MOPC/MOPC-Portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
79ac60dc1e78c68f000a838c77384df56dbd4d04
MOPC-Portal/src/server/trpc.ts
Matt 79ac60dc1e
Some checks failed
Build and Push Docker Image / build (push) Has been cancelled
Details
feat: automatic mutation audit logging for all non-super-admin users 
Implement withMutationAudit middleware in tRPC that automatically logs
every successful mutation for non-SUPER_ADMIN users. Captures procedure
path, sanitized input (passwords/tokens redacted), user role, IP, and
user agent. Applied to all procedure types except superAdminProcedure.

- Input sanitization: strips sensitive fields, truncates long strings
  (500 chars), limits array size (20 items), caps nesting depth (4)
- Entity ID auto-extraction from common input patterns (id, userId,
  projectId, roundId, etc.)
- Action names derived from procedure path (e.g., evaluation.submit
  becomes EVALUATION_SUBMIT)
- Audit page updated with new action types and entity types for
  filtering auto-generated entries
- Failures silently caught — audit logging never breaks operations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 18:04:52 +01:00

281 lines
9.2 KiB
TypeScript
Raw Blame History

import { initTRPC, TRPCError } from '@trpc/server'
import superjson from 'superjson'
import { ZodError } from 'zod'
import type { Prisma } from '@prisma/client'
import type { Context } from './context'
import type { UserRole } from '@prisma/client'
/**
* Initialize tRPC with context type and configuration
*/
const t = initTRPC.context<Context>().create({
transformer: superjson,
errorFormatter({ shape, error }) {
return {
...shape,
data: {
...shape.data,
zodError:
error.cause instanceof ZodError ? error.cause.flatten() : null,
},
}
},
})
/**
* Export reusable router and procedure helpers
*/
export const router = t.router
export const publicProcedure = t.procedure
export const middleware = t.middleware
export const createCallerFactory = t.createCallerFactory
// =============================================================================
// Middleware
// =============================================================================
/**
* Middleware to require authenticated user
*/
const isAuthenticated = middleware(async ({ ctx, next }) => {
if (!ctx.session?.user) {
throw new TRPCError({
code: 'UNAUTHORIZED',
message: 'You must be logged in to perform this action',
})
}
return next({
ctx: {
...ctx,
user: ctx.session.user,
},
})
})
/**
* Helper to check if a user has any of the specified roles.
* Checks the roles array first, falls back to [role] for stale JWT tokens.
*/
export function userHasRole(user: { role: UserRole; roles?: UserRole[] }, ...checkRoles: UserRole[]): boolean {
const userRoles = user.roles?.length ? user.roles : [user.role]
return checkRoles.some(r => userRoles.includes(r))
}
/**
* Middleware to require specific role(s)
*/
const hasRole = (...roles: UserRole[]) =>
middleware(async ({ ctx, next }) => {
if (!ctx.session?.user) {
throw new TRPCError({
code: 'UNAUTHORIZED',
message: 'You must be logged in to perform this action',
})
}
// Use roles array, fallback to [role] for stale JWT tokens
const userRoles = ctx.session.user.roles?.length
? ctx.session.user.roles
: [ctx.session.user.role]
if (!roles.some(r => userRoles.includes(r))) {
throw new TRPCError({
code: 'FORBIDDEN',
message: 'You do not have permission to perform this action',
})
}
return next({
ctx: {
...ctx,
user: ctx.session.user,
},
})
})
// =============================================================================
// Mutation Audit Logging
// =============================================================================
/** Fields that must never appear in audit log input snapshots. */
const SENSITIVE_KEYS = new Set([
'password', 'passwordHash', 'currentPassword', 'newPassword', 'confirmPassword',
'token', 'secret', 'apiKey', 'accessKey', 'secretKey',
'creditCard', 'cvv', 'ssn',
])
/** Max depth / size for serialized input to avoid bloating the audit table. */
const MAX_INPUT_DEPTH = 4
const MAX_STRING_LENGTH = 500
const MAX_ARRAY_LENGTH = 20
/**
* Recursively sanitize an input object for safe storage in audit logs.
* - Strips sensitive fields (passwords, tokens, secrets)
* - Truncates long strings and arrays
* - Limits nesting depth
*/
function sanitizeInput(value: unknown, depth = 0): unknown {
if (depth > MAX_INPUT_DEPTH) return '[nested]'
if (value === null || value === undefined) return value
if (typeof value === 'boolean' || typeof value === 'number') return value
if (typeof value === 'string') {
return value.length > MAX_STRING_LENGTH
? value.slice(0, MAX_STRING_LENGTH) + '...'
: value
}
if (value instanceof Date) return value.toISOString()
if (Array.isArray(value)) {
const truncated = value.slice(0, MAX_ARRAY_LENGTH).map(v => sanitizeInput(v, depth + 1))
if (value.length > MAX_ARRAY_LENGTH) truncated.push(`[+${value.length - MAX_ARRAY_LENGTH} more]`)
return truncated
}
if (typeof value === 'object') {
const result: Record<string, unknown> = {}
for (const [key, val] of Object.entries(value as Record<string, unknown>)) {
if (SENSITIVE_KEYS.has(key)) {
result[key] = '[REDACTED]'
} else {
result[key] = sanitizeInput(val, depth + 1)
}
}
return result
}
return String(value)
}
/**
* Middleware that automatically logs all successful mutations for non-SUPER_ADMIN users.
* Captures: procedure path, sanitized input, user role, IP, user agent.
* Failures are silently caught — audit logging never breaks the calling operation.
*/
const withMutationAudit = middleware(async ({ ctx, next, path, type, getRawInput }) => {
const result = await next()
// Only log mutations, only on success
if (type !== 'mutation' || !result.ok) return result
// Must have an authenticated user
const user = ctx.session?.user
if (!user?.id) return result
// Skip SUPER_ADMIN — they have their own manual audit trail
if (user.role === 'SUPER_ADMIN') return result
try {
// Extract router name and procedure name from path (e.g., "evaluation.submit")
const dotIndex = path.indexOf('.')
const routerName = dotIndex > 0 ? path.slice(0, dotIndex) : path
const procedureName = dotIndex > 0 ? path.slice(dotIndex + 1) : path
// Convert procedure path to readable action (e.g., "evaluation.submit" → "EVALUATION_SUBMIT")
const action = path.replace(/\./g, '_').replace(/([a-z])([A-Z])/g, '$1_$2').toUpperCase()
// Get and sanitize the raw input
let sanitizedInput: unknown = undefined
try {
const rawInput = await getRawInput()
if (rawInput !== undefined) {
sanitizedInput = sanitizeInput(rawInput)
}
} catch {
// getRawInput can fail if input was already consumed; ignore
}
// Capitalize first letter of router name for entityType
const entityType = routerName.charAt(0).toUpperCase() + routerName.slice(1)
// Try to extract entityId from common input patterns
const inputObj = (typeof sanitizedInput === 'object' && sanitizedInput !== null)
? sanitizedInput as Record<string, unknown>
: undefined
const entityId = inputObj?.id ?? inputObj?.userId ?? inputObj?.projectId ??
inputObj?.roundId ?? inputObj?.competitionId ?? inputObj?.editionId ??
inputObj?.targetUserId ?? inputObj?.sessionId ?? inputObj?.awardId
await ctx.prisma.auditLog.create({
data: {
userId: user.id,
action,
entityType,
entityId: entityId ? String(entityId) : undefined,
detailsJson: {
procedure: path,
procedureName,
role: user.role,
roles: user.roles,
input: sanitizedInput,
} as Prisma.InputJsonValue,
ipAddress: ctx.ip,
userAgent: ctx.userAgent,
},
})
} catch (error) {
// Never break the calling operation on audit failure
console.error('[MutationAudit] Failed to log:', path, error)
}
return result
})
// =============================================================================
// Procedure Types
// =============================================================================
/**
* Protected procedure - requires authenticated user
* Mutations are automatically audit-logged for non-SUPER_ADMIN users.
*/
export const protectedProcedure = t.procedure.use(isAuthenticated).use(withMutationAudit)
/**
* Admin procedure - requires SUPER_ADMIN or PROGRAM_ADMIN role
* PROGRAM_ADMIN mutations are audit-logged; SUPER_ADMIN mutations are skipped.
*/
export const adminProcedure = t.procedure
.use(hasRole('SUPER_ADMIN', 'PROGRAM_ADMIN'))
.use(withMutationAudit)
/**
* Super admin procedure - requires SUPER_ADMIN role
* No automatic mutation audit (super admins have manual audit trail).
*/
export const superAdminProcedure = t.procedure.use(hasRole('SUPER_ADMIN'))
/**
* Jury procedure - requires JURY_MEMBER role
* All mutations are automatically audit-logged.
*/
export const juryProcedure = t.procedure.use(hasRole('JURY_MEMBER')).use(withMutationAudit)
/**
* Mentor procedure - requires MENTOR role (or admin)
* MENTOR and PROGRAM_ADMIN mutations are audit-logged.
*/
export const mentorProcedure = t.procedure
.use(hasRole('SUPER_ADMIN', 'PROGRAM_ADMIN', 'MENTOR'))
.use(withMutationAudit)
/**
* Observer procedure - requires OBSERVER role (read-only access)
* Mutations (if any) are audit-logged for OBSERVER and PROGRAM_ADMIN.
*/
export const observerProcedure = t.procedure
.use(hasRole('SUPER_ADMIN', 'PROGRAM_ADMIN', 'OBSERVER'))
.use(withMutationAudit)
/**
* Award master procedure - requires AWARD_MASTER role (or admin)
* AWARD_MASTER and PROGRAM_ADMIN mutations are audit-logged.
*/
export const awardMasterProcedure = t.procedure
.use(hasRole('SUPER_ADMIN', 'PROGRAM_ADMIN', 'AWARD_MASTER'))
.use(withMutationAudit)
/**
* Audience procedure - requires any authenticated user
* All mutations are automatically audit-logged.
*/
export const audienceProcedure = t.procedure.use(isAuthenticated).use(withMutationAudit)
Reference in New Issue View Git Blame Copy Permalink