lib audit.ts

0% Statements 0/113
100% Branches 1/1
100% Functions 1/1
0% Lines 0/113
Press n or j to go to the next uncovered block, b, p or k for the previous block.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  /**
 * Centralized Audit Logging Module
 * Single implementation used by all services (API, MCP, CLI, etc.)
 * Replaces 371 lines of custom audit logic spread across apps
 *
 * Handles:
 * - PostHog event emission (non-blocking)
 * - Database audit log persistence (non-blocking)
 * - Structured logging (always succeeds)
 */
 
import { logger } from "@snapback/infrastructure";
 
// PostHog configuration
const POSTHOG_API_KEY = process.env.POSTHOG_API_KEY || "";
const POSTHOG_HOST = process.env.POSTHOG_HOST || "https://us.posthog.com";
const POSTHOG_ENABLED = !!POSTHOG_API_KEY;
 
/**
 * Comprehensive audit event types supported across the system
 */
export type AuditEventType =
	// Auth events
	| "auth.signup"
	| "auth.signin"
	| "auth.signout"
	| "auth.signin_failed"
	| "auth.password_reset"
	| "auth.email_verified"
	// MFA events
	| "mfa.totp_enabled"
	| "mfa.totp_disabled"
	| "mfa.totp_verified"
	| "mfa.totp_failed"
	| "mfa.backup_code_used"
	// Passkey events
	| "passkey.enrolled"
	| "passkey.removed"
	| "passkey.verified"
	| "passkey.failed"
	// Session events
	| "session.created"
	| "session.refreshed"
	| "session.expired"
	| "session.revoked"
	// Organization events
	| "org.member_added"
	| "org.member_removed"
	| "org.role_changed"
	| "org.auto_provisioned"
	| "org.auto_provision_failed"
	// API key events
	| "apikey.created"
	| "apikey.revoked"
	| "apikey.used"
	// Step-up events
	| "stepup.required"
	| "stepup.success"
	| "stepup.failed";
 
/**
 * Audit event metadata
 */
export interface AuditEventMetadata {
	userId?: string;
	orgId?: string;
	ip?: string;
	userAgent?: string;
	method?: string;
	path?: string;
	statusCode?: number;
	errorMessage?: string;
	// Custom fields
	[key: string]: unknown;
}
 
/**
 * Emit event to PostHog (non-blocking)
 */
async function emitPostHogEvent(eventType: AuditEventType, metadata: AuditEventMetadata): Promise<void> {
	if (!POSTHOG_ENABLED) {
		return;
	}
 
	try {
		const event = {
			api_key: POSTHOG_API_KEY,
			event: eventType,
			distinct_id: metadata.userId || metadata.ip || "anonymous",
			properties: {
				...metadata,
				$ip: metadata.ip,
				$set: {
					email: metadata.userId ? `user_${metadata.userId}` : undefined,
				},
			},
			timestamp: new Date().toISOString(),
		};
 
		const response = await fetch(`${POSTHOG_HOST}/capture/`, {
			method: "POST",
			headers: {
				"Content-Type": "application/json",
			},
			body: JSON.stringify(event),
		});
 
		if (!response.ok) {
			logger.error("Failed to emit PostHog event", {
				eventType,
				status: response.status,
				statusText: response.statusText,
			});
		}
	} catch (error) {
		logger.error("Error emitting PostHog event", {
			error,
			eventType,
		});
	}
}
 
/**
 * Write audit log to database (non-blocking)
 * Stores audit events in telemetry_events table with event_category='audit'
 * Uses @snapback/platform DB connection via lazy import to avoid circular deps
 */
async function writeAuditLog(eventType: AuditEventType, metadata: AuditEventMetadata): Promise<void> {
	try {
		// Lazy import to avoid circular dependencies
		const { db, snapbackSchema } = await import("@snapback/platform");
 
		if (!db) {
			logger.warn("Database not available for audit logging", { eventType });
			return;
		}
 
		const { telemetryEvents } = snapbackSchema;
 
		// Write to telemetry_events table with event_category='audit'
		await db.insert(telemetryEvents).values({
			eventType,
			eventCategory: "audit",
			userId: metadata.userId,
			properties: {
				ip: metadata.ip,
				userAgent: metadata.userAgent,
				method: metadata.method,
				path: metadata.path,
				statusCode: metadata.statusCode,
				errorMessage: metadata.errorMessage,
				...metadata, // Include any custom fields
			},
		});
 
		logger.debug("Audit log written", {
			eventType,
			userId: metadata.userId,
			orgId: metadata.orgId,
		});
	} catch (error) {
		logger.error("Failed to write audit log", {
			error,
			eventType,
			metadata,
		});
		// Don't throw - audit logging should not break main flow
	}
}
 
/**
 * Track authentication event
 * Emits to PostHog and writes to audit log (both non-blocking)
 */
export async function trackEvent(eventType: AuditEventType, metadata: AuditEventMetadata): Promise<void> {
	// Log locally (always succeeds)
	logger.info("Audit event", {
		eventType,
		userId: metadata.userId,
		orgId: metadata.orgId,
		path: metadata.path,
	});
 
	// Emit to PostHog (non-blocking)
	emitPostHogEvent(eventType, metadata).catch((error) => {
		logger.error("PostHog emit failed", { error, eventType });
	});
 
	// Write to audit log (non-blocking)
	writeAuditLog(eventType, metadata).catch((error) => {
		logger.error("Audit log write failed", { error, eventType });
	});
}
 
/**
 * Track failed authentication attempt
 */
export async function trackFailedAuth(
	type: "signin" | "totp" | "passkey",
	metadata: AuditEventMetadata,
): Promise<void> {
	const eventMap = {
		signin: "auth.signin_failed" as AuditEventType,
		totp: "mfa.totp_failed" as AuditEventType,
		passkey: "passkey.failed" as AuditEventType,
	};
 
	await trackEvent(eventMap[type], metadata);
 
	// Could trigger additional actions:
	// - Check for abuse patterns
	// - Rate limit if needed
	// - Alert security team if excessive
}
 
/**
 * Helper type for better-auth database hooks
 */
export interface DatabaseHookContext {
	eventType: AuditEventType;
	metadata: AuditEventMetadata;
}
 
/**
 * Adapter for better-auth database hooks
 * Provides helper function for use in databaseHooks configuration
 */
export function createDatabaseHookHandler(eventType: AuditEventType) {
	return async (data: any) => {
		await trackEvent(eventType, {
			userId: data.userId || data.user?.id,
			orgId: data.organizationId || data.organization?.id,
			timestamp: new Date().toISOString(),
			...data,
		});
	};
}