Audit logging feature files

2026-01-29 15:10:29 -07:00
parent 41c8a1ef27
commit 1a578b23c1
11 changed files with 964 additions and 21 deletions
--- a/backend/routes/auth.js
+++ b/backend/routes/auth.js
@@ -3,7 +3,7 @@ const express = require('express');
 const bcrypt = require('bcryptjs');
 const crypto = require('crypto');

-function createAuthRouter(db) {
+function createAuthRouter(db, logAudit) {
    const router = express.Router();

    // Login
@@ -28,16 +28,43 @@ function createAuthRouter(db) {
            });

            if (!user) {
+                logAudit(db, {
+                    userId: null,
+                    username: username,
+                    action: 'login_failed',
+                    entityType: 'auth',
+                    entityId: null,
+                    details: { reason: 'user_not_found' },
+                    ipAddress: req.ip
+                });
                return res.status(401).json({ error: 'Invalid username or password' });
            }

            if (!user.is_active) {
+                logAudit(db, {
+                    userId: user.id,
+                    username: username,
+                    action: 'login_failed',
+                    entityType: 'auth',
+                    entityId: null,
+                    details: { reason: 'account_disabled' },
+                    ipAddress: req.ip
+                });
                return res.status(401).json({ error: 'Account is disabled' });
            }

            // Verify password
            const validPassword = await bcrypt.compare(password, user.password_hash);
            if (!validPassword) {
+                logAudit(db, {
+                    userId: user.id,
+                    username: username,
+                    action: 'login_failed',
+                    entityType: 'auth',
+                    entityId: null,
+                    details: { reason: 'invalid_password' },
+                    ipAddress: req.ip
+                });
                return res.status(401).json({ error: 'Invalid username or password' });
            }

@@ -77,6 +104,16 @@ function createAuthRouter(db) {
                maxAge: 24 * 60 * 60 * 1000 // 24 hours
            });

+            logAudit(db, {
+                userId: user.id,
+                username: user.username,
+                action: 'login',
+                entityType: 'auth',
+                entityId: null,
+                details: { role: user.role },
+                ipAddress: req.ip
+            });
+
            res.json({
                message: 'Login successful',
                user: {
@@ -97,6 +134,17 @@ function createAuthRouter(db) {
        const sessionId = req.cookies?.session_id;

        if (sessionId) {
+            // Look up user before deleting session
+            const session = await new Promise((resolve) => {
+                db.get(
+                    `SELECT u.id as user_id, u.username FROM sessions s
+                     JOIN users u ON s.user_id = u.id
+                     WHERE s.session_id = ?`,
+                    [sessionId],
+                    (err, row) => resolve(row || null)
+                );
+            });
+
            // Delete session from database
            await new Promise((resolve) => {
                db.run(
@@ -105,6 +153,18 @@ function createAuthRouter(db) {
                    () => resolve()
                );
            });
+
+            if (session) {
+                logAudit(db, {
+                    userId: session.user_id,
+                    username: session.username,
+                    action: 'logout',
+                    entityType: 'auth',
+                    entityId: null,
+                    details: null,
+                    ipAddress: req.ip
+                });
+            }
        }

        // Clear cookie