Initial commit

2026-03-07 05:40:11 +00:00 · 2025-12-28 21:16:03 +01:00
commit 62e3c6439e
552 changed files with 104858 additions and 0 deletions
--- a/routes/api/audit/+server.ts
+++ b/routes/api/audit/+server.ts
@@ -0,0 +1,68 @@
+import { json } from '@sveltejs/kit';
+import { authorize, enterpriseRequired } from '$lib/server/authorize';
+import { getAuditLogs, getAuditLogUsers, type AuditLogFilters, type AuditEntityType, type AuditAction } from '$lib/server/db';
+import type { RequestHandler } from './$types';
+
+export const GET: RequestHandler = async ({ url, cookies }) => {
+	const auth = await authorize(cookies);
+
+	// Audit log is Enterprise-only
+	if (!auth.isEnterprise) {
+		return json(enterpriseRequired(), { status: 403 });
+	}
+
+	// Check permission
+	if (!await auth.canViewAuditLog()) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		// Parse query parameters
+		const filters: AuditLogFilters = {};
+
+		// Support multi-select filters (comma-separated)
+		const usernames = url.searchParams.get('usernames');
+		if (usernames) filters.usernames = usernames.split(',').filter(Boolean);
+
+		const entityTypes = url.searchParams.get('entityTypes');
+		if (entityTypes) filters.entityTypes = entityTypes.split(',').filter(Boolean) as AuditEntityType[];
+
+		const actions = url.searchParams.get('actions');
+		if (actions) filters.actions = actions.split(',').filter(Boolean) as AuditAction[];
+
+		// Legacy single-value support
+		const username = url.searchParams.get('username');
+		if (username) filters.usernames = [username];
+
+		const entityType = url.searchParams.get('entityType');
+		if (entityType) filters.entityTypes = [entityType as AuditEntityType];
+
+		const action = url.searchParams.get('action');
+		if (action) filters.actions = [action as AuditAction];
+
+		const envId = url.searchParams.get('environmentId');
+		if (envId) filters.environmentId = parseInt(envId);
+
+		// Labels filter (comma-separated)
+		const labels = url.searchParams.get('labels');
+		if (labels) filters.labels = labels.split(',').filter(Boolean);
+
+		const fromDate = url.searchParams.get('fromDate');
+		if (fromDate) filters.fromDate = fromDate;
+
+		const toDate = url.searchParams.get('toDate');
+		if (toDate) filters.toDate = toDate;
+
+		const limit = url.searchParams.get('limit');
+		if (limit) filters.limit = parseInt(limit);
+
+		const offset = url.searchParams.get('offset');
+		if (offset) filters.offset = parseInt(offset);
+
+		const result = await getAuditLogs(filters);
+		return json(result);
+	} catch (error) {
+		console.error('Error fetching audit logs:', error);
+		return json({ error: 'Failed to fetch audit logs' }, { status: 500 });
+	}
+};
--- a/routes/api/audit/events/+server.ts
+++ b/routes/api/audit/events/+server.ts
@@ -0,0 +1,79 @@
+import type { RequestHandler } from './$types';
+import { authorize, enterpriseRequired } from '$lib/server/authorize';
+import { auditEvents, type AuditEventData } from '$lib/server/audit-events';
+
+export const GET: RequestHandler = async ({ cookies }) => {
+	const auth = await authorize(cookies);
+
+	// Audit log is Enterprise-only
+	if (!auth.isEnterprise) {
+		return new Response(JSON.stringify(enterpriseRequired()), {
+			status: 403,
+			headers: { 'Content-Type': 'application/json' }
+		});
+	}
+
+	// Check permission
+	if (!await auth.canViewAuditLog()) {
+		return new Response(JSON.stringify({ error: 'Permission denied' }), {
+			status: 403,
+			headers: { 'Content-Type': 'application/json' }
+		});
+	}
+
+	const stream = new ReadableStream({
+		start(controller) {
+			const encoder = new TextEncoder();
+
+			// Send SSE event
+			const sendEvent = (type: string, data: any) => {
+				const event = `event: ${type}\ndata: ${JSON.stringify(data)}\n\n`;
+				try {
+					controller.enqueue(encoder.encode(event));
+				} catch (e) {
+					// Client disconnected
+				}
+			};
+
+			// Send initial connection event
+			sendEvent('connected', { timestamp: new Date().toISOString() });
+
+			// Send heartbeat to keep connection alive (every 5s to prevent Traefik 10s idle timeout)
+			const heartbeatInterval = setInterval(() => {
+				try {
+					sendEvent('heartbeat', { timestamp: new Date().toISOString() });
+				} catch {
+					clearInterval(heartbeatInterval);
+				}
+			}, 5000);
+
+			// Listen for audit events
+			const onAuditEvent = (data: AuditEventData) => {
+				sendEvent('audit', data);
+			};
+
+			auditEvents.on('audit', onAuditEvent);
+
+			// Cleanup when client disconnects
+			const cleanup = () => {
+				clearInterval(heartbeatInterval);
+				auditEvents.off('audit', onAuditEvent);
+			};
+
+			// Note: SvelteKit doesn't provide a direct way to detect client disconnect
+			// The cleanup will happen when the stream errors or the server shuts down
+			// For production, consider using a WebSocket instead for better connection management
+
+			return cleanup;
+		}
+	});
+
+	return new Response(stream, {
+		headers: {
+			'Content-Type': 'text/event-stream',
+			'Cache-Control': 'no-cache',
+			'Connection': 'keep-alive',
+			'X-Accel-Buffering': 'no' // Disable nginx buffering
+		}
+	});
+};
--- a/routes/api/audit/export/+server.ts
+++ b/routes/api/audit/export/+server.ts
@@ -0,0 +1,182 @@
+import { authorize, enterpriseRequired } from '$lib/server/authorize';
+import { getAuditLogs, type AuditLogFilters, type AuditEntityType, type AuditAction, type AuditLog } from '$lib/server/db';
+import type { RequestHandler } from './$types';
+
+function escapeCSV(value: string | null | undefined): string {
+	if (value === null || value === undefined) return '';
+	const str = String(value);
+	if (str.includes(',') || str.includes('"') || str.includes('\n')) {
+		return `"${str.replace(/"/g, '""')}"`;
+	}
+	return str;
+}
+
+function formatToJSON(logs: AuditLog[]): string {
+	return JSON.stringify(logs, null, 2);
+}
+
+function formatToCSV(logs: AuditLog[]): string {
+	const headers = [
+		'ID',
+		'Timestamp',
+		'Username',
+		'Action',
+		'Entity Type',
+		'Entity ID',
+		'Entity Name',
+		'Environment ID',
+		'Description',
+		'IP Address',
+		'User Agent',
+		'Details'
+	];
+
+	const rows = logs.map((log) => [
+		log.id,
+		log.createdAt,
+		escapeCSV(log.username),
+		escapeCSV(log.action),
+		escapeCSV(log.entityType),
+		escapeCSV(log.entityId),
+		escapeCSV(log.entityName),
+		log.environmentId ?? '',
+		escapeCSV(log.description),
+		escapeCSV(log.ipAddress),
+		escapeCSV(log.userAgent),
+		escapeCSV(log.details ? JSON.stringify(log.details) : '')
+	]);
+
+	return [headers.join(','), ...rows.map((row) => row.join(','))].join('\n');
+}
+
+function formatToMarkdown(logs: AuditLog[]): string {
+	const lines: string[] = [];
+
+	lines.push('# Audit Log Export');
+	lines.push('');
+	lines.push(`Generated: ${new Date().toISOString()}`);
+	lines.push('');
+	lines.push(`Total entries: ${logs.length}`);
+	lines.push('');
+	lines.push('---');
+	lines.push('');
+
+	for (const log of logs) {
+		lines.push(`## ${log.action.toUpperCase()} - ${log.entityType}`);
+		lines.push('');
+		lines.push(`| Field | Value |`);
+		lines.push(`|-------|-------|`);
+		lines.push(`| Timestamp | ${log.createdAt} |`);
+		lines.push(`| User | ${log.username} |`);
+		lines.push(`| Action | ${log.action} |`);
+		lines.push(`| Entity Type | ${log.entityType} |`);
+		if (log.entityName) lines.push(`| Entity Name | ${log.entityName} |`);
+		if (log.entityId) lines.push(`| Entity ID | \`${log.entityId}\` |`);
+		if (log.environmentId) lines.push(`| Environment ID | ${log.environmentId} |`);
+		if (log.description) lines.push(`| Description | ${log.description} |`);
+		if (log.ipAddress) lines.push(`| IP Address | ${log.ipAddress} |`);
+
+		if (log.details) {
+			lines.push('');
+			lines.push('**Details:**');
+			lines.push('```json');
+			lines.push(JSON.stringify(log.details, null, 2));
+			lines.push('```');
+		}
+
+		lines.push('');
+		lines.push('---');
+		lines.push('');
+	}
+
+	return lines.join('\n');
+}
+
+export const GET: RequestHandler = async ({ url, cookies }) => {
+	const auth = await authorize(cookies);
+
+	// Audit log is Enterprise-only
+	if (!auth.isEnterprise) {
+		return new Response(JSON.stringify(enterpriseRequired()), {
+			status: 403,
+			headers: { 'Content-Type': 'application/json' }
+		});
+	}
+
+	// Check permission
+	if (!await auth.canViewAuditLog()) {
+		return new Response(JSON.stringify({ error: 'Permission denied' }), {
+			status: 403,
+			headers: { 'Content-Type': 'application/json' }
+		});
+	}
+
+	try {
+		// Parse query parameters
+		const filters: AuditLogFilters = {};
+
+		const username = url.searchParams.get('username');
+		if (username) filters.username = username;
+
+		const entityType = url.searchParams.get('entityType');
+		if (entityType) filters.entityType = entityType as AuditEntityType;
+
+		const action = url.searchParams.get('action');
+		if (action) filters.action = action as AuditAction;
+
+		const envId = url.searchParams.get('environmentId');
+		if (envId) filters.environmentId = parseInt(envId);
+
+		const fromDate = url.searchParams.get('fromDate');
+		if (fromDate) filters.fromDate = fromDate;
+
+		const toDate = url.searchParams.get('toDate');
+		if (toDate) filters.toDate = toDate;
+
+		// For export, get all matching records (no pagination)
+		filters.limit = 10000; // Reasonable max limit
+
+		const result = await getAuditLogs(filters);
+		const logs = result.logs;
+
+		const format = url.searchParams.get('format') || 'json';
+		const timestamp = new Date().toISOString().split('T')[0];
+
+		let content: string;
+		let contentType: string;
+		let filename: string;
+
+		switch (format) {
+			case 'csv':
+				content = formatToCSV(logs);
+				contentType = 'text/csv';
+				filename = `audit-log-${timestamp}.csv`;
+				break;
+			case 'md':
+				content = formatToMarkdown(logs);
+				contentType = 'text/markdown';
+				filename = `audit-log-${timestamp}.md`;
+				break;
+			case 'json':
+			default:
+				content = formatToJSON(logs);
+				contentType = 'application/json';
+				filename = `audit-log-${timestamp}.json`;
+				break;
+		}
+
+		return new Response(content, {
+			status: 200,
+			headers: {
+				'Content-Type': contentType,
+				'Content-Disposition': `attachment; filename="${filename}"`
+			}
+		});
+	} catch (error) {
+		console.error('Error exporting audit logs:', error);
+		return new Response(JSON.stringify({ error: 'Failed to export audit logs' }), {
+			status: 500,
+			headers: { 'Content-Type': 'application/json' }
+		});
+	}
+};
--- a/routes/api/audit/users/+server.ts
+++ b/routes/api/audit/users/+server.ts
@@ -0,0 +1,26 @@
+import { json } from '@sveltejs/kit';
+import { authorize, enterpriseRequired } from '$lib/server/authorize';
+import { getAuditLogUsers } from '$lib/server/db';
+import type { RequestHandler } from './$types';
+
+export const GET: RequestHandler = async ({ cookies }) => {
+	const auth = await authorize(cookies);
+
+	// Audit log is Enterprise-only
+	if (!auth.isEnterprise) {
+		return json(enterpriseRequired(), { status: 403 });
+	}
+
+	// Check permission
+	if (!await auth.canViewAuditLog()) {
+		return json({ error: 'Permission denied' }, { status: 403 });
+	}
+
+	try {
+		const users = await getAuditLogUsers();
+		return json(users);
+	} catch (error) {
+		console.error('Error fetching audit log users:', error);
+		return json({ error: 'Failed to fetch audit log users' }, { status: 500 });
+	}
+};