archicore 0.2.0 → 0.2.1

package/dist/server/routes/admin.js

@@ -2,14 +2,33 @@
  * Admin API Routes for ArchiCore
  */
 import { Router } from 'express';
+import rateLimit from 'express-rate-limit';
 import { AuthService } from '../services/auth-service.js';
+import { auditService } from '../services/audit-service.js';
 import { authMiddleware, adminMiddleware } from './auth.js';
 import { Logger } from '../../utils/logger.js';
 export const adminRouter = Router();
 const authService = AuthService.getInstance();
-// All admin routes require authentication and admin role
+// Stricter rate limiting for admin routes (30 requests per minute)
+const adminRateLimiter = rateLimit({
+    windowMs: 60 * 1000, // 1 minute
+    max: 30, // 30 requests per minute
+    message: { error: 'Too many admin requests, please slow down', retryAfter: 60 },
+    standardHeaders: true,
+    legacyHeaders: false,
+    handler: (_req, res) => {
+        Logger.warn('Admin rate limit exceeded');
+        res.status(429).json({
+            error: 'Too many admin requests',
+            message: 'Please wait before making more admin API calls',
+            retryAfter: 60
+        });
+    }
+});
+// All admin routes require authentication, admin role, and rate limiting
 adminRouter.use(authMiddleware);
 adminRouter.use(adminMiddleware);
+adminRouter.use(adminRateLimiter);
 /**
  * GET /api/admin/users
  * Get all users
@@ -49,6 +68,8 @@ adminRouter.get('/users/:id', async (req, res) => {
  * Update user's subscription tier
  */
 adminRouter.put('/users/:id/tier', async (req, res) => {
+    const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+    const userAgent = req.headers['user-agent'];
     try {
         const { id } = req.params;
         const { tier } = req.body;
@@ -57,11 +78,28 @@ adminRouter.put('/users/:id/tier', async (req, res) => {
             res.status(400).json({ error: 'Invalid tier. Valid tiers: ' + validTiers.join(', ') });
             return;
         }
+        // Get old tier for audit
+        const oldUser = await authService.getUser(id);
+        const oldTier = oldUser?.tier;
         const updated = await authService.updateUserTier(id, tier);
         if (!updated) {
             res.status(404).json({ error: 'User not found' });
             return;
         }
+        // Audit log
+        await auditService.log({
+            userId: req.user?.id,
+            username: req.user?.username,
+            action: 'admin.tier_change',
+            ip,
+            userAgent,
+            details: {
+                targetUserId: id,
+                targetUsername: oldUser?.username,
+                oldTier,
+                newTier: tier
+            }
+        });
         res.json({ success: true });
     }
     catch (error) {
@@ -74,13 +112,30 @@ adminRouter.put('/users/:id/tier', async (req, res) => {
  * Delete user
  */
 adminRouter.delete('/users/:id', async (req, res) => {
+    const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+    const userAgent = req.headers['user-agent'];
     try {
         const { id } = req.params;
+        // Get user info before deletion for audit
+        const userToDelete = await authService.getUser(id);
         const deleted = await authService.deleteUser(id);
         if (!deleted) {
             res.status(400).json({ error: 'Cannot delete user (admin or not found)' });
             return;
         }
+        // Audit log
+        await auditService.log({
+            userId: req.user?.id,
+            username: req.user?.username,
+            action: 'admin.user_delete',
+            ip,
+            userAgent,
+            details: {
+                deletedUserId: id,
+                deletedUsername: userToDelete?.username,
+                deletedEmail: userToDelete?.email
+            }
+        });
         res.json({ success: true });
     }
     catch (error) {
@@ -120,4 +175,97 @@ adminRouter.get('/stats', async (_req, res) => {
         res.status(500).json({ error: 'Failed to get statistics' });
     }
 });
+// ===== AUDIT LOGS =====
+/**
+ * GET /api/admin/audit
+ * Get audit logs with filtering and pagination
+ */
+adminRouter.get('/audit', async (req, res) => {
+    try {
+        const { userId, action, severity, success, startDate, endDate, limit = '50', offset = '0' } = req.query;
+        // Log that admin is viewing audit logs
+        const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+        const userAgent = req.headers['user-agent'];
+        await auditService.log({
+            userId: req.user?.id,
+            username: req.user?.username,
+            action: 'admin.view_logs',
+            ip,
+            userAgent,
+            details: { filters: { userId, action, severity } }
+        });
+        const result = await auditService.query({
+            userId: userId,
+            action: action,
+            severity: severity,
+            success: success ? success === 'true' : undefined,
+            startDate: startDate ? new Date(startDate) : undefined,
+            endDate: endDate ? new Date(endDate) : undefined,
+            limit: parseInt(limit, 10),
+            offset: parseInt(offset, 10)
+        });
+        res.json(result);
+    }
+    catch (error) {
+        Logger.error('Failed to get audit logs:', error);
+        res.status(500).json({ error: 'Failed to get audit logs' });
+    }
+});
+/**
+ * GET /api/admin/audit/stats
+ * Get audit statistics
+ */
+adminRouter.get('/audit/stats', async (req, res) => {
+    try {
+        const days = parseInt(req.query.days || '7', 10);
+        const stats = await auditService.getStats(days);
+        res.json(stats);
+    }
+    catch (error) {
+        Logger.error('Failed to get audit stats:', error);
+        res.status(500).json({ error: 'Failed to get audit statistics' });
+    }
+});
+/**
+ * GET /api/admin/audit/user/:userId
+ * Get audit logs for specific user
+ */
+adminRouter.get('/audit/user/:userId', async (req, res) => {
+    try {
+        const { userId } = req.params;
+        const limit = parseInt(req.query.limit || '50', 10);
+        const logs = await auditService.getUserLogs(userId, limit);
+        res.json({ logs });
+    }
+    catch (error) {
+        Logger.error('Failed to get user audit logs:', error);
+        res.status(500).json({ error: 'Failed to get user audit logs' });
+    }
+});
+/**
+ * POST /api/admin/audit/cleanup
+ * Clean up old audit logs (retention policy)
+ */
+adminRouter.post('/audit/cleanup', async (req, res) => {
+    try {
+        const retentionDays = parseInt(req.body.retentionDays || '90', 10);
+        const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+        const userAgent = req.headers['user-agent'];
+        // Log cleanup action
+        await auditService.log({
+            userId: req.user?.id,
+            username: req.user?.username,
+            action: 'admin.view_logs',
+            ip,
+            userAgent,
+            details: { operation: 'cleanup', retentionDays }
+        });
+        const removed = await auditService.cleanup(retentionDays);
+        res.json({ success: true, removed });
+    }
+    catch (error) {
+        Logger.error('Failed to cleanup audit logs:', error);
+        res.status(500).json({ error: 'Failed to cleanup audit logs' });
+    }
+});
 //# sourceMappingURL=admin.js.map

package/dist/server/routes/auth.js

@@ -3,6 +3,7 @@
  */
 import { Router } from 'express';
 import { AuthService } from '../services/auth-service.js';
+import { auditService } from '../services/audit-service.js';
 import { Logger } from '../../utils/logger.js';
 export const authRouter = Router();
 const authService = AuthService.getInstance();
@@ -35,6 +36,8 @@ export async function adminMiddleware(req, res, next) {
  * Register new user
  */
 authRouter.post('/register', async (req, res) => {
+    const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+    const userAgent = req.headers['user-agent'];
     try {
         const { email, username, password } = req.body;
         if (!email || !username || !password) {
@@ -46,6 +49,17 @@ authRouter.post('/register', async (req, res) => {
             return;
         }
         const result = await authService.register(email, username, password);
+        // Audit log
+        if (result.success && result.user) {
+            await auditService.log({
+                userId: result.user.id,
+                username: result.user.username,
+                action: 'auth.register',
+                ip,
+                userAgent,
+                details: { email }
+            });
+        }
         res.json(result);
     }
     catch (error) {
@@ -58,6 +72,8 @@ authRouter.post('/register', async (req, res) => {
  * Login with email/password
  */
 authRouter.post('/login', async (req, res) => {
+    const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+    const userAgent = req.headers['user-agent'];
     try {
         const { email, password } = req.body;
         if (!email || !password) {
@@ -65,10 +81,30 @@ authRouter.post('/login', async (req, res) => {
             return;
         }
         const result = await authService.login(email, password);
+        // Audit log
+        await auditService.log({
+            userId: result.user?.id,
+            username: result.user?.username,
+            action: 'auth.login',
+            ip,
+            userAgent,
+            details: { email },
+            success: result.success,
+            errorMessage: result.success ? undefined : result.error
+        });
         res.json(result);
     }
     catch (error) {
         Logger.error('Login error:', error);
+        // Audit failed login attempt
+        await auditService.log({
+            action: 'auth.login',
+            ip,
+            userAgent,
+            details: { email: req.body.email },
+            success: false,
+            errorMessage: 'Login failed'
+        });
         res.status(500).json({ success: false, error: 'Login failed' });
     }
 });
@@ -77,11 +113,21 @@ authRouter.post('/login', async (req, res) => {
  * Logout current user
  */
 authRouter.post('/logout', authMiddleware, async (req, res) => {
+    const ip = req.ip || req.headers['x-forwarded-for'] || 'unknown';
+    const userAgent = req.headers['user-agent'];
     try {
         const token = req.headers.authorization?.substring(7);
         if (token) {
             await authService.logout(token);
         }
+        // Audit log
+        await auditService.log({
+            userId: req.user?.id,
+            username: req.user?.username,
+            action: 'auth.logout',
+            ip,
+            userAgent
+        });
         res.json({ success: true });
     }
     catch (error) {

package/dist/server/routes/github.js

@@ -449,7 +449,7 @@ githubRouter.post('/repositories/:id/analyze', authMiddleware, async (req, res)
 githubRouter.post('/webhook', async (req, res) => {
     try {
         const event = req.headers['x-github-event'];
-        // signature available at req.headers['x-hub-signature-256'] for verification
+        const signature = req.headers['x-hub-signature-256'];
         const payload = req.body;
         if (!event || !payload) {
             res.status(400).json({ error: 'Invalid webhook' });
@@ -467,9 +467,22 @@ githubRouter.post('/webhook', async (req, res) => {
             res.status(200).json({ message: 'Repository not connected' });
             return;
         }
-        // Verify signature (if webhook secret is set)
-        // Note: In production, you'd verify the signature properly using:
-        // githubService.verifyWebhookSignature(JSON.stringify(req.body), signature, secret)
+        // Verify webhook signature (HMAC-SHA256)
+        if (repo.webhookSecret) {
+            if (!signature) {
+                Logger.warn(`Webhook missing signature for ${fullName}`);
+                res.status(401).json({ error: 'Missing signature' });
+                return;
+            }
+            const secret = githubService.getWebhookSecret(repo.webhookSecret);
+            const payloadBody = JSON.stringify(payload);
+            if (!githubService.verifyWebhookSignature(payloadBody, signature, secret)) {
+                Logger.warn(`Invalid webhook signature for ${fullName}`);
+                res.status(401).json({ error: 'Invalid signature' });
+                return;
+            }
+            Logger.debug(`Webhook signature verified for ${fullName}`);
+        }
         Logger.info(`Webhook received: ${event} for ${fullName}`);
         // Handle different events
         switch (event) {

package/dist/server/services/audit-service.d.ts

@@ -0,0 +1,88 @@
+/**
+ * Audit Log Service for ArchiCore
+ *
+ * Logs user actions for security and compliance purposes
+ * Supports PostgreSQL (primary) with JSON file fallback
+ */
+export type AuditAction = 'auth.login' | 'auth.logout' | 'auth.register' | 'auth.password_change' | 'auth.device_login' | 'user.update' | 'user.tier_change' | 'user.delete' | 'project.create' | 'project.delete' | 'project.analyze' | 'project.simulate' | 'project.ask' | 'project.docs' | 'github.connect' | 'github.disconnect' | 'github.repo_connect' | 'github.repo_disconnect' | 'github.webhook_received' | 'api.key_create' | 'api.key_revoke' | 'api.request' | 'admin.login' | 'admin.user_update' | 'admin.user_delete' | 'admin.tier_change' | 'admin.view_logs';
+export type AuditSeverity = 'info' | 'warning' | 'critical';
+export interface AuditLogEntry {
+    id: string;
+    timestamp: Date;
+    userId?: string;
+    username?: string;
+    action: AuditAction;
+    severity: AuditSeverity;
+    ip?: string;
+    userAgent?: string;
+    details?: Record<string, any>;
+    success: boolean;
+    errorMessage?: string;
+}
+export interface AuditLogQuery {
+    userId?: string;
+    action?: AuditAction;
+    severity?: AuditSeverity;
+    startDate?: Date;
+    endDate?: Date;
+    success?: boolean;
+    limit?: number;
+    offset?: number;
+}
+export declare class AuditService {
+    private dataDir;
+    private logs;
+    private jsonInitialized;
+    private saveTimeout;
+    constructor(dataDir?: string);
+    private useDatabase;
+    private ensureJsonInitialized;
+    private saveJson;
+    private generateId;
+    private getSeverity;
+    private rowToEntry;
+    /**
+     * Log an action
+     */
+    log(params: {
+        userId?: string;
+        username?: string;
+        action: AuditAction;
+        ip?: string;
+        userAgent?: string;
+        details?: Record<string, any>;
+        success?: boolean;
+        errorMessage?: string;
+    }): Promise<AuditLogEntry>;
+    /**
+     * Query audit logs
+     */
+    query(params?: AuditLogQuery): Promise<{
+        logs: AuditLogEntry[];
+        total: number;
+    }>;
+    /**
+     * Get recent logs for a user
+     */
+    getUserLogs(userId: string, limit?: number): Promise<AuditLogEntry[]>;
+    /**
+     * Get failed login attempts for an IP
+     */
+    getFailedLogins(ip: string, since: Date): Promise<number>;
+    /**
+     * Get statistics
+     */
+    getStats(days?: number): Promise<{
+        totalActions: number;
+        uniqueUsers: number;
+        failedLogins: number;
+        criticalEvents: number;
+        actionCounts: Record<string, number>;
+    }>;
+    /**
+     * Clear old logs (retention policy)
+     */
+    cleanup(retentionDays?: number): Promise<number>;
+}
+export declare const auditService: AuditService;
+//# sourceMappingURL=audit-service.d.ts.map