    }
+}