wip api to fetch audits

Author: msukkari

packages/db/prisma/migrations/20250613223529_add_audit_table/migration.sql renamed to packages/db/prisma/migrations/20250617031335_add_audit_table/migration.sql

@@ -9,9 +9,13 @@ CREATE TABLE "Audit" (
     "targetType" TEXT NOT NULL,
     "sourcebotVersion" TEXT NOT NULL,
     "metadata" JSONB,
+    "orgId" INTEGER NOT NULL,
 
     CONSTRAINT "Audit_pkey" PRIMARY KEY ("id")
 );
 
 -- CreateIndex
-CREATE INDEX "Audit_actorId_actorType_targetId_targetType_idx" ON "Audit"("actorId", "actorType", "targetId", "targetType");
+CREATE INDEX "Audit_actorId_actorType_targetId_targetType_orgId_idx" ON "Audit"("actorId", "actorType", "targetId", "targetType", "orgId");
+
+-- AddForeignKey
+ALTER TABLE "Audit" ADD CONSTRAINT "Audit_orgId_fkey" FOREIGN KEY ("orgId") REFERENCES "Org"("id") ON DELETE CASCADE ON UPDATE CASCADE;

packages/db/prisma/schema.prisma

@@ -172,6 +172,8 @@ model Org {
   /// List of pending invites to this organization
   invites Invite[]
 
+  audits Audit[]
+
   accountRequests AccountRequest[]
 
   searchContexts SearchContext[]
@@ -239,7 +241,10 @@ model Audit {
   sourcebotVersion String
   metadata Json?
 
-  @@index([actorId, actorType, targetId, targetType])
+  org   Org @relation(fields: [orgId], references: [id], onDelete: Cascade)
+  orgId Int
+
+  @@index([actorId, actorType, targetId, targetType, orgId])
 }
 
 // @see : https://authjs.dev/concepts/database-models#user

packages/web/src/actions.ts

@@ -473,6 +473,7 @@ export const createApiKey = async (name: string, domain: string): Promise<{ key:
                         id: org.id.toString(),
                         type: "org"
                     },
+                    orgId: org.id,
                     metadata: {
                         message: `API key ${name} already exists`,
                         api_key: name
@@ -505,6 +506,7 @@ export const createApiKey = async (name: string, domain: string): Promise<{ key:
                     id: apiKey.hash,
                     type: "api_key"
                 },
+                orgId: org.id,
                 metadata: {
                     api_key: name
                 }
@@ -517,7 +519,7 @@ export const createApiKey = async (name: string, domain: string): Promise<{ key:
 
 export const deleteApiKey = async (name: string, domain: string): Promise<{ success: boolean } | ServiceError> => sew(() =>
     withAuth((userId) =>
-        withOrgMembership(userId, domain, async () => {
+        withOrgMembership(userId, domain, async ({ org }) => {
             const apiKey = await prisma.apiKey.findFirst({
                 where: {
                     name,
@@ -536,6 +538,7 @@ export const deleteApiKey = async (name: string, domain: string): Promise<{ succ
                         id: domain,
                         type: "org"
                     },
+                    orgId: org.id,
                     metadata: {
                         message: `API key ${name} not found for user ${userId}`,
                         api_key: name
@@ -564,6 +567,7 @@ export const deleteApiKey = async (name: string, domain: string): Promise<{ succ
                     id: apiKey.hash,
                     type: "api_key"
                 },
+                orgId: org.id,
                 metadata: {
                     api_key: name
                 }
@@ -978,6 +982,7 @@ export const createInvites = async (emails: string[], domain: string): Promise<{
                         id: org.id.toString(),
                         type: "org"
                     },
+                    orgId: org.id,
                     metadata: {
                         message: error,
                         emails: emails.join(", ")
@@ -1001,6 +1006,7 @@ export const createInvites = async (emails: string[], domain: string): Promise<{
                         id: org.id.toString(),
                         type: "org"
                     },
+                    orgId: org.id,
                     metadata: {
                         message: "Organization has reached maximum number of seats",
                         emails: emails.join(", ")
@@ -1130,6 +1136,7 @@ export const createInvites = async (emails: string[], domain: string): Promise<{
                     id: org.id.toString(),
                     type: "org"
                 },
+                orgId: org.id,
                 metadata: {
                     emails: emails.join(", ")
                 }
@@ -1206,6 +1213,19 @@ export const redeemInvite = async (inviteId: string): Promise<{ success: boolean
             return user;
         }
 
+        const invite = await prisma.invite.findUnique({
+            where: {
+                id: inviteId,
+            },
+            include: {
+                org: true,
+            }
+        });
+
+        if (!invite) {
+            return notFound();
+        }
+
         const failAuditCallback = async (error: string) => {
             await auditService.createAudit({
                 action: "user.invite_accept_failed",
@@ -1217,23 +1237,13 @@ export const redeemInvite = async (inviteId: string): Promise<{ success: boolean
                     id: inviteId,
                     type: "invite"
                 },
+                orgId: invite.org.id,
                 metadata: {
                     message: error
                 }
             });
         }
-        const invite = await prisma.invite.findUnique({
-            where: {
-                id: inviteId,
-            },
-            include: {
-                org: true,
-            }
-        });
 
-        if (!invite) {
-            return notFound();
-        }
 
         const hasAvailability = await orgHasAvailability(invite.org.domain);
         if (!hasAvailability) {
@@ -1293,6 +1303,7 @@ export const redeemInvite = async (inviteId: string): Promise<{ success: boolean
                         id: user.id,
                         type: "user"
                     },
+                    orgId: invite.org.id,
                     target: {
                         id: accountRequest.id,
                         type: "account_join_request"
@@ -1325,6 +1336,7 @@ export const redeemInvite = async (inviteId: string): Promise<{ success: boolean
                 id: user.id,
                 type: "user"
             },
+            orgId: invite.org.id,
             target: {
                 id: inviteId,
                 type: "invite"
@@ -1394,6 +1406,7 @@ export const transferOwnership = async (newOwnerId: string, domain: string): Pro
                         id: org.id.toString(),
                         type: "org"
                     },
+                    orgId: org.id,
                     metadata: {
                         message: error
                     }
@@ -1461,6 +1474,7 @@ export const transferOwnership = async (newOwnerId: string, domain: string): Pro
                     id: org.id.toString(),
                     type: "org"
                 },
+                orgId: org.id,
                 metadata: {
                     message: `Ownership transferred from ${currentUserId} to ${newOwnerId}`
                 }
@@ -1780,6 +1794,7 @@ export const approveAccountRequest = async (requestId: string, domain: string) =
                         id: requestId,
                         type: "account_join_request"
                     },
+                    orgId: org.id,
                     metadata: {
                         message: error,
                     }
@@ -1894,6 +1909,7 @@ export const approveAccountRequest = async (requestId: string, domain: string) =
                     id: userId,
                     type: "user"
                 },
+                orgId: org.id,
                 target: {
                     id: requestId,
                     type: "account_join_request"
@@ -1930,6 +1946,7 @@ export const rejectAccountRequest = async (requestId: string, domain: string) =>
                     id: userId,
                     type: "user"
                 },
+                orgId: org.id,
                 target: {
                     id: requestId,
                     type: "account_join_request"

packages/web/src/app/api/(server)/ee/audit/route.ts

@@ -0,0 +1,27 @@
+'use server';
+
+import { NextRequest } from "next/server";
+import { fetchAuditRecords } from "@/ee/features/audit/utils";
+import { isServiceError } from "@/lib/utils";
+import { serviceErrorResponse } from "@/lib/serviceError";
+import { StatusCodes } from "http-status-codes";
+import { ErrorCode } from "@/lib/errorCodes";
+
+export const GET = async (request: NextRequest) => {
+  const domain = request.headers.get("X-Org-Domain");
+  const apiKey = request.headers.get("X-Sourcebot-Api-Key") ?? undefined;
+
+  if (!domain) {
+    return serviceErrorResponse({
+      statusCode: StatusCodes.BAD_REQUEST,
+      errorCode: ErrorCode.MISSING_ORG_DOMAIN_HEADER,
+      message: "Missing X-Org-Domain header",
+    });
+  } 
+  
+  const result = await fetchAuditRecords(domain, apiKey);
+  if (isServiceError(result)) {
+    return serviceErrorResponse(result);
+  }
+  return Response.json(result);
+}; 

packages/web/src/auth.ts

@@ -17,6 +17,7 @@ import { getSSOProviders } from '@/ee/features/sso/sso';
 import { hasEntitlement } from '@/features/entitlements/server';
 import { onCreateUser } from '@/lib/authUtils';
 import { getAuditService } from '@/ee/features/audit/factory';
+import { SINGLE_TENANT_ORG_ID } from './lib/constants';
 
 const auditService = getAuditService();
 
@@ -148,6 +149,7 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
                         id: user.id,
                         type: "user"
                     },
+                    orgId: SINGLE_TENANT_ORG_ID, // TODO(mt)
                     target: {
                         id: user.id,
                         type: "user"
@@ -164,6 +166,7 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
                         id: token.token.userId,
                         type: "user"
                     },
+                    orgId: SINGLE_TENANT_ORG_ID, // TODO(mt)
                     target: {
                         id: token.token.userId,
                         type: "user"

packages/web/src/ee/features/audit/auditService.ts

@@ -14,6 +14,7 @@ export class AuditService implements IAuditService {
         targetType: event.target.type,
         sourcebotVersion,
         metadata: event.metadata,
+        orgId: event.orgId,
       },
     });
 

packages/web/src/ee/features/audit/types.ts

@@ -26,6 +26,7 @@ export const auditEventSchema = z.object({
   actor: auditActorSchema,
   target: auditTargetSchema,
   sourcebotVersion: z.string(),
+  orgId: z.number(),
   metadata: auditMetadataSchema.optional()
 })
 export type AuditEvent = z.infer<typeof auditEventSchema>;

packages/web/src/ee/features/audit/utils.ts

@@ -0,0 +1,31 @@
+import { prisma } from "@/prisma";
+import { serviceErrorResponse } from "@/lib/serviceError";
+import { ErrorCode } from "@/lib/errorCodes";
+import { StatusCodes } from "http-status-codes";
+import { sew, withAuth, withOrgMembership } from "@/actions";
+import { OrgRole } from "@sourcebot/db";
+
+export const fetchAuditRecords = async (domain: string, apiKey: string | undefined = undefined) => sew(() =>
+  withAuth((userId) =>
+    withOrgMembership(userId, domain, async ({ org }) => {
+      try {
+        const auditRecords = await prisma.audit.findMany({
+          where: {
+            orgId: org.id,
+          },
+          orderBy: {
+            timestamp: 'desc'
+          }
+        });
+
+        return auditRecords;
+      } catch (error) {
+        console.error('Error fetching audit logs:', error);
+        return serviceErrorResponse({
+          statusCode: StatusCodes.INTERNAL_SERVER_ERROR,
+          errorCode: ErrorCode.UNEXPECTED_ERROR,
+          message: "Failed to fetch audit logs",
+        });
+      }
+    }, /* minRequiredRole = */ OrgRole.OWNER), /* allowSingleTenantUnauthedAccess = */ true, apiKey ? { apiKey, domain } : undefined)
+);

packages/web/src/features/search/fileSourceApi.ts

@@ -16,7 +16,7 @@ const auditService = getAuditService();
 
 export const getFileSource = async ({ fileName, repository, branch }: FileSourceRequest, domain: string, apiKey: string | undefined = undefined): Promise<FileSourceResponse | ServiceError> => sew(() =>
     withAuth((userId) =>
-        withOrgMembership(userId, domain, async () => {
+        withOrgMembership(userId, domain, async ({ org }) => {
             const escapedFileName = escapeStringRegexp(fileName);
             const escapedRepository = escapeStringRegexp(repository);
 
@@ -51,6 +51,7 @@ export const getFileSource = async ({ fileName, repository, branch }: FileSource
                     id: apiKey ? apiKey : userId,
                     type: apiKey ? "api_key" : "user"
                 },
+                orgId: org.id,
                 target: {
                     id: `${escapedRepository}/${escapedFileName}${branch ? `:${branch}` : ''}`,
                     type: "file"

packages/web/src/features/search/listReposApi.ts

@@ -57,6 +57,7 @@ export const listRepositories = async (domain: string, apiKey: string | undefine
                     id: org.id.toString(),
                     type: "org"
                 },
+                orgId: org.id,
                 metadata: {
                     message: result.repos.map((repo) => repo.name).join(", ")
                 }