admin/Azaion.Common/Entities/AuditEvent.cs

namespace Azaion.Common.Entities;

public class AuditEvent
{
    public long      Id         { get; set; }
    public string    EventType  { get; set; } = null!;
    public DateTime  OccurredAt { get; set; }
    public string?   Email      { get; set; }
    public string?   Ip         { get; set; }
    public string?   Metadata   { get; set; }
}

public static class AuditEventTypes
{
    public const string LoginFailed       = "login_failed";
    public const string LoginLockout      = "login_lockout";
    public const string LoginSuccess      = "login_success";

    // AZ-556 — per-category internal forensics for unified `InvalidCredentials` wire
    // response. SecOps can distinguish these in the audit_events table even though the
    // /login response cannot be distinguished by an attacker.
    public const string LoginFailedUnknownEmail = "login_failed_unknown_email";
    public const string LoginFailedDisabled     = "login_failed_disabled";

    // AZ-534 — MFA lifecycle + login events.
    public const string MfaEnroll         = "mfa_enroll";
    public const string MfaConfirm        = "mfa_confirm";
    public const string MfaDisable        = "mfa_disable";
    public const string MfaLoginSuccess   = "mfa_login_success";
    public const string MfaLoginFailed    = "mfa_login_failed";
    public const string MfaRecoveryUsed   = "mfa_recovery_used";
}