geolba/tethys.backend
geolba/tethys.backend
2
0
Fork 2
Code Issues Pull requests Projects Releases 3 Packages Wiki Activity Actions

feat: implement activity logging for user actions and create activities table
All checks were successful
Gitea Actions Demo / Explore-Gitea-Actions (push) Successful in 44s
Details

Browse source
This commit is contained in:
Kaimbacher 2026-06-24 15:03:17 +02:00
commit 7e2f320b4f
12 changed files with 420 additions and 160 deletions
Download patch file Download diff file Expand all files Collapse all files

153
app/Controllers/Http/Auth/AuthController.ts
View file

@ -1,100 +1,68 @@
import type { HttpContext } from '@adonisjs/core/http';
import User from '#models/user';
import BackupCode from '#models/backup_code';
// import Hash from '@ioc:Adonis/Core/Hash';
// import InvalidCredentialException from 'App/Exceptions/InvalidCredentialException';
import { authValidator } from '#validators/auth';
import hash from '@adonisjs/core/services/hash';
import db from '@adonisjs/lucid/services/db';
import TwoFactorAuthProvider from '#app/services/TwoFactorAuthProvider';
// import { Authenticator } from '@adonisjs/auth';
// import { LoginState } from 'Contracts/enums';
// import { StatusCodes } from 'http-status-codes';
import ActivityLogger from '#services/activity_logger';
import logger from '@adonisjs/core/services/logger';
// interface MyHttpsContext extends HttpContext {
// auth: Authenticator<User>
// }
export default class AuthController {
// login function{ request, auth, response }:HttpContext
public async login({ request, response, auth, session }: HttpContext) {
// console.log({
// registerBody: request.body(),
// });
// await request.validate(AuthValidator);
await request.validateUsing(authValidator);
// const plainPassword = await request.input('password');
// const email = await request.input('email');
// grab uid and password values off request body
const { email, password } = request.only(['email', 'password']);
try {
await db.connection().rawQuery('SELECT 1')
// // attempt to verify credential and login user
// await auth.use('web').attempt(email, plainPassword);
await db.connection().rawQuery('SELECT 1');
// const user = await auth.use('web').verifyCredentials(email, password);
const user = await User.verifyCredentials(email, password);
if (user.isTwoFactorEnabled) {
// session.put("login.id", user.id);
// return view.render("pages/two-factor-challenge");
// Noch KEIN abgeschlossenes Login -> nicht loggen.
session.flash('user_id', user.id);
return response.redirect().back();
// let state = LoginState.STATE_VALIDATED;
// return response.status(StatusCodes.OK).json({
// state: state,
// new_user_id: user.id,
// });
}
await auth.use('web').login(user);
} catch (error) {
this.recordAuthEvent('auth.login', { user, ip: request.ip() });
} catch (error: any) {
// DB nicht erreichbar -> kein fehlgeschlagener Login-Versuch, weiterwerfen
if (error.code === 'ECONNREFUSED') {
throw error
throw error;
}
// if login fails, return vague form message and redirect back
// Echter Credential-Fehler -> als fehlgeschlagenen Versuch protokollieren
this.recordAuthEvent('auth.login_failed', { email, ip: request.ip() });
session.flash('message', 'Your username, email, or password is incorrect');
return response.redirect().back();
}
// otherwise, redirect todashboard
response.redirect('/apps/dashboard');
return response.redirect('/apps/dashboard');
}
public async twoFactorChallenge({ request, session, auth, response }: HttpContext) {
const { code, backup_code, login_id } = request.only(['code', 'backup_code', 'login_id']);
const { code, backup_code, login_id } = request.only(['code', 'backup_code', 'login_id']);
const user = await User.query().where('id', login_id).firstOrFail();
if (code) {
const isValid = await TwoFactorAuthProvider.validate(user, code);
if (isValid) {
// login user and redirect to dashboard
await auth.use('web').login(user);
response.redirect('/apps/dashboard');
} else {
session.flash('message', 'Your two-factor code is incorrect');
return response.redirect().back();
this.recordAuthEvent('auth.login', { user, email: user.email, ip: request.ip(), method: '2fa_totp' });
return response.redirect('/apps/dashboard');
}
} else if (backup_code) {
const codes: BackupCode[] = await user.getBackupCodes();
// const verifiedBackupCodes = await Promise.all(
// codes.map(async (backupCode) => {
// let isVerified = await hash.verify(backupCode.code, backup_code);
// if (isVerified) {
// return backupCode;
// }
// }),
// );
// const backupCodeToDelete = verifiedBackupCodes.find(Boolean);
let backupCodeToDelete = null;
session.flash('message', 'Your two-factor code is incorrect');
return response.redirect().back();
}
if (backup_code) {
const codes: BackupCode[] = await user.getBackupCodes();
let backupCodeToDelete: BackupCode | null = null;
for (const backupCode of codes) {
const isVerified = await hash.verify(backupCode.code, backup_code);
if (isVerified) {
@ -103,29 +71,68 @@ export default class AuthController {
}
}
if (backupCodeToDelete) {
if (backupCodeToDelete.used === false) {
backupCodeToDelete.used = true;
await backupCodeToDelete.save();
console.log(`BackupCode with id ${backupCodeToDelete.id} has been marked as used.`);
await auth.use('web').login(user);
response.redirect('/apps/dashboard');
} else {
session.flash('message', 'BackupCode already used');
return response.redirect().back();
}
} else {
if (!backupCodeToDelete) {
session.flash('message', 'BackupCode not found');
return response.redirect().back();
}
}
if (backupCodeToDelete.used) {
session.flash('message', 'BackupCode already used');
return response.redirect().back();
}
backupCodeToDelete.used = true;
await backupCodeToDelete.save();
await auth.use('web').login(user);
this.recordAuthEvent('auth.login', { user, email: user.email, ip: request.ip(), method: '2fa_backup_code' });
return response.redirect('/apps/dashboard');
}
// Weder code noch backup_code übergeben
session.flash('message', 'No verification code provided');
return response.redirect().back();
}
// logout function
public async logout({ auth, response }: HttpContext) {
// await auth.logout();
public async logout({ auth, request, response }: HttpContext) {
// Session auflösen -> füllt auth.user, falls eingeloggt
await auth.use('web').check();
const user = auth.use('web').user;
await auth.use('web').logout();
if (user) {
this.recordAuthEvent('auth.logout', { user, email: user.email, ip: request.ip() });
}
return response.redirect('/app/login');
// return response.status(200);
}
/**
* Zentraler Audit-Logger für Auth-Events.
* Fire-and-forget: ein Fehler beim Schreiben darf Login/Logout nie blockieren.
*/
private recordAuthEvent(
type: 'auth.login' | 'auth.logout' | 'auth.login_failed',
opts: { user?: User; email?: string; ip: string; method?: string },
) {
const { user, email, ip, method } = opts;
const description =
type === 'auth.login'
? `${user!.firstName} ${user!.lastName} signed in`
: type === 'auth.logout'
? `${user!.firstName} ${user!.lastName} signed out`
: `Failed login attempt for ${email ?? 'unknown'}`;
void ActivityLogger.log({
type,
description,
userId: user?.id ?? null,
subjectType: user ? 'User' : null,
subjectId: user?.id ?? null,
properties: { ip, ...(method ? { method } : {}) },
}).catch((err) => logger.error({ err }, `failed to record ${type} activity`));
}
}

37
app/Controllers/Http/Submitter/DatasetController.ts
View file

@ -40,6 +40,8 @@ import type { Multipart } from '@adonisjs/bodyparser';
import * as fs from 'fs';
import { parseBytesSize, getConfigFor, getTmpPath, formatBytes, errorMessage } from '#app/utils/utility-functions';
import validation from '#services/validation_service';
import ActivityLogger from '#services/activity_logger';
import logger from '@adonisjs/core/services/logger';
interface Dictionary {
[index: string]: string;
@ -469,9 +471,7 @@ export default class DatasetController {
console.error('Error cleaning up temporary file:', cleanupError);
}
});
request.multipart.abort(
validation.make('files', `Upload limit of ${formatBytes(aggregatedLimit)} exceeded.`, 'limit')
);
request.multipart.abort(validation.make('files', `Upload limit of ${formatBytes(aggregatedLimit)} exceeded.`, 'limit'));
}
});
@ -513,10 +513,21 @@ export default class DatasetController {
trx = await db.transaction();
const user = (await User.find(auth.user?.id)) as User;
await this.createDatasetAndAssociations(user, request, trx);
// await this.createDatasetAndAssociations(user, request, trx);
const { dataset, mainTitle } = await this.createDatasetAndAssociations(user, request, trx);
await trx.commit();
console.log('Dataset and related models created successfully');
// NACH dem Commit: Dataset ist garantiert persistiert, keine Waisen-Gefahr.
// Fire-and-forget, damit ein Log-Fehler den bereits erfolgreichen Upload nicht kippt.
void ActivityLogger.log({
type: 'dataset.uploaded',
description: `New publication uploaded: ${mainTitle ?? 'Untitled'}`,
userId: user.id,
subjectType: 'Dataset',
subjectId: dataset.id,
}).catch((err) => logger.error({ err }, 'failed to record dataset.uploaded activity'));
} catch (error) {
// Clean up temporary files if validation or later steps fail
uploadedTmpFiles.forEach((tmpPath) => {
@ -564,6 +575,15 @@ export default class DatasetController {
await this.savePersons(dataset, request.input('contributors', []), 'contributor', trx);
//save main and additional titles
// const titles = request.input('titles', []);
// for (const titleData of titles) {
// const title = new Title();
// title.value = titleData.value;
// title.language = titleData.language;
// title.type = titleData.type;
// await dataset.useTransaction(trx).related('titles').save(title);
// }
let mainTitle: string | null = null;
const titles = request.input('titles', []);
for (const titleData of titles) {
const title = new Title();
@ -571,6 +591,11 @@ export default class DatasetController {
title.language = titleData.language;
title.type = titleData.type;
await dataset.useTransaction(trx).related('titles').save(title);
if (titleData.type === 'Main') {
// <-- an eure Typ-Konvention anpassen
mainTitle = titleData.value;
}
}
// save descriptions
@ -664,6 +689,8 @@ export default class DatasetController {
await dataset.useTransaction(trx).related('files').save(newFile);
await newFile.createHashValues(trx);
}
return { dataset, mainTitle }; // <-- statt void
}
private generateRandomString(length: number): string {
@ -1095,7 +1122,7 @@ export default class DatasetController {
}
});
const error = new errors.E_VALIDATION_ERROR({
'files': `Aggregated upload limit of ${formatBytes(aggregatedLimit)} exceeded. The total size of files being uploaded would exceed the limit.`,
files: `Aggregated upload limit of ${formatBytes(aggregatedLimit)} exceeded. The total size of files being uploaded would exceed the limit.`,
});
request.multipart.abort(error);
}

43
app/controllers/activities_controller.ts Normal file
View file

@ -0,0 +1,43 @@
// app/controllers/activities_controller.ts
import type { HttpContext } from '@adonisjs/core/http';
import Activity from '#models/activity';
export default class ActivitiesController {
async index({ response }: HttpContext) {
// const activities = await Activity.query()
// .preload('user', (q) => q.select('id', 'login'))
// .orderBy('created_at', 'desc')
// .limit(10);
// return response.json(
// activities.map((a) => ({
// id: a.id,
// type: a.type,
// description: a.description,
// user: a.user?.login ?? null,
// created_at: a.createdAt.toISO(), // relativeTime() expects ISO
// })),
// );
try {
const activities = await Activity.query()
.preload('user', (q) => q.select('id', 'login'))
.orderBy('created_at', 'desc')
.limit(10);
return response.json(
activities.map((a) => ({
id: a.id,
type: a.type,
description: a.description,
user: a.user?.login ?? null,
created_at: a.createdAt.toISO(), // relativeTime() expects ISO
})),
);
} catch (error) {
console.error('Error fetching activities:', error);
return response.status(500).json({ error: 'Internal Server Error' });
}
}
}

57
app/models/activity.ts Normal file
View file

@ -0,0 +1,57 @@
// app/models/activity.ts
import { DateTime } from 'luxon';
import { belongsTo, column } from '@adonisjs/lucid/orm';
import BaseModel from './base_model.js';
import type { BelongsTo } from '@adonisjs/lucid/types/relations';
import User from '#models/user';
import { SnakeCaseNamingStrategy } from '@adonisjs/lucid/orm';
export default class Activity extends BaseModel {
public static namingStrategy = new SnakeCaseNamingStrategy();
public static primaryKey = 'id';
public static table = 'activities';
@column({ isPrimary: true })
declare id: number;
@column()
declare type: string;
@column()
declare userId: number | null;
@column()
declare subjectType: string | null;
@column()
declare subjectId: number | null;
@column()
declare description: string;
// Manual JSON (de)serialization keeps this working on SQLite/MySQL.
// On Postgres json/jsonb the driver already parses — drop the `consume`
// JSON.parse there to avoid double-handling.
// @column({
// prepare: (value: Record<string, any> | null) => (value ? JSON.stringify(value) : null),
// consume: (value: string | null) => (value ? JSON.parse(value) : null),
// })
// declare properties: Record<string, any> | null;
@column()
declare properties: Record<string, any> | null;
@column.dateTime({ autoCreate: true })
declare createdAt: DateTime;
@column.dateTime({ autoCreate: true, autoUpdate: true })
declare updatedAt: DateTime;
// @belongsTo(() => User)
// declare user: BelongsTo<typeof User>;
@belongsTo(() => User, {
foreignKey: 'userId',
})
declare user: BelongsTo<typeof User>;
}

56
app/models/dataset.ts
View file

@ -5,7 +5,10 @@ import {
belongsTo,
hasMany,
computed,
hasOne
hasOne,
afterCreate,
beforeUpdate,
afterUpdate,
} from '@adonisjs/lucid/orm';
import { DateTime } from 'luxon';
import dayjs from 'dayjs';
@ -23,10 +26,11 @@ import DatasetIdentifier from './dataset_identifier.js';
import Project from './project.js';
import DocumentXmlCache from './DocumentXmlCache.js';
import DatasetExtension from '#models/traits/dataset_extension';
import type { ManyToMany } from "@adonisjs/lucid/types/relations";
import type { BelongsTo } from "@adonisjs/lucid/types/relations";
import type { HasMany } from "@adonisjs/lucid/types/relations";
import type { HasOne } from "@adonisjs/lucid/types/relations";
import type { ManyToMany } from '@adonisjs/lucid/types/relations';
import type { BelongsTo } from '@adonisjs/lucid/types/relations';
import type { HasMany } from '@adonisjs/lucid/types/relations';
import type { HasOne } from '@adonisjs/lucid/types/relations';
import ActivityLogger from '#services/activity_logger';
export default class Dataset extends DatasetExtension {
public static namingStrategy = new SnakeCaseNamingStrategy();
@ -46,7 +50,7 @@ export default class Dataset extends DatasetExtension {
@column({ columnName: 'creating_corporation' })
public creating_corporation: string;
@column.dateTime({
@column.dateTime({
columnName: 'embargo_date',
serialize: (value: Date | null) => {
return value ? dayjs(value).format('YYYY-MM-DD') : value;
@ -60,7 +64,7 @@ export default class Dataset extends DatasetExtension {
@column({})
public language: string;
@column({columnName: 'publish_id'})
@column({ columnName: 'publish_id' })
public publish_id: number | null = null;
@column({})
@ -266,10 +270,12 @@ export default class Dataset extends DatasetExtension {
return model || null;
}
static async getMax (column: string) {
let dataset = await this.query().max(column + ' as max_publish_id').firstOrFail();
static async getMax(column: string) {
let dataset = await this.query()
.max(column + ' as max_publish_id')
.firstOrFail();
return dataset.$extras.max_publish_id;
}
}
@computed({
serializeAs: 'remaining_time',
@ -284,4 +290,34 @@ export default class Dataset extends DatasetExtension {
return 0;
}
}
// @afterCreate()
// static async logUploaded(dataset: Dataset) {
// await dataset.preload('titles');
// await ActivityLogger.log({
// type: 'dataset.uploaded',
// description: `New publication uploaded: ${dataset.mainTitle ?? 'Untitled'}`,
// subjectType: 'Dataset',
// subjectId: dataset.id,
// });
// }
@beforeUpdate()
static capturePublish(dataset: Dataset) {
// $dirty is populated here, before persistence
(dataset as any).$becamePublished = dataset.$dirty.status !== undefined && dataset.status === 'published';
}
@afterUpdate()
static async logPublished(dataset: Dataset) {
if ((dataset as any).$becamePublished) {
await ActivityLogger.log({
type: 'dataset.published',
description: `Publication published: ${dataset.mainTitle}`,
subjectType: 'Dataset',
subjectId: dataset.id,
});
}
}
}

6
app/models/user.ts
View file

@ -14,6 +14,7 @@ import type { ManyToMany } from '@adonisjs/lucid/types/relations';
import type { HasMany } from '@adonisjs/lucid/types/relations';
import { compose } from '@adonisjs/core/helpers';
import BackupCode from './backup_code.js';
import Activity from './activity.js';
const AuthFinder = withAuthFinder(() => hash.use('laravel'), {
uids: ['email'],
@ -111,6 +112,11 @@ export default class User extends compose(BaseModel, AuthFinder) {
})
public backupcodes: HasMany<typeof BackupCode>;
@hasMany(() => Activity, {
foreignKey: 'user_id',
})
public activities: HasMany<typeof Activity>;
@computed({
serializeAs: 'is_admin',
})

27
app/services/activity_logger.ts Normal file
View file

@ -0,0 +1,27 @@
// app/services/activity_logger.ts
import Activity from '#models/activity'
interface LogOptions {
type: string
description: string
userId?: number | null
subjectType?: string | null
subjectId?: number | string | null
properties?: Record<string, any>
}
export default class ActivityLogger {
static async log(options: LogOptions): Promise<void> {
await Activity.create({
type: options.type,
description: options.description,
userId: options.userId ?? null,
subjectType: options.subjectType ?? null,
subjectId: options.subjectId != null ? Number(options.subjectId) : null,
properties: options.properties ?? null,
})
// Invalidate the cache if you add one (see Redis section).
// await redis.del('activities:recent')
}
}