Audit logging feature files

backend/server.js

@@ -15,6 +15,8 @@ const fs = require('fs');
 const { requireAuth, requireRole } = require('./middleware/auth');
 const createAuthRouter = require('./routes/auth');
 const createUsersRouter = require('./routes/users');
+const createAuditLogRouter = require('./routes/auditLog');
+const logAudit = require('./helpers/auditLog');
 
 const app = express();
 const PORT = process.env.PORT || 3001;
@@ -46,10 +48,13 @@ const db = new sqlite3.Database('./cve_database.db', (err) => {
 });
 
 // Auth routes (public)
-app.use('/api/auth', createAuthRouter(db));
+app.use('/api/auth', createAuthRouter(db, logAudit));
 
 // User management routes (admin only)
-app.use('/api/users', createUsersRouter(db, requireAuth, requireRole));
+app.use('/api/users', createUsersRouter(db, requireAuth, requireRole, logAudit));
+
+// Audit log routes (admin only)
+app.use('/api/audit-logs', createAuditLogRouter(db, requireAuth, requireRole));
 
 // Simple storage - upload to temp directory first
 const storage = multer.diskStorage({
@@ -215,10 +220,19 @@ app.post('/api/cves', requireAuth(db), requireRole('editor', 'admin'), (req, res
             }
             return res.status(500).json({ error: err.message });
         }
-        res.json({ 
-            id: this.lastID, 
+        logAudit(db, {
+            userId: req.user.id,
+            username: req.user.username,
+            action: 'cve_create',
+            entityType: 'cve',
+            entityId: cve_id,
+            details: { vendor, severity },
+            ipAddress: req.ip
+        });
+        res.json({
+            id: this.lastID,
             cve_id,
-            message: `CVE created successfully for vendor: ${vendor}` 
+            message: `CVE created successfully for vendor: ${vendor}`
         });
     });
 });
@@ -230,12 +244,20 @@ app.patch('/api/cves/:cveId/status', requireAuth(db), requireRole('editor', 'adm
     const { status } = req.body;
     
     const query = `UPDATE cves SET status = ?, updated_at = CURRENT_TIMESTAMP WHERE cve_id = ?`;
-    
-    db.run(query, [
-        vendor,status, cveId], function(err) {
+
+    db.run(query, [status, cveId], function(err) {
         if (err) {
             return res.status(500).json({ error: err.message });
         }
+        logAudit(db, {
+            userId: req.user.id,
+            username: req.user.username,
+            action: 'cve_update_status',
+            entityType: 'cve',
+            entityId: cveId,
+            details: { status },
+            ipAddress: req.ip
+        });
         res.json({ message: 'Status updated successfully', changes: this.changes });
     });
 });
@@ -329,6 +351,15 @@ app.post('/api/cves/:cveId/documents', requireAuth(db), requireRole('editor', 'a
                 }
                 return res.status(500).json({ error: err.message });
             }
+            logAudit(db, {
+                userId: req.user.id,
+                username: req.user.username,
+                action: 'document_upload',
+                entityType: 'document',
+                entityId: cveId,
+                details: { vendor, type, filename: file.originalname },
+                ipAddress: req.ip
+            });
             res.json({
                 id: this.lastID,
                 message: 'Document uploaded successfully',
@@ -359,6 +390,15 @@ app.delete('/api/documents/:id', requireAuth(db), requireRole('admin'), (req, re
             if (err) {
                 return res.status(500).json({ error: err.message });
             }
+            logAudit(db, {
+                userId: req.user.id,
+                username: req.user.username,
+                action: 'document_delete',
+                entityType: 'document',
+                entityId: id,
+                details: { file_path: row ? row.file_path : null },
+                ipAddress: req.ip
+            });
             res.json({ message: 'Document deleted successfully' });
         });
     });