insforge 0.3.3 → 1.3.0

package/backend/src/{core/logs/audit.ts → services/logs/audit.service.ts}

@@ -1,20 +1,26 @@
-import { DatabaseManager } from '@/core/database/manager.js';
+import { Pool } from 'pg';
+import { DatabaseManager } from '@/infra/database/database.manager.js';
 import logger from '@/utils/logger.js';
-import { AppError } from '@/api/middleware/error.js';
+import { AppError } from '@/api/middlewares/error.js';
 import { ERROR_CODES } from '@/types/error-constants.js';
 import type { AuditLogEntry, AuditLogQuery } from '@/types/logs.js';
 import { AuditLogSchema, GetAuditLogStatsResponse } from '@insforge/shared-schemas';
 
 export class AuditService {
   private static instance: AuditService;
-  private db: ReturnType<DatabaseManager['getDb']>;
+  private pool: Pool | null = null;
 
   private constructor() {
-    const dbManager = DatabaseManager.getInstance();
-    this.db = dbManager.getDb();
     logger.info('AuditService initialized');
   }
 
+  private getPool(): Pool {
+    if (!this.pool) {
+      this.pool = DatabaseManager.getInstance().getPool();
+    }
+    return this.pool;
+  }
+
   public static getInstance(): AuditService {
     if (!AuditService.instance) {
       AuditService.instance = new AuditService();
@@ -27,19 +33,21 @@ export class AuditService {
    */
   async log(entry: AuditLogEntry): Promise<AuditLogSchema> {
     try {
-      const result = await this.db
-        .prepare(
-          `INSERT INTO _audit_logs (actor, action, module, details, ip_address)
-           VALUES ($1, $2, $3, $4, $5)
-           RETURNING *`
-        )
-        .get(
+      const pool = this.getPool();
+      const result = await pool.query(
+        `INSERT INTO _audit_logs (actor, action, module, details, ip_address)
+         VALUES ($1, $2, $3, $4, $5)
+         RETURNING *`,
+        [
           entry.actor,
           entry.action,
           entry.module,
           entry.details ? JSON.stringify(entry.details) : null,
-          entry.ip_address || null
-        );
+          entry.ip_address || null,
+        ]
+      );
+
+      const row = result.rows[0];
 
       logger.info('Audit log created', {
         actor: entry.actor,
@@ -48,14 +56,14 @@ export class AuditService {
       });
 
       return {
-        id: result.id,
-        actor: result.actor,
-        action: result.action,
-        module: result.module,
-        details: result.details,
-        ipAddress: result.ip_address,
-        createdAt: result.created_at,
-        updatedAt: result.updated_at,
+        id: row.id,
+        actor: row.actor,
+        action: row.action,
+        module: row.module,
+        details: row.details,
+        ipAddress: row.ip_address,
+        createdAt: row.created_at,
+        updatedAt: row.updated_at,
       };
     } catch (error) {
       logger.error('Failed to create audit log', error);
@@ -68,6 +76,8 @@ export class AuditService {
    */
   async query(query: AuditLogQuery): Promise<{ records: AuditLogSchema[]; total: number }> {
     try {
+      const pool = this.getPool();
+
       // Build base WHERE clause
       let whereClause = 'WHERE 1=1';
       const params: unknown[] = [];
@@ -100,8 +110,8 @@ export class AuditService {
 
       // Get total count first
       const countSql = `SELECT COUNT(*) as count FROM _audit_logs ${whereClause}`;
-      const countResult = (await this.db.prepare(countSql).get(...params)) as { count: number };
-      const total = countResult.count;
+      const countResult = await pool.query(countSql, params);
+      const total = parseInt(countResult.rows[0].count, 10);
 
       // Get paginated records
       let dataSql = `SELECT * FROM _audit_logs ${whereClause} ORDER BY created_at DESC`;
@@ -117,10 +127,10 @@ export class AuditService {
         dataParams.push(query.offset);
       }
 
-      const records = await this.db.prepare(dataSql).all(...dataParams);
+      const dataResult = await pool.query(dataSql, dataParams);
 
       return {
-        records: records.map((record) => ({
+        records: dataResult.rows.map((record) => ({
           id: record.id,
           actor: record.actor,
           action: record.action,
@@ -143,18 +153,21 @@ export class AuditService {
    */
   async getById(id: string): Promise<AuditLogSchema | null> {
     try {
-      const result = await this.db.prepare('SELECT * FROM _audit_logs WHERE id = $1').get(id);
+      const pool = this.getPool();
+      const result = await pool.query('SELECT * FROM _audit_logs WHERE id = $1', [id]);
+
+      const row = result.rows[0];
 
-      return result
+      return row
         ? {
-            id: result.id,
-            actor: result.actor,
-            action: result.action,
-            module: result.module,
-            details: result.details,
-            ipAddress: result.ip_address,
-            createdAt: result.created_at,
-            updatedAt: result.updated_at,
+            id: row.id,
+            actor: row.actor,
+            action: row.action,
+            module: row.module,
+            details: row.details,
+            ipAddress: row.ip_address,
+            createdAt: row.created_at,
+            updatedAt: row.updated_at,
           }
         : null;
     } catch (error) {
@@ -168,50 +181,52 @@ export class AuditService {
    */
   async getStats(days: number = 7): Promise<GetAuditLogStatsResponse> {
     try {
+      const pool = this.getPool();
       const startDate = new Date();
       startDate.setDate(startDate.getDate() - days);
 
-      const [totalLogs] = await this.db
-        .prepare('SELECT COUNT(*) as count FROM _audit_logs WHERE created_at >= $1')
-        .get(startDate.toISOString());
-
-      const [uniqueActors] = await this.db
-        .prepare('SELECT COUNT(DISTINCT actor) as count FROM _audit_logs WHERE created_at >= $1')
-        .get(startDate.toISOString());
-
-      const [uniqueModules] = await this.db
-        .prepare('SELECT COUNT(DISTINCT module) as count FROM _audit_logs WHERE created_at >= $1')
-        .get(startDate.toISOString());
-
-      const actionsByModule = await this.db
-        .prepare(
-          `SELECT module, COUNT(*) as count
-           FROM _audit_logs
-           WHERE created_at >= $1
-           GROUP BY module`
-        )
-        .all(startDate.toISOString());
-
-      const recentActivity = await this.db
-        .prepare(
-          `SELECT * FROM _audit_logs
-           WHERE created_at >= $1
-           ORDER BY created_at DESC
-           LIMIT 10`
-        )
-        .all(startDate.toISOString());
+      const totalLogsResult = await pool.query(
+        'SELECT COUNT(*) as count FROM _audit_logs WHERE created_at >= $1',
+        [startDate.toISOString()]
+      );
+
+      const uniqueActorsResult = await pool.query(
+        'SELECT COUNT(DISTINCT actor) as count FROM _audit_logs WHERE created_at >= $1',
+        [startDate.toISOString()]
+      );
+
+      const uniqueModulesResult = await pool.query(
+        'SELECT COUNT(DISTINCT module) as count FROM _audit_logs WHERE created_at >= $1',
+        [startDate.toISOString()]
+      );
+
+      const actionsByModuleResult = await pool.query(
+        `SELECT module, COUNT(*) as count
+         FROM _audit_logs
+         WHERE created_at >= $1
+         GROUP BY module`,
+        [startDate.toISOString()]
+      );
+
+      const recentActivityResult = await pool.query(
+        `SELECT * FROM _audit_logs
+         WHERE created_at >= $1
+         ORDER BY created_at DESC
+         LIMIT 10`,
+        [startDate.toISOString()]
+      );
 
       const moduleStats: Record<string, number> = {};
-      actionsByModule.forEach((row: { module: string; count: string }) => {
-        moduleStats[row.module] = parseInt(row.count);
+      actionsByModuleResult.rows.forEach((row: { module: string; count: string }) => {
+        moduleStats[row.module] = parseInt(row.count, 10);
       });
 
       return {
-        totalLogs: parseInt(totalLogs?.count || 0),
-        uniqueActors: parseInt(uniqueActors?.count || 0),
-        uniqueModules: parseInt(uniqueModules?.count || 0),
+        totalLogs: parseInt(totalLogsResult.rows[0]?.count || '0', 10),
+        uniqueActors: parseInt(uniqueActorsResult.rows[0]?.count || '0', 10),
+        uniqueModules: parseInt(uniqueModulesResult.rows[0]?.count || '0', 10),
         actionsByModule: moduleStats,
-        recentActivity: recentActivity.map((record) => ({
+        recentActivity: recentActivityResult.rows.map((record) => ({
           id: record.id,
           actor: record.actor,
           action: record.action,
@@ -233,14 +248,16 @@ export class AuditService {
    */
   async cleanup(daysToKeep: number = 90): Promise<number> {
     try {
+      const pool = this.getPool();
       const cutoffDate = new Date();
       cutoffDate.setDate(cutoffDate.getDate() - daysToKeep);
 
-      const result = await this.db
-        .prepare('DELETE FROM _audit_logs WHERE created_at < $1 RETURNING id')
-        .all(cutoffDate.toISOString());
+      const result = await pool.query(
+        'DELETE FROM _audit_logs WHERE created_at < $1 RETURNING id',
+        [cutoffDate.toISOString()]
+      );
 
-      const deletedCount = result.length;
+      const deletedCount = result.rows.length;
 
       if (deletedCount > 0) {
         logger.info(`Cleaned up ${deletedCount} audit logs older than ${daysToKeep} days`);

package/backend/src/services/logs/log.service.ts

@@ -0,0 +1,73 @@
+import logger from '@/utils/logger.js';
+import { CloudWatchProvider } from '@/providers/logs/cloudwatch.provider.js';
+import { LocalFileProvider } from '@/providers/logs/local.provider.js';
+import { LogProvider } from '@/providers/logs/base.provider.js';
+import { LogSchema, LogSourceSchema, LogStatsSchema } from '@insforge/shared-schemas';
+import { isCloudEnvironment } from '@/utils/environment.js';
+
+export class LogService {
+  private static instance: LogService;
+  private provider!: LogProvider;
+
+  private constructor() {}
+
+  static getInstance(): LogService {
+    if (!LogService.instance) {
+      LogService.instance = new LogService();
+    }
+    return LogService.instance;
+  }
+
+  async initialize(): Promise<void> {
+    // Use CloudWatch if AWS credentials are available or if it's cloud environment since we provided the permissions in instance profile
+    // otherwise use file-based logging
+    const hasAwsCredentials =
+      (process.env.AWS_ACCESS_KEY_ID && process.env.AWS_SECRET_ACCESS_KEY) || isCloudEnvironment();
+
+    if (hasAwsCredentials) {
+      logger.info('Using log provider: CloudWatch');
+      this.provider = new CloudWatchProvider();
+    } else {
+      logger.info('Using log provider: File-based (no AWS credentials required)');
+      this.provider = new LocalFileProvider();
+    }
+
+    await this.provider.initialize();
+  }
+
+  getLogSources(): Promise<LogSourceSchema[]> {
+    return this.provider.getLogSources();
+  }
+
+  getLogsBySource(
+    sourceName: string,
+    limit: number = 100,
+    beforeTimestamp?: string
+  ): Promise<{
+    logs: LogSchema[];
+    total: number;
+    tableName: string;
+  }> {
+    return this.provider.getLogsBySource(sourceName, limit, beforeTimestamp);
+  }
+
+  getLogSourceStats(): Promise<LogStatsSchema[]> {
+    return this.provider.getLogSourceStats();
+  }
+
+  searchLogs(
+    query: string,
+    sourceName?: string,
+    limit: number = 100,
+    offset: number = 0
+  ): Promise<{
+    logs: (LogSchema & { source: string })[];
+    total: number;
+  }> {
+    return this.provider.searchLogs(query, sourceName, limit, offset);
+  }
+
+  async close(): Promise<void> {
+    await this.provider.close();
+  }
+}

package/backend/src/services/realtime/index.ts

@@ -0,0 +1,3 @@
+export { RealtimeChannelService } from './realtime-channel.service.js';
+export { RealtimeAuthService } from './realtime-auth.service.js';
+export { RealtimeMessageService } from './realtime-message.service.js';

package/backend/src/services/realtime/realtime-auth.service.ts

@@ -0,0 +1,104 @@
+import { Pool, PoolClient } from 'pg';
+import { DatabaseManager } from '@/infra/database/database.manager.js';
+import logger from '@/utils/logger.js';
+import { RoleSchema } from '@insforge/shared-schemas';
+
+/**
+ * Handles channel authorization by checking RLS policies on the messages table.
+ *
+ * Permission Model (Supabase pattern):
+ * - SELECT on messages = 'join' permission (can subscribe to channel)
+ * - INSERT on messages = 'send' permission (can publish to channel)
+ *
+ * Developers define RLS policies on realtime.messages that check:
+ * - current_setting('request.jwt.claim.sub', true) = user ID
+ * - current_setting('request.jwt.claim.role', true) = user role
+ * - channel_name for channel-specific access
+ */
+export class RealtimeAuthService {
+  private static instance: RealtimeAuthService;
+  private pool: Pool | null = null;
+
+  private constructor() {}
+
+  static getInstance(): RealtimeAuthService {
+    if (!RealtimeAuthService.instance) {
+      RealtimeAuthService.instance = new RealtimeAuthService();
+    }
+    return RealtimeAuthService.instance;
+  }
+
+  private getPool(): Pool {
+    if (!this.pool) {
+      this.pool = DatabaseManager.getInstance().getPool();
+    }
+    return this.pool;
+  }
+
+  /**
+   * Check if user has permission to subscribe to a channel.
+   * Tests SELECT permission on channels table via RLS.
+   *
+   * @param channelName - The channel to check access for
+   * @param userId - The user ID (undefined for anonymous users)
+   * @param role - The database role to use (authenticated or anon)
+   * @returns true if user can subscribe, false otherwise
+   */
+  async checkSubscribePermission(
+    channelName: string,
+    userId: string | undefined,
+    role: RoleSchema
+  ): Promise<boolean> {
+    const client = await this.getPool().connect();
+    try {
+      // Begin transaction to ensure settings persist across queries
+      await client.query('BEGIN');
+      // Switch to specified role to enforce RLS policies
+      await client.query(`SET LOCAL ROLE ${role}`);
+      await this.setUserContext(client, userId, channelName);
+
+      // Test SELECT permission via RLS on channels table
+      const result = await client.query(
+        `SELECT 1 FROM realtime.channels
+         WHERE enabled = TRUE
+           AND (pattern = $1 OR $1 LIKE pattern)
+         LIMIT 1`,
+        [channelName]
+      );
+
+      // Commit transaction
+      await client.query('COMMIT');
+
+      // If query returns a row, user has permission
+      return result.rowCount !== null && result.rowCount > 0;
+    } catch (error) {
+      // Rollback transaction on error
+      await client.query('ROLLBACK').catch(() => {});
+      logger.debug('Subscribe permission denied', { channelName, userId, error });
+      return false;
+    } finally {
+      // Reset role back to default before releasing connection
+      await client.query('RESET ROLE');
+      client.release();
+    }
+  }
+
+  /**
+   * Set user context variables for RLS policy evaluation.
+   * Can be used by other services that need to execute queries with user context.
+   */
+  async setUserContext(
+    client: PoolClient,
+    userId: string | undefined,
+    channelName: string
+  ): Promise<void> {
+    if (userId) {
+      await client.query("SELECT set_config('request.jwt.claim.sub', $1, true)", [userId]);
+    } else {
+      await client.query("SELECT set_config('request.jwt.claim.sub', '', true)");
+    }
+
+    // Set the channel being accessed (used by realtime.channel_name())
+    await client.query("SELECT set_config('realtime.channel_name', $1, true)", [channelName]);
+  }
+}

package/backend/src/services/realtime/realtime-channel.service.ts

@@ -0,0 +1,237 @@
+import { Pool } from 'pg';
+import { DatabaseManager } from '@/infra/database/database.manager.js';
+import { AppError } from '@/api/middlewares/error.js';
+import { ERROR_CODES } from '@/types/error-constants.js';
+import logger from '@/utils/logger.js';
+import type {
+  RealtimeChannel,
+  CreateChannelRequest,
+  UpdateChannelRequest,
+  RealtimeMetadataSchema,
+  RlsPolicy,
+  RealtimePermissionsResponse,
+} from '@insforge/shared-schemas';
+
+const SYSTEM_POLICIES = ['project_admin_policy'];
+
+export class RealtimeChannelService {
+  private static instance: RealtimeChannelService;
+  private pool: Pool | null = null;
+
+  private constructor() {}
+
+  static getInstance(): RealtimeChannelService {
+    if (!RealtimeChannelService.instance) {
+      RealtimeChannelService.instance = new RealtimeChannelService();
+    }
+    return RealtimeChannelService.instance;
+  }
+
+  private getPool(): Pool {
+    if (!this.pool) {
+      this.pool = DatabaseManager.getInstance().getPool();
+    }
+    return this.pool;
+  }
+
+  async list(): Promise<RealtimeChannel[]> {
+    const result = await this.getPool().query(`
+      SELECT
+        id,
+        pattern,
+        description,
+        webhook_urls as "webhookUrls",
+        enabled,
+        created_at as "createdAt",
+        updated_at as "updatedAt"
+      FROM realtime.channels
+      ORDER BY created_at DESC
+    `);
+    return result.rows;
+  }
+
+  async getById(id: string): Promise<RealtimeChannel | null> {
+    const result = await this.getPool().query(
+      `SELECT
+        id,
+        pattern,
+        description,
+        webhook_urls as "webhookUrls",
+        enabled,
+        created_at as "createdAt",
+        updated_at as "updatedAt"
+      FROM realtime.channels
+      WHERE id = $1`,
+      [id]
+    );
+    return result.rows[0] || null;
+  }
+
+  /**
+   * Find a channel by name (exact match or wildcard pattern match).
+   * For wildcard patterns like "order:%", checks if channelName matches the pattern.
+   * Returns the matching channel if found and enabled, null otherwise.
+   */
+  async getByName(channelName: string): Promise<RealtimeChannel | null> {
+    const result = await this.getPool().query(
+      `SELECT
+        id,
+        pattern,
+        description,
+        webhook_urls as "webhookUrls",
+        enabled,
+        created_at as "createdAt",
+        updated_at as "updatedAt"
+      FROM realtime.channels
+      WHERE enabled = TRUE
+        AND (pattern = $1 OR $1 LIKE pattern)
+      ORDER BY pattern = $1 DESC
+      LIMIT 1`,
+      [channelName]
+    );
+    return result.rows[0] || null;
+  }
+
+  async create(input: CreateChannelRequest): Promise<RealtimeChannel> {
+    this.validateChannelPattern(input.pattern);
+
+    const result = await this.getPool().query(
+      `INSERT INTO realtime.channels (
+        pattern, description, webhook_urls, enabled
+      ) VALUES ($1, $2, $3, $4)
+      RETURNING
+        id,
+        pattern,
+        description,
+        webhook_urls as "webhookUrls",
+        enabled,
+        created_at as "createdAt",
+        updated_at as "updatedAt"`,
+      [input.pattern, input.description || null, input.webhookUrls || null, input.enabled ?? true]
+    );
+
+    logger.info('Realtime channel created', { pattern: input.pattern });
+    return result.rows[0];
+  }
+
+  async update(id: string, input: UpdateChannelRequest): Promise<RealtimeChannel> {
+    const existing = await this.getById(id);
+    if (!existing) {
+      throw new AppError('Channel not found', 404, ERROR_CODES.NOT_FOUND);
+    }
+
+    if (input.pattern) {
+      this.validateChannelPattern(input.pattern);
+    }
+
+    const result = await this.getPool().query(
+      `UPDATE realtime.channels
+       SET
+         pattern = COALESCE($2, pattern),
+         description = COALESCE($3, description),
+         webhook_urls = COALESCE($4, webhook_urls),
+         enabled = COALESCE($5, enabled)
+       WHERE id = $1
+       RETURNING
+         id,
+         pattern,
+         description,
+         webhook_urls as "webhookUrls",
+         enabled,
+         created_at as "createdAt",
+         updated_at as "updatedAt"`,
+      [id, input.pattern, input.description, input.webhookUrls, input.enabled]
+    );
+
+    logger.info('Realtime channel updated', { id });
+    return result.rows[0];
+  }
+
+  async delete(id: string): Promise<void> {
+    const existing = await this.getById(id);
+    if (!existing) {
+      throw new AppError('Channel not found', 404, ERROR_CODES.NOT_FOUND);
+    }
+
+    await this.getPool().query('DELETE FROM realtime.channels WHERE id = $1', [id]);
+    logger.info('Realtime channel deleted', { id, pattern: existing.pattern });
+  }
+
+  /**
+   * Get realtime metadata including channels and permissions
+   */
+  async getMetadata(): Promise<RealtimeMetadataSchema> {
+    const [channels, permissions] = await Promise.all([this.list(), this.getPermissions()]);
+
+    return {
+      channels,
+      permissions,
+    };
+  }
+
+  // ============================================================================
+  // Permissions Methods
+  // ============================================================================
+
+  /**
+   * Get RLS policies for a table in the realtime schema, excluding system policies
+   */
+  private async getPolicies(tableName: string): Promise<RlsPolicy[]> {
+    const result = await this.getPool().query(
+      `SELECT
+         policyname as "policyName",
+         tablename as "tableName",
+         cmd as "command",
+         roles,
+         qual as "using",
+         with_check as "withCheck"
+       FROM pg_policies
+       WHERE schemaname = 'realtime'
+         AND tablename = $1
+       ORDER BY policyname`,
+      [tableName]
+    );
+
+    // Filter out system policies
+    return result.rows.filter((policy) => !SYSTEM_POLICIES.includes(policy.policyName));
+  }
+
+  /**
+   * Get all realtime permissions (RLS policies for channels and messages tables)
+   *
+   * - Subscribe permission: RLS policies on realtime.channels (SELECT)
+   * - Publish permission: RLS policies on realtime.messages (INSERT)
+   */
+  async getPermissions(): Promise<RealtimePermissionsResponse> {
+    const [channelsPolicies, messagesPolicies] = await Promise.all([
+      this.getPolicies('channels'),
+      this.getPolicies('messages'),
+    ]);
+
+    return {
+      subscribe: {
+        policies: channelsPolicies,
+      },
+      publish: {
+        policies: messagesPolicies,
+      },
+    };
+  }
+
+  // ============================================================================
+  // Validation
+  // ============================================================================
+
+  private validateChannelPattern(pattern: string): void {
+    // Allow alphanumeric, colons, hyphens, and % for wildcards
+    // Note: underscore is not allowed as it's a SQL wildcard character
+    const validPattern = /^[a-zA-Z0-9-]+(:[a-zA-Z0-9%:-]+)*$/;
+    if (!validPattern.test(pattern)) {
+      throw new AppError(
+        'Invalid channel pattern. Use alphanumeric characters, colons, hyphens, and % for wildcards.',
+        400,
+        ERROR_CODES.INVALID_INPUT
+      );
+    }
+  }
+}