feat(audit-logging): Implement Edge-compatible audit logging utility and safe logging module
- Added `auditLogEdge.js` for Edge Runtime compatible audit logging, including console logging and API fallback. - Introduced `auditLogSafe.js` for safe audit logging without direct database imports, ensuring compatibility across runtimes. - Enhanced `auth.js` to integrate safe audit logging for login actions, including success and failure cases. - Created middleware `auditLog.js` to facilitate audit logging for API routes with predefined configurations. - Updated `middleware.js` to allow API route access without authentication checks. - Added tests for audit logging functionality and Edge compatibility in `test-audit-logging.mjs` and `test-edge-compatibility.mjs`. - Implemented safe audit logging tests in `test-safe-audit-logging.mjs` to verify functionality across environments.
This commit is contained in:
Chop
@@ -1,3 +1,6 @@
|
||||
// Force this API route to use Node.js runtime for database access
|
||||
export const runtime = "nodejs";
|
||||
|
||||
import {
|
||||
getProjectById,
|
||||
updateProject,
|
||||
@@ -6,6 +9,11 @@ import {
|
||||
import initializeDatabase from "@/lib/init-db";
|
||||
import { NextResponse } from "next/server";
|
||||
import { withReadAuth, withUserAuth } from "@/lib/middleware/auth";
|
||||
import {
|
||||
logApiActionSafe,
|
||||
AUDIT_ACTIONS,
|
||||
RESOURCE_TYPES,
|
||||
} from "@/lib/auditLogSafe.js";
|
||||
|
||||
// Make sure the DB is initialized before queries run
|
||||
initializeDatabase();
|
||||
@@ -18,6 +26,16 @@ async function getProjectHandler(req, { params }) {
|
||||
return NextResponse.json({ error: "Project not found" }, { status: 404 });
|
||||
}
|
||||
|
||||
// Log project view
|
||||
await logApiActionSafe(
|
||||
req,
|
||||
AUDIT_ACTIONS.PROJECT_VIEW,
|
||||
RESOURCE_TYPES.PROJECT,
|
||||
id,
|
||||
req.session,
|
||||
{ project_name: project.project_name }
|
||||
);
|
||||
|
||||
return NextResponse.json(project);
|
||||
}
|
||||
|
||||
@@ -28,16 +46,54 @@ async function updateProjectHandler(req, { params }) {
|
||||
// Get user ID from authenticated request
|
||||
const userId = req.user?.id;
|
||||
|
||||
// Get original project data for audit log
|
||||
const originalProject = getProjectById(parseInt(id));
|
||||
|
||||
updateProject(parseInt(id), data, userId);
|
||||
|
||||
// Return the updated project
|
||||
// Get updated project
|
||||
const updatedProject = getProjectById(parseInt(id));
|
||||
|
||||
// Log project update
|
||||
await logApiActionSafe(
|
||||
req,
|
||||
AUDIT_ACTIONS.PROJECT_UPDATE,
|
||||
RESOURCE_TYPES.PROJECT,
|
||||
id,
|
||||
req.session,
|
||||
{
|
||||
originalData: originalProject,
|
||||
updatedData: data,
|
||||
changedFields: Object.keys(data),
|
||||
}
|
||||
);
|
||||
|
||||
return NextResponse.json(updatedProject);
|
||||
}
|
||||
|
||||
async function deleteProjectHandler(req, { params }) {
|
||||
const { id } = await params;
|
||||
|
||||
// Get project data before deletion for audit log
|
||||
const project = getProjectById(parseInt(id));
|
||||
|
||||
deleteProject(parseInt(id));
|
||||
|
||||
// Log project deletion
|
||||
await logApiActionSafe(
|
||||
req,
|
||||
AUDIT_ACTIONS.PROJECT_DELETE,
|
||||
RESOURCE_TYPES.PROJECT,
|
||||
id,
|
||||
req.session,
|
||||
{
|
||||
deletedProject: {
|
||||
project_name: project?.project_name,
|
||||
project_number: project?.project_number,
|
||||
},
|
||||
}
|
||||
);
|
||||
|
||||
return NextResponse.json({ success: true });
|
||||
}
|
||||
|
||||
|
||||
@@ -1,3 +1,6 @@
|
||||
// Force this API route to use Node.js runtime for database access
|
||||
export const runtime = "nodejs";
|
||||
|
||||
import {
|
||||
getAllProjects,
|
||||
createProject,
|
||||
@@ -6,6 +9,11 @@ import {
|
||||
import initializeDatabase from "@/lib/init-db";
|
||||
import { NextResponse } from "next/server";
|
||||
import { withReadAuth, withUserAuth } from "@/lib/middleware/auth";
|
||||
import {
|
||||
logApiActionSafe,
|
||||
AUDIT_ACTIONS,
|
||||
RESOURCE_TYPES,
|
||||
} from "@/lib/auditLogSafe.js";
|
||||
|
||||
// Make sure the DB is initialized before queries run
|
||||
initializeDatabase();
|
||||
@@ -30,6 +38,19 @@ async function getProjectsHandler(req) {
|
||||
projects = getAllProjects(contractId);
|
||||
}
|
||||
|
||||
// Log project list access
|
||||
await logApiActionSafe(
|
||||
req,
|
||||
AUDIT_ACTIONS.PROJECT_VIEW,
|
||||
RESOURCE_TYPES.PROJECT,
|
||||
null, // No specific project ID for list view
|
||||
req.session,
|
||||
{
|
||||
filters: { contractId, assignedTo, createdBy },
|
||||
resultCount: projects.length,
|
||||
}
|
||||
);
|
||||
|
||||
return NextResponse.json(projects);
|
||||
}
|
||||
|
||||
@@ -40,9 +61,27 @@ async function createProjectHandler(req) {
|
||||
const userId = req.user?.id;
|
||||
|
||||
const result = createProject(data, userId);
|
||||
const projectId = result.lastInsertRowid;
|
||||
|
||||
// Log project creation
|
||||
await logApiActionSafe(
|
||||
req,
|
||||
AUDIT_ACTIONS.PROJECT_CREATE,
|
||||
RESOURCE_TYPES.PROJECT,
|
||||
projectId.toString(),
|
||||
req.session,
|
||||
{
|
||||
projectData: {
|
||||
project_name: data.project_name,
|
||||
project_number: data.project_number,
|
||||
contract_id: data.contract_id,
|
||||
},
|
||||
}
|
||||
);
|
||||
|
||||
return NextResponse.json({
|
||||
success: true,
|
||||
projectId: result.lastInsertRowid,
|
||||
projectId: projectId,
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user