Assist_Design/apps/bff/src/infra/audit/audit.service.ts

import { Injectable, Inject } from "@nestjs/common";
import { Prisma, AuditAction } from "@prisma/client";
import { PrismaService } from "../database/prisma.service.js";
import { extractErrorMessage } from "@bff/core/utils/error.util.js";
import { Logger } from "nestjs-pino";
import { extractClientIp, extractUserAgent } from "@bff/core/http/request-context.util.js";

// Re-export AuditAction from Prisma for consumers
export { AuditAction } from "@prisma/client";

export interface AuditLogData {
  userId?: string | undefined;
  action: AuditAction;
  resource?: string | undefined;
  details?: Record<string, unknown> | string | number | boolean | null | undefined;
  ipAddress?: string | undefined;
  userAgent?: string | undefined;
  success?: boolean | undefined;
  error?: string | undefined;
}

/**
 * Minimal request shape for audit logging.
 * Compatible with Express Request but only requires the fields needed for IP/UA extraction.
 * Must be compatible with RequestContextLike from request-context.util.ts.
 */
export type AuditRequest = {
  headers?: Record<string, string | string[] | undefined> | undefined;
  ip?: string | undefined;
  connection?: { remoteAddress?: string | undefined } | undefined;
  socket?: { remoteAddress?: string | undefined } | undefined;
};

@Injectable()
export class AuditService {
  constructor(
    private readonly prisma: PrismaService,
    @Inject(Logger) private readonly logger: Logger
  ) {}

  async log(data: AuditLogData): Promise<void> {
    try {
      const createData: Parameters<typeof this.prisma.auditLog.create>[0]["data"] = {
        action: data.action,
        success: data.success ?? true,
      };

      if (data.userId !== undefined) createData.userId = data.userId;
      if (data.resource !== undefined) createData.resource = data.resource;
      if (data.ipAddress !== undefined) createData.ipAddress = data.ipAddress;
      if (data.userAgent !== undefined) createData.userAgent = data.userAgent;
      if (data.error !== undefined) createData.error = data.error;
      if (data.details !== undefined) {
        createData.details =
          data.details === null
            ? Prisma.JsonNull
            : (JSON.parse(JSON.stringify(data.details)) as Prisma.InputJsonValue);
      }

      await this.prisma.auditLog.create({ data: createData });
    } catch (error) {
      this.logger.error("Audit logging failed", {
        errorType: error instanceof Error ? error.constructor.name : "Unknown",
        message: extractErrorMessage(error),
      });
    }
  }

  async logAuthEvent(
    action: AuditAction,
    userId?: string,
    details?: Record<string, unknown> | string | number | boolean | null,
    request?: AuditRequest,
    success: boolean = true,
    error?: string
  ): Promise<void> {
    const ipAddress = extractClientIp(request);
    const userAgent = extractUserAgent(request);

    await this.log({
      userId,
      action,
      resource: "auth",
      details,
      ipAddress,
      userAgent,
      success,
      error,
    });
  }

  async getAuditLogs({
    page,
    limit,
    action,
    userId,
  }: {
    page: number;
    limit: number;
    action?: AuditAction;
    userId?: string;
  }) {
    const skip = (page - 1) * limit;
    const where: Prisma.AuditLogWhereInput = {};
    if (action) where.action = action;
    if (userId) where.userId = userId;

    const [logs, total] = await Promise.all([
      this.prisma.auditLog.findMany({
        where,
        include: {
          user: {
            select: {
              id: true,
              email: true,
            },
          },
        },
        orderBy: { createdAt: "desc" },
        skip,
        take: limit,
      }),
      this.prisma.auditLog.count({ where }),
    ]);

    return { logs, total };
  }

  async getSecurityStats() {
    const today = new Date(new Date().setHours(0, 0, 0, 0));

    const [totalUsers, lockedAccounts, failedLoginsToday, successfulLoginsToday] =
      await Promise.all([
        this.prisma.user.count(),
        this.prisma.user.count({
          where: {
            lockedUntil: {
              gt: new Date(),
            },
          },
        }),
        this.prisma.auditLog.count({
          where: {
            action: AuditAction.LOGIN_FAILED,
            createdAt: {
              gte: today,
            },
          },
        }),
        this.prisma.auditLog.count({
          where: {
            action: AuditAction.LOGIN_SUCCESS,
            createdAt: {
              gte: today,
            },
          },
        }),
      ]);

    return {
      totalUsers,
      lockedAccounts,
      failedLoginsToday,
      successfulLoginsToday,
      securityEventsToday: failedLoginsToday + successfulLoginsToday,
    };
  }
}
clean up 2025-08-22 17:02:49 +09:00			`import { Injectable, Inject } from "@nestjs/common";`
fix: resolve BFF TypeScript errors and improve mobile UX BFF fixes: - Fix pino-http type import by using Params from nestjs-pino - Use Prisma-generated AuditAction enum instead of local duplicate - Add null check for sfAccountId in mapping mapper Portal mobile UX improvements: - DataTable: Add responsive card view for mobile with stacked layout - Header: Increase touch targets to 44px minimum, better spacing - PageLayout: Optimize padding and make breadcrumbs scrollable - PublicShell: Add iOS safe area support, slide animation, language switcher and sign-in button visible in mobile header Also removes "Trusted by Leading Companies" section from AboutUsView. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-04 18:23:58 +09:00			`import { Prisma, AuditAction } from "@prisma/client";`
Update TypeScript configurations, improve module imports, and clean up Dockerfiles - Adjusted TypeScript settings in tsconfig files for better alignment with ESNext standards. - Updated pnpm-lock.yaml to reflect dependency changes and improve package management. - Cleaned up Dockerfiles for both BFF and Portal applications to enhance build processes. - Modified import statements across various modules to include file extensions for consistency. - Removed outdated SHA256 files for backend and frontend tarballs to streamline project structure. - Enhanced health check mechanisms in Dockerfiles for improved application startup reliability. 2025-12-10 16:08:34 +09:00			`import { PrismaService } from "../database/prisma.service.js";`
Enhance Error Handling and Logging Consistency Across Services - Replaced instances of `getErrorMessage` with `extractErrorMessage` in various services to ensure consistent error handling and improve clarity in logging. - Updated error logging in the Whmcs, Salesforce, and subscription services to utilize the new error extraction method, enhancing maintainability and debugging capabilities. - Adjusted ESLint configuration to prevent the use of `console.log` in production code, promoting the use of a centralized logging solution. - Refactored error handling in the Agentforce widget and other components to align with the updated logging practices, ensuring a consistent approach to error management across the application. - Cleaned up unused imports and optimized code structure for better maintainability. 2025-12-29 15:07:11 +09:00			`import { extractErrorMessage } from "@bff/core/utils/error.util.js";`
clean up 2025-08-22 17:02:49 +09:00			`import { Logger } from "nestjs-pino";`
Enhance Error Handling and Logging Consistency Across Services - Replaced instances of `getErrorMessage` with `extractErrorMessage` in various services to ensure consistent error handling and improve clarity in logging. - Updated error logging in the Whmcs, Salesforce, and subscription services to utilize the new error extraction method, enhancing maintainability and debugging capabilities. - Adjusted ESLint configuration to prevent the use of `console.log` in production code, promoting the use of a centralized logging solution. - Refactored error handling in the Agentforce widget and other components to align with the updated logging practices, ensuring a consistent approach to error management across the application. - Cleaned up unused imports and optimized code structure for better maintainability. 2025-12-29 15:07:11 +09:00			`import { extractClientIp, extractUserAgent } from "@bff/core/http/request-context.util.js";`
Initial Customer Portal setup - production ready 2025-08-20 18:02:50 +09:00
fix: resolve BFF TypeScript errors and improve mobile UX BFF fixes: - Fix pino-http type import by using Params from nestjs-pino - Use Prisma-generated AuditAction enum instead of local duplicate - Add null check for sfAccountId in mapping mapper Portal mobile UX improvements: - DataTable: Add responsive card view for mobile with stacked layout - Header: Increase touch targets to 44px minimum, better spacing - PageLayout: Optimize padding and make breadcrumbs scrollable - PublicShell: Add iOS safe area support, slide animation, language switcher and sign-in button visible in mobile header Also removes "Trusted by Leading Companies" section from AboutUsView. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-04 18:23:58 +09:00			`// Re-export AuditAction from Prisma for consumers`
			`export { AuditAction } from "@prisma/client";`
Initial Customer Portal setup - production ready 2025-08-20 18:02:50 +09:00
			`export interface AuditLogData {`
feat: add eligibility check flow with form, OTP, and success steps - Implemented FormStep component for user input (name, email, address). - Created OtpStep component for OTP verification. - Developed SuccessStep component to display success messages based on account creation. - Introduced eligibility-check.store for managing state throughout the eligibility check process. - Added commitlint configuration for standardized commit messages. - Configured knip for workspace management and project structure. 2026-01-15 11:28:25 +09:00			`userId?: string \| undefined;`
Initial Customer Portal setup - production ready 2025-08-20 18:02:50 +09:00			`action: AuditAction;`
feat: add eligibility check flow with form, OTP, and success steps - Implemented FormStep component for user input (name, email, address). - Created OtpStep component for OTP verification. - Developed SuccessStep component to display success messages based on account creation. - Introduced eligibility-check.store for managing state throughout the eligibility check process. - Added commitlint configuration for standardized commit messages. - Configured knip for workspace management and project structure. 2026-01-15 11:28:25 +09:00			`resource?: string \| undefined;`
			`details?: Record<string, unknown> \| string \| number \| boolean \| null \| undefined;`
			`ipAddress?: string \| undefined;`
			`userAgent?: string \| undefined;`
			`success?: boolean \| undefined;`
			`error?: string \| undefined;`
Initial Customer Portal setup - production ready 2025-08-20 18:02:50 +09:00			`}`

feat: add eligibility check flow with form, OTP, and success steps - Implemented FormStep component for user input (name, email, address). - Created OtpStep component for OTP verification. - Developed SuccessStep component to display success messages based on account creation. - Introduced eligibility-check.store for managing state throughout the eligibility check process. - Added commitlint configuration for standardized commit messages. - Configured knip for workspace management and project structure. 2026-01-15 11:28:25 +09:00			`/**`
			`* Minimal request shape for audit logging.`
			`* Compatible with Express Request but only requires the fields needed for IP/UA extraction.`
			`* Must be compatible with RequestContextLike from request-context.util.ts.`
			`*/`
			`export type AuditRequest = {`
			`headers?: Record<string, string \| string[] \| undefined> \| undefined;`
			`ip?: string \| undefined;`
			`connection?: { remoteAddress?: string \| undefined } \| undefined;`
			`socket?: { remoteAddress?: string \| undefined } \| undefined;`
			`};`

Initial Customer Portal setup - production ready 2025-08-20 18:02:50 +09:00			`@Injectable()`
			`export class AuditService {`
clean up 2025-08-22 17:02:49 +09:00			`constructor(`
			`private readonly prisma: PrismaService,`
			`@Inject(Logger) private readonly logger: Logger`
			`) {}`
Initial Customer Portal setup - production ready 2025-08-20 18:02:50 +09:00
			`async log(data: AuditLogData): Promise<void> {`
			`try {`
feat: add eligibility check flow with form, OTP, and success steps - Implemented FormStep component for user input (name, email, address). - Created OtpStep component for OTP verification. - Developed SuccessStep component to display success messages based on account creation. - Introduced eligibility-check.store for managing state throughout the eligibility check process. - Added commitlint configuration for standardized commit messages. - Configured knip for workspace management and project structure. 2026-01-15 11:28:25 +09:00			`const createData: Parameters<typeof this.prisma.auditLog.create>[0]["data"] = {`
			`action: data.action,`
			`success: data.success ?? true,`
			`};`

			`if (data.userId !== undefined) createData.userId = data.userId;`
			`if (data.resource !== undefined) createData.resource = data.resource;`
			`if (data.ipAddress !== undefined) createData.ipAddress = data.ipAddress;`
			`if (data.userAgent !== undefined) createData.userAgent = data.userAgent;`
			`if (data.error !== undefined) createData.error = data.error;`
			`if (data.details !== undefined) {`
			`createData.details =`
			`data.details === null`
			`? Prisma.JsonNull`
			`: (JSON.parse(JSON.stringify(data.details)) as Prisma.InputJsonValue);`
			`}`

			`await this.prisma.auditLog.create({ data: createData });`
Initial Customer Portal setup - production ready 2025-08-20 18:02:50 +09:00			`} catch (error) {`
clean up 2025-08-22 17:02:49 +09:00			`this.logger.error("Audit logging failed", {`
			`errorType: error instanceof Error ? error.constructor.name : "Unknown",`
Enhance Error Handling and Logging Consistency Across Services - Replaced instances of `getErrorMessage` with `extractErrorMessage` in various services to ensure consistent error handling and improve clarity in logging. - Updated error logging in the Whmcs, Salesforce, and subscription services to utilize the new error extraction method, enhancing maintainability and debugging capabilities. - Adjusted ESLint configuration to prevent the use of `console.log` in production code, promoting the use of a centralized logging solution. - Refactored error handling in the Agentforce widget and other components to align with the updated logging practices, ensuring a consistent approach to error management across the application. - Cleaned up unused imports and optimized code structure for better maintainability. 2025-12-29 15:07:11 +09:00			`message: extractErrorMessage(error),`
clean up 2025-08-22 17:02:49 +09:00			`});`
Initial Customer Portal setup - production ready 2025-08-20 18:02:50 +09:00			`}`
			`}`

			`async logAuthEvent(`
			`action: AuditAction,`
			`userId?: string,`
order fix 2025-08-27 10:54:05 +09:00			`details?: Record<string, unknown> \| string \| number \| boolean \| null,`
feat: add eligibility check flow with form, OTP, and success steps - Implemented FormStep component for user input (name, email, address). - Created OtpStep component for OTP verification. - Developed SuccessStep component to display success messages based on account creation. - Introduced eligibility-check.store for managing state throughout the eligibility check process. - Added commitlint configuration for standardized commit messages. - Configured knip for workspace management and project structure. 2026-01-15 11:28:25 +09:00			`request?: AuditRequest,`
Initial Customer Portal setup - production ready 2025-08-20 18:02:50 +09:00			`success: boolean = true,`
clean up 2025-08-22 17:02:49 +09:00			`error?: string`
Initial Customer Portal setup - production ready 2025-08-20 18:02:50 +09:00			`): Promise<void> {`
Enhance Error Handling and Logging Consistency Across Services - Replaced instances of `getErrorMessage` with `extractErrorMessage` in various services to ensure consistent error handling and improve clarity in logging. - Updated error logging in the Whmcs, Salesforce, and subscription services to utilize the new error extraction method, enhancing maintainability and debugging capabilities. - Adjusted ESLint configuration to prevent the use of `console.log` in production code, promoting the use of a centralized logging solution. - Refactored error handling in the Agentforce widget and other components to align with the updated logging practices, ensuring a consistent approach to error management across the application. - Cleaned up unused imports and optimized code structure for better maintainability. 2025-12-29 15:07:11 +09:00			`const ipAddress = extractClientIp(request);`
			`const userAgent = extractUserAgent(request);`
Initial Customer Portal setup - production ready 2025-08-20 18:02:50 +09:00
			`await this.log({`
			`userId,`
			`action,`
structure changes 2025-08-21 15:24:40 +09:00			`resource: "auth",`
Initial Customer Portal setup - production ready 2025-08-20 18:02:50 +09:00			`details,`
			`ipAddress,`
			`userAgent,`
			`success,`
			`error,`
			`});`
			`}`

Refactor AuditService and AuthAdminController to streamline audit log retrieval and security statistics. Introduce new methods in AuditService for fetching audit logs and security stats, and update AuthAdminController to utilize these methods. Remove redundant code and improve error handling in InvoicesService. Clean up unused DTOs and API routes in the portal. Enhance query keys for better organization in billing and catalog features. 2025-09-18 17:49:43 +09:00			`async getAuditLogs({`
			`page,`
			`limit,`
			`action,`
			`userId,`
			`}: {`
			`page: number;`
			`limit: number;`
			`action?: AuditAction;`
			`userId?: string;`
			`}) {`
			`const skip = (page - 1) * limit;`
			`const where: Prisma.AuditLogWhereInput = {};`
			`if (action) where.action = action;`
			`if (userId) where.userId = userId;`

			`const [logs, total] = await Promise.all([`
			`this.prisma.auditLog.findMany({`
			`where,`
			`include: {`
			`user: {`
			`select: {`
			`id: true,`
			`email: true,`
			`},`
			`},`
			`},`
			`orderBy: { createdAt: "desc" },`
			`skip,`
			`take: limit,`
			`}),`
			`this.prisma.auditLog.count({ where }),`
			`]);`

			`return { logs, total };`
			`}`

			`async getSecurityStats() {`
			`const today = new Date(new Date().setHours(0, 0, 0, 0));`

			`const [totalUsers, lockedAccounts, failedLoginsToday, successfulLoginsToday] =`
			`await Promise.all([`
			`this.prisma.user.count(),`
			`this.prisma.user.count({`
			`where: {`
			`lockedUntil: {`
			`gt: new Date(),`
			`},`
			`},`
			`}),`
			`this.prisma.auditLog.count({`
			`where: {`
			`action: AuditAction.LOGIN_FAILED,`
			`createdAt: {`
			`gte: today,`
			`},`
			`},`
			`}),`
			`this.prisma.auditLog.count({`
			`where: {`
			`action: AuditAction.LOGIN_SUCCESS,`
			`createdAt: {`
			`gte: today,`
			`},`
			`},`
			`}),`
			`]);`

			`return {`
			`totalUsers,`
			`lockedAccounts,`
			`failedLoginsToday,`
			`successfulLoginsToday,`
			`securityEventsToday: failedLoginsToday + successfulLoginsToday,`
			`};`
			`}`
			`}`