Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: log form updates #2063

Merged
merged 4 commits into from
Jun 8, 2021
Merged

feat: log form updates #2063

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0005369
feat: log form updates
tshuli Jun 3, 2021
657f7ce
chore: log formId, remove unknown typing for ControllerHandler
tshuli Jun 7, 2021
da13c1f
chore: log req.query
tshuli Jun 8, 2021
df71aa7
chore: remove end slash for route
tshuli Jun 8, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 40 additions & 5 deletions src/app/modules/auth/auth.middlewares.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,14 @@
import { StatusCodes } from 'http-status-codes'

import { createLoggerWithLabel } from '../../config/logger'
import { createReqMeta } from '../../utils/request'
import { ControllerHandler } from '../core/core.types'
import * as UserService from '../user/user.service'

import { isUserInSession } from './auth.utils'

const logger = createLoggerWithLabel(module)

/**
* Middleware that only allows authenticated users to pass through to the next
* handler.
Expand All @@ -30,11 +34,11 @@ const DENIED_DOMAINS = ['myrp.edu.sg', 'ichat.sp.edu.sg']
* @returns 400 if user in session is from a disallowed domain and
* HTTP method changes database state; next otherwise
*/
export const denyRpSpStudentEmails: ControllerHandler<
unknown,
unknown,
unknown
> = async (req, res, next) => {
export const denyRpSpStudentEmails: ControllerHandler = async (
req,
res,
next,
) => {
const userId = (req.session as Express.AuthedSession).user._id
return UserService.findUserById(userId)
.map((user) => {
Expand All @@ -53,3 +57,34 @@ export const denyRpSpStudentEmails: ControllerHandler<
.json({ message: 'User not found' }),
)
}

/**
* Logs all admin actions which change database state (i.e. non-GET requests)
* @returns next
*/
export const logAdminAction: ControllerHandler<{ formId: string }> = async (
tshuli marked this conversation as resolved.
Show resolved Hide resolved
req,
res,
next,
) => {
const sessionUserId = (req.session as Express.AuthedSession).user._id
const body = req.body
const method = req.method
const { formId } = req.params

if (req.method.toLowerCase() !== 'get') {
logger.info({
message: 'Admin attempting to make changes',
meta: {
action: 'logAdminAction',
method,
...createReqMeta(req),
sessionUserId,
formId,
body,
tshuli marked this conversation as resolved.
Show resolved Hide resolved
},
})
}

return next()
}
4 changes: 4 additions & 0 deletions src/app/routes/api/v3/admin/forms/admin-forms.routes.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ import { Router } from 'express'

import {
denyRpSpStudentEmails,
logAdminAction,
withUserAuthentication,
} from '../../../../../modules/auth/auth.middlewares'

Expand All @@ -19,6 +20,9 @@ export const AdminFormsRouter = Router()
AdminFormsRouter.use(withUserAuthentication)
AdminFormsRouter.use(denyRpSpStudentEmails)

// Log all non-get admin form actions
AdminFormsRouter.use('/:formId([a-fA-F0-9]{24})/', logAdminAction)
tshuli marked this conversation as resolved.
Show resolved Hide resolved

AdminFormsRouter.use(AdminFormsSettingsRouter)
AdminFormsRouter.use(AdminFormsFeedbackRouter)
AdminFormsRouter.use(AdminFormsFormRouter)
Expand Down