sonamu 0.9.1 → 0.9.3

package/dist/ui-web/index.html

@@ -5,8 +5,8 @@
     <link rel="icon" type="image/svg+xml" href="/sonamu-ui/setting.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>{{projectName}}: Sonamu UI</title>
-    <script type="module" crossorigin src="/sonamu-ui/assets/index-C8qhvZbs.js"></script>
-    <link rel="stylesheet" crossorigin href="/sonamu-ui/assets/index-DqgrO7Za.css">
+    <script type="module" crossorigin src="/sonamu-ui/assets/index-DrTfl0Ts.js"></script>
+    <link rel="stylesheet" crossorigin href="/sonamu-ui/assets/index-Dr8pRJC_.css">
   </head>
   <body>
     <div id="root"></div>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sonamu",
-  "version": "0.9.1",
+  "version": "0.9.3",
   "description": "Sonamu — TypeScript Fullstack API Framework",
   "keywords": [
     "framework",
@@ -85,6 +85,7 @@
     "@aws-sdk/lib-storage": "^3.971.0",
     "@aws-sdk/s3-request-presigner": "^3.958.0",
     "@better-auth/api-key": "~1.6.0",
+    "@better-auth/infra": "~0.1.14",
     "@better-auth/passkey": "~1.6.0",
     "@better-auth/sso": "~1.6.0",
     "@faker-js/faker": "^9.2.0",
@@ -125,11 +126,11 @@
     "qs": "^6.14.1",
     "radashi": "^12.2.0",
     "tsicli": "^1.0.5",
-    "vite": "8.0.3",
+    "vite": "8.0.5",
     "vitest": "^4.1.2",
     "@sonamu-kit/hmr-hook": "^0.5.1",
-    "@sonamu-kit/hmr-runner": "^0.2.0",
     "@sonamu-kit/tasks": "^0.3.0",
+    "@sonamu-kit/hmr-runner": "^0.2.0",
     "@sonamu-kit/ts-loader": "^2.2.0"
   },
   "devDependencies": {

package/src/api/config.ts

@@ -198,20 +198,27 @@ export type SonamuServerOptions = {
         }
       >;
     };
+    /**
+     * AuditLog 활성화 여부
+     * true로 설정하면 Better Auth dash() 플러그인을 자동 주입하고
+     * /api/audit-log/events/track 엔드포인트에서 이벤트를 수신하여
+     * audit_events 테이블에 적재합니다.
+     * 사전에 `sonamu auth generate --plugins audit-log`로 엔티티를 생성해야 합니다.
+     */
+    auditLog?: boolean;
   };
 
   apiConfig: SonamuFastifyConfig;
 
   /**
    * Storage 드라이버 설정.
-   * DRIVE_DISK 환경변수로 사용할 드라이버를 선택합니다. (기본값: default 키)
+   * saveToDisk(diskName, key) 호출 시 드라이버를 명시적으로 지정합니다.
    *
    * @example
    * ```typescript
    * import { drivers } from "sonamu/storage";
    *
    * storage: {
-   *   default: process.env.DRIVE_DISK ?? "fs",
    *   drivers: {
    *     fs: drivers.fs({ location: "./uploads", urlBuilder: { ... } }),
    *     s3: drivers.s3({ bucket: "my-bucket", region: "ap-northeast-2", ... }),

package/src/api/sonamu.ts

@@ -5,13 +5,15 @@ import { type IncomingMessage, type Server, type ServerResponse } from "http";
 import os from "os";
 import path from "path";
 
-import { dispose as logtapeDispose } from "@logtape/logtape";
+import { dispose as logtapeDispose, getLogger } from "@logtape/logtape";
 import { type Auth, type BetterAuthOptions } from "better-auth";
 import { type FSWatcher } from "chokidar";
 import { type FastifyInstance, type FastifyReply, type FastifyRequest } from "fastify";
 import mime, { lookup as mimeLookup } from "mime-types";
 import { type ZodObject } from "zod";
 
+import { ingestAuditEvent } from "../auth/audit-log-ingestor";
+import { type AuditLogEvent } from "../auth/audit-log-proxy-types";
 import { BASE_FIELD_MAPPINGS } from "../auth/better-auth-entities";
 import { applyCacheHeaders, CachePresets } from "../cache-control/cache-control";
 import { type CacheControlConfig, type CacheControlRequest } from "../cache-control/types";
@@ -233,6 +235,15 @@ class SonamuClass {
       // 사용자 설정과 기본값을 merge
       const mergedFieldMappings = merge(BASE_FIELD_MAPPINGS, authConfig);
 
+      // auth.auditLog: true인 경우 dash() 플러그인 자동 주입
+      if (authConfig.auditLog) {
+        const { dash } = await import("@better-auth/infra");
+        const auditLogBasePath = "/api/audit-log";
+        const apiUrl = `${authConfig.baseURL}${auditLogBasePath}`;
+        const existingPlugins = mergedFieldMappings.plugins ?? [];
+        mergedFieldMappings.plugins = [...existingPlugins, dash({ apiUrl })];
+      }
+
       // better-auth 인스턴스 생성
       const { betterAuth } = await import("better-auth");
       const { sonamuKnexAdapter } = await import("../auth/knex-adapter");
@@ -314,6 +325,10 @@ class SonamuClass {
       await this.registerBetterAuth(server, options.auth);
     }
 
+    if (options.auth?.auditLog) {
+      this.registerAuditLogProxy(server);
+    }
+
     // API 라우팅 설정
     await this.withFastify(server, options.apiConfig, {
       enableSync: initOptions?.enableSync,
@@ -1259,6 +1274,20 @@ class SonamuClass {
       handler: async (request, reply) => {
         const url = new URL(request.url, `http://${request.headers.host}`);
         const headers = convertFastifyHeadersToStandard(request.headers);
+
+        // IP 헤더 fallback: 프록시가 표준 IP 헤더를 주입하지 않는 환경에서도
+        // better-auth/infra의 getClientIpFromRequest()가 IP를 인식할 수 있도록
+        // Fastify가 resolve한 request.ip를 x-real-ip로 주입한다.
+        const IP_HEADERS = [
+          "cf-connecting-ip",
+          "x-forwarded-for",
+          "x-real-ip",
+          "x-vercel-forwarded-for",
+        ];
+        if (request.ip && !IP_HEADERS.some((h) => headers.has(h))) {
+          headers.set("x-real-ip", request.ip);
+        }
+
         const req = new Request(url.toString(), {
           method: request.method,
           headers,
@@ -1276,6 +1305,38 @@ class SonamuClass {
     });
   }
 
+  private registerAuditLogProxy(server: FastifyInstance) {
+    const logger = getLogger(["sonamu", "audit-log"]);
+    const basePath = "/api/audit-log";
+
+    server.route<{ Body: AuditLogEvent }>({
+      method: "POST",
+      url: `${basePath}/events/track`,
+      handler: async (request, reply) => {
+        const event = request.body;
+
+        logger.info(
+          "Audit event received: {eventType} {eventKey} {eventDisplayName} from {ipAddress} ({country})",
+          {
+            eventType: event.eventType,
+            eventKey: event.eventKey,
+            eventDisplayName: event.eventDisplayName,
+            ipAddress: event.ipAddress,
+            country: event.country,
+          },
+        );
+
+        try {
+          await ingestAuditEvent(DB.getDB("w"), event);
+        } catch (err) {
+          logger.error("audit event ingest failed: {error}", { error: err });
+        }
+
+        return reply.status(200).send({ ok: true });
+      },
+    });
+  }
+
   private async printStartupSummary() {
     const chalk = (await import("chalk")).default;
     const env = process.env.NODE_ENV ?? "development";
@@ -1311,6 +1372,9 @@ class SonamuClass {
       const basePath = this.config.server.auth.basePath ?? "/api/auth";
       dim(`Auth: better-auth at ${basePath}/*`);
     }
+    if (this.config.server.auth?.auditLog) {
+      dim(`AuditLog: proxy at /api/audit-log/events/track`);
+    }
     if (this.config.api.timezone) {
       dim(`Timezone: ${this.config.api.timezone}`);
     }

package/src/auth/audit-log-ingestor.ts

@@ -0,0 +1,234 @@
+import { createHash } from "node:crypto";
+
+import { type Knex } from "knex";
+
+import { type AuditLogEvent } from "./audit-log-proxy-types";
+
+const AUDIT_EVENT_SOURCE = "better_auth";
+const AUDIT_EVENT_SOURCE_VERSION = "better-auth|@better-auth/infra";
+
+const SESSION_EVENT_TYPES = new Set<string>([
+  "user_signed_in",
+  "user_signed_out",
+  "user_sign_in_failed",
+  "session_created",
+  "session_revoked",
+  "all_sessions_revoked",
+  "user_impersonated",
+  "user_impersonated_stopped",
+]);
+
+const ACCOUNT_EVENT_TYPES = new Set<string>([
+  "account_linked",
+  "account_unlinked",
+  "password_changed",
+
+  // @better-auth/infra@0.1.14 기준 EVENT_TYPES 상수에는 정의되어 있으나 실제 trackEvent() 호출이 없는 미구현 이벤트임
+  // 향후 버전에서 emit될 경우를 대비해 account로 임시 등록
+  "two_factor_enabled",
+  "two_factor_disabled",
+  "two_factor_verified",
+]);
+
+const VERIFICATION_EVENT_TYPES = new Set<string>([
+  "email_verification_sent",
+  "password_reset_requested",
+  "password_reset_completed",
+]);
+
+const SECURITY_EVENT_TYPES = new Set<string>([
+  "security_blocked",
+  "security_allowed",
+  "security_challenged",
+  "security_stale_account",
+]);
+
+const USER_EVENT_TYPES = new Set<string>([
+  "user_created",
+  "profile_updated",
+  "profile_image_updated",
+  "email_verified",
+  "email_changed",
+  "user_banned",
+  "user_unbanned",
+  "user_deleted",
+]);
+
+function pickString(source: Record<string, unknown>, key: string): string | null {
+  const value = source[key];
+  return typeof value === "string" ? value : null;
+}
+
+function pickFirstString(source: Record<string, unknown>, keys: readonly string[]): string | null {
+  for (const key of keys) {
+    const value = pickString(source, key);
+    if (value !== null) {
+      return value;
+    }
+  }
+  return null;
+}
+
+function parseOccurredAt(raw: unknown): Date {
+  if (raw instanceof Date && !Number.isNaN(raw.getTime())) {
+    return raw;
+  }
+  if (typeof raw === "string") {
+    const parsed = new Date(raw);
+    if (!Number.isNaN(parsed.getTime())) {
+      return parsed;
+    }
+  }
+  return new Date();
+}
+
+function classifyCategory(
+  eventType: string,
+): "user" | "session" | "account" | "verification" | "organization" | "security" {
+  if (eventType.startsWith("organization_")) {
+    return "organization";
+  }
+  if (SESSION_EVENT_TYPES.has(eventType)) {
+    return "session";
+  }
+  if (ACCOUNT_EVENT_TYPES.has(eventType)) {
+    return "account";
+  }
+  if (VERIFICATION_EVENT_TYPES.has(eventType)) {
+    return "verification";
+  }
+  if (SECURITY_EVENT_TYPES.has(eventType)) {
+    return "security";
+  }
+  if (USER_EVENT_TYPES.has(eventType)) {
+    return "user";
+  }
+  return "user";
+}
+
+function computeDedupeKey(parts: {
+  source: string;
+  event_type: string;
+  event_key: string;
+  actor_user_id: string | null;
+  subject_user_id: string | null;
+  organization_id: string | null;
+  team_id: string | null;
+  session_id: string | null;
+  identifier: string | null;
+  reason: string | null;
+  action: string | null;
+  occurred_at: Date;
+}): string {
+  const norm = (v: string | null): string => v ?? "";
+  const raw = [
+    parts.source,
+    parts.event_type,
+    parts.event_key,
+    norm(parts.actor_user_id),
+    norm(parts.subject_user_id),
+    norm(parts.organization_id),
+    norm(parts.team_id),
+    norm(parts.session_id),
+    norm(parts.identifier),
+    norm(parts.reason),
+    norm(parts.action),
+    parts.occurred_at.toISOString(),
+  ].join("|");
+  return createHash("sha256").update(raw).digest("hex");
+}
+
+/**
+ * Better Auth dash() 이벤트를 audit_events 테이블에 적재합니다.
+ * ON CONFLICT (dedupe_key) DO NOTHING으로 중복을 silent 무시합니다.
+ * auth.auditLog: true 설정 시 sonamu 내부에서 자동으로 호출됩니다.
+ */
+export async function ingestAuditEvent(db: Knex, event: AuditLogEvent): Promise<void> {
+  const eventData = event.eventData;
+  const occurred_at = parseOccurredAt(eventData["occurredAt"]);
+
+  const actor_user_id = pickString(eventData, "triggeredBy");
+  const subject_user_id = pickFirstString(eventData, [
+    "userId",
+    "userid",
+    "acceptedById",
+    "rejectedById",
+  ]);
+  const organization_id = pickString(eventData, "organizationId");
+  const team_id = pickFirstString(eventData, ["teamId", "inviteeTeamId"]);
+  const session_id = pickString(eventData, "sessionId");
+  const provider_id = pickString(eventData, "providerId");
+  const login_method = pickString(eventData, "loginMethod");
+  const identifier = pickFirstString(eventData, [
+    "identifier",
+    "userEmail",
+    "memberEmail",
+    "inviteeEmail",
+    "acceptedByEmail",
+    "rejectedByEmail",
+  ]);
+  const visitor_id = pickString(eventData, "visitorId");
+  const reason = pickFirstString(eventData, ["reason", "banReason"]);
+  const action = pickString(eventData, "action");
+  const trigger_context = pickString(eventData, "triggerContext");
+  const user_agent = pickString(eventData, "userAgent");
+
+  const ip_address = event.ipAddress ?? null;
+  const city = event.city ?? null;
+  const country = event.country ?? null;
+  const country_code = event.countryCode ?? null;
+
+  const category = classifyCategory(event.eventType);
+  const dedupe_key = computeDedupeKey({
+    source: AUDIT_EVENT_SOURCE,
+    event_type: event.eventType,
+    event_key: event.eventKey,
+    actor_user_id,
+    subject_user_id,
+    organization_id,
+    team_id,
+    session_id,
+    identifier,
+    reason,
+    action,
+    occurred_at,
+  });
+
+  // ON CONFLICT DO NOTHING: dedupe_key UNIQUE 위반을 silent 무시.
+  // try/catch 방식은 PG 커넥션을 aborted 상태로 만드므로 사용하지 않는다.
+  const inserted = await db("audit_events")
+    .insert({
+      source: AUDIT_EVENT_SOURCE,
+      source_version: AUDIT_EVENT_SOURCE_VERSION,
+      category,
+      event_type: event.eventType,
+      event_key: event.eventKey,
+      dedupe_key,
+      actor_user_id,
+      subject_user_id,
+      organization_id,
+      team_id,
+      session_id,
+      provider_id,
+      login_method,
+      identifier,
+      visitor_id,
+      reason,
+      action,
+      trigger_context,
+      ip_address,
+      country_code,
+      country,
+      city,
+      user_agent,
+      payload_json: eventData,
+      occurred_at,
+    })
+    .onConflict("dedupe_key")
+    .ignore()
+    .returning("dedupe_key");
+
+  if (inserted.length === 0) {
+    return; // silent dedupe
+  }
+}

package/src/auth/audit-log-proxy-types.ts

@@ -0,0 +1,23 @@
+/**
+ * Better Auth dash() 플러그인이 POST ${apiUrl}/events/track으로 전송하는 이벤트 body 타입
+ */
+export type AuditLogEvent = {
+  eventType: string;
+  eventData: Record<string, unknown>;
+  eventKey: string;
+  eventDisplayName?: string;
+  ipAddress?: string;
+  city?: string;
+  country?: string;
+  countryCode?: string;
+};
+
+/**
+ * AuditLog 프록시 옵션
+ */
+export type AuditLogProxyOptions = {
+  /** 프록시 base path (기본값: "/api/audit-log") */
+  basePath?: string;
+  /** 이벤트 수신 시 콜백 (향후 DB 적재 확장 포인트) */
+  onEvent?: (event: AuditLogEvent) => void | Promise<void>;
+};

package/src/auth/index.ts

@@ -1,5 +1,6 @@
 export type { GenerateBetterAuthEntitiesOptions } from "./auth-generator";
 export { generateBetterAuthEntities } from "./auth-generator";
+export { ingestAuditEvent } from "./audit-log-ingestor";
 export { BASE_FIELD_MAPPINGS, betterAuthV1 } from "./better-auth-entities";
 export { sonamuKnexAdapter } from "./knex-adapter";
 

package/src/auth/plugins/entity-definitions/audit-log.ts

@@ -0,0 +1,171 @@
+import { type BetterAuthEntityDef } from "./types";
+
+/**
+ * better-auth AuditLog 플러그인 엔티티 정의
+ *
+ * auth.auditLog: true 로 활성화되며 audit_events 테이블을 생성합니다.
+ * - Better Auth dash() 플러그인이 전송하는 이벤트를 1건씩 적재합니다.
+ * - dedupe_key(sha256 hex)로 중복 적재를 방지합니다.
+ *
+ * 생성 방법: pnpm sonamu auth generate --plugins audit-log
+ */
+export const auditLogEntityDef: BetterAuthEntityDef = {
+  id: "audit-log",
+  name: "AuditLog",
+  entities: [
+    {
+      id: "AuditEvent",
+      table: "audit_events",
+      title: "감사이벤트",
+      props: [
+        { name: "id", type: "integer", desc: "ID" },
+        { name: "source", type: "string", length: 32, desc: "이벤트 소스" },
+        { name: "source_version", type: "string", length: 96, nullable: true, desc: "소스 버전" },
+        { name: "category", type: "enum", id: "AuditEventCategory", desc: "카테고리" },
+        { name: "event_type", type: "string", length: 64, desc: "이벤트 타입" },
+        { name: "event_key", type: "string", length: 191, desc: "이벤트 키" },
+        { name: "dedupe_key", type: "string", length: 64, desc: "중복 제거 키" },
+        {
+          name: "actor_user_id",
+          type: "string",
+          length: 191,
+          nullable: true,
+          desc: "액터 사용자 ID",
+        },
+        {
+          name: "subject_user_id",
+          type: "string",
+          length: 191,
+          nullable: true,
+          desc: "대상 사용자 ID",
+        },
+        {
+          name: "organization_id",
+          type: "string",
+          length: 191,
+          nullable: true,
+          desc: "조직 ID",
+        },
+        { name: "team_id", type: "string", length: 191, nullable: true, desc: "팀 ID" },
+        { name: "session_id", type: "string", length: 191, nullable: true, desc: "세션 ID" },
+        { name: "provider_id", type: "string", length: 64, nullable: true, desc: "프로바이더 ID" },
+        { name: "login_method", type: "string", length: 64, nullable: true, desc: "로그인 방식" },
+        { name: "identifier", type: "string", length: 255, nullable: true, desc: "식별자" },
+        { name: "visitor_id", type: "string", length: 191, nullable: true, desc: "방문자 ID" },
+        { name: "reason", type: "string", length: 128, nullable: true, desc: "사유" },
+        { name: "action", type: "string", length: 64, nullable: true, desc: "액션" },
+        {
+          name: "trigger_context",
+          type: "string",
+          length: 64,
+          nullable: true,
+          desc: "트리거 컨텍스트",
+        },
+        { name: "ip_address", type: "string", length: 45, nullable: true, desc: "IP 주소" },
+        { name: "country_code", type: "string", length: 8, nullable: true, desc: "국가 코드" },
+        { name: "country", type: "string", length: 100, nullable: true, desc: "국가" },
+        { name: "city", type: "string", length: 100, nullable: true, desc: "도시" },
+        { name: "user_agent", type: "string", nullable: true, desc: "User-Agent" },
+        { name: "payload_json", type: "json", id: "AuditEventPayload", desc: "원본 payload" },
+        { name: "occurred_at", type: "date", desc: "발생 시각" },
+        {
+          name: "ingested_at",
+          type: "date",
+          dbDefault: "CURRENT_TIMESTAMP",
+          desc: "적재 시각",
+        },
+      ],
+      indexes: [
+        {
+          type: "unique",
+          name: "audit_events_dedupe_key_unique",
+          columns: [{ name: "dedupe_key" }],
+        },
+        {
+          type: "index",
+          name: "audit_events_occurred_at_index",
+          columns: [{ name: "occurred_at" }],
+        },
+        {
+          type: "index",
+          name: "audit_events_event_type_occurred_at_index",
+          columns: [{ name: "event_type" }, { name: "occurred_at" }],
+        },
+        {
+          type: "index",
+          name: "audit_events_subject_user_id_occurred_at_index",
+          columns: [{ name: "subject_user_id" }, { name: "occurred_at" }],
+        },
+        {
+          type: "index",
+          name: "audit_events_actor_user_id_occurred_at_index",
+          columns: [{ name: "actor_user_id" }, { name: "occurred_at" }],
+        },
+        {
+          type: "index",
+          name: "audit_events_organization_id_occurred_at_index",
+          columns: [{ name: "organization_id" }, { name: "occurred_at" }],
+        },
+        {
+          type: "index",
+          name: "audit_events_team_id_occurred_at_index",
+          columns: [{ name: "team_id" }, { name: "occurred_at" }],
+        },
+        {
+          type: "index",
+          name: "audit_events_session_id_index",
+          columns: [{ name: "session_id" }],
+        },
+        {
+          type: "index",
+          name: "audit_events_reason_occurred_at_index",
+          columns: [{ name: "reason" }, { name: "occurred_at" }],
+        },
+      ],
+      subsets: {
+        A: [
+          "id",
+          "source",
+          "source_version",
+          "category",
+          "event_type",
+          "event_key",
+          "dedupe_key",
+          "actor_user_id",
+          "subject_user_id",
+          "organization_id",
+          "team_id",
+          "session_id",
+          "provider_id",
+          "login_method",
+          "identifier",
+          "visitor_id",
+          "reason",
+          "action",
+          "trigger_context",
+          "ip_address",
+          "country_code",
+          "country",
+          "city",
+          "user_agent",
+          "payload_json",
+          "occurred_at",
+          "ingested_at",
+        ],
+      },
+      enums: {
+        AuditEventOrderBy: { "id-desc": "ID최신순" },
+        AuditEventSearchField: { id: "ID" },
+        AuditEventCategory: {
+          user: "사용자",
+          session: "세션",
+          account: "계정",
+          verification: "인증",
+          organization: "조직",
+          security: "보안",
+        },
+      },
+    },
+  ],
+  additionalProps: {},
+};

package/src/auth/plugins/entity-definitions/index.ts

@@ -1,6 +1,7 @@
 export { adminEntityDef } from "./admin";
 export { anonymousEntityDef } from "./anonymous";
 export { apiKeyEntityDef } from "./api-key";
+export { auditLogEntityDef } from "./audit-log";
 export { jwtEntityDef } from "./jwt";
 export { organizationEntityDef } from "./organization";
 export { passkeyEntityDef } from "./passkey";
@@ -13,6 +14,7 @@ export { usernameEntityDef } from "./username";
 import { adminEntityDef } from "./admin";
 import { anonymousEntityDef } from "./anonymous";
 import { apiKeyEntityDef } from "./api-key";
+import { auditLogEntityDef } from "./audit-log";
 import { jwtEntityDef } from "./jwt";
 import { organizationEntityDef } from "./organization";
 import { passkeyEntityDef } from "./passkey";
@@ -37,6 +39,7 @@ export const ENTITY_DEFINITIONS: Record<BetterAuthPluginId, BetterAuthEntityDef>
   "api-key": apiKeyEntityDef,
   jwt: jwtEntityDef,
   anonymous: anonymousEntityDef,
+  "audit-log": auditLogEntityDef,
 };
 
 /**

package/src/auth/plugins/entity-definitions/types.ts

@@ -14,7 +14,8 @@ export type BetterAuthPluginId =
   | "organization"
   | "api-key"
   | "jwt"
-  | "anonymous";
+  | "anonymous"
+  | "audit-log";
 
 /**
  * better-auth 엔티티 정의