feat: log form updates

src/app/modules/auth/auth.middlewares.ts

@@ -1,10 +1,14 @@
 import { StatusCodes } from 'http-status-codes'
 
+import { createLoggerWithLabel } from '../../config/logger'
+import { createReqMeta } from '../../utils/request'
 import { ControllerHandler } from '../core/core.types'
 import * as UserService from '../user/user.service'
 
 import { isUserInSession } from './auth.utils'
 
+const logger = createLoggerWithLabel(module)
+
 /**
  * Middleware that only allows authenticated users to pass through to the next
  * handler.
@@ -53,3 +57,32 @@ export const denyRpSpStudentEmails: ControllerHandler<
         .json({ message: 'User not found' }),
     )
 }
+
+/**
+ * Logs all admin actions which change database state (i.e. non-GET requests)
+ * @returns next
+ */
+export const logAdminAction: ControllerHandler<
+  unknown,
+  unknown,
+  unknown
+> = async (req, res, next) => {
+  const sessionUserId = (req.session as Express.AuthedSession).user._id
+  const body = req.body
+  const method = req.method
+
+  if (req.method.toLowerCase() !== 'get') {
+    logger.info({
+      message: 'Admin attempting to make changes',
+      meta: {
+        action: 'logAdminAction',
+        method,
+        ...createReqMeta(req),
+        sessionUserId,
+        body,
+      },
+    })
+  }
+
+  return next()
+}

src/app/routes/api/v3/admin/forms/admin-forms.routes.ts

@@ -2,6 +2,7 @@ import { Router } from 'express'
 
 import {
   denyRpSpStudentEmails,
+  logAdminAction,
   withUserAuthentication,
 } from '../../../../../modules/auth/auth.middlewares'
 
@@ -19,6 +20,9 @@ export const AdminFormsRouter = Router()
 AdminFormsRouter.use(withUserAuthentication)
 AdminFormsRouter.use(denyRpSpStudentEmails)
 
+// Log all non-get admin actions
+AdminFormsRouter.use(logAdminAction)
+
 AdminFormsRouter.use(AdminFormsSettingsRouter)
 AdminFormsRouter.use(AdminFormsFeedbackRouter)
 AdminFormsRouter.use(AdminFormsFormRouter)