Implement auditing functionality with history tracking and agent reference in the Audits module

Author: tacxou

src/_common/plugins/mongoose/history.plugin.ts

@@ -0,0 +1,180 @@
+import microdiff, { Difference } from "microdiff"
+import { Query, Schema, Model, Document, Types } from 'mongoose'
+import { Audits } from '~/core/audits/_schemas/audits.schema'
+import * as _ from 'radash'
+import { RequestContext } from "nestjs-request-context"
+import { Logger } from "@nestjs/common"
+
+export const HISTORY_PLUGIN_BEFORE_KEY = '_auditBefore'
+
+export type ChangesType = Difference & {
+  type: "REMOVE" | "CHANGE" | "CREATE"
+  path: string
+  oldValue?: any
+  value?: any
+}
+
+export enum AuditOperation {
+  INSERT = 'insert',
+  UPDATE = 'update',
+  DELETE = 'delete',
+  REPLACE = 'replace',
+}
+
+type QueryResultType<T> = T extends Query<infer ResultType, any> ? ResultType : never;
+
+export interface HistoryPluginOptions {
+  /**
+   * The name of the MongoDB collection; defaults to the Mongoose model's collection name
+   */
+  collectionName: string
+
+  /**
+   * The Mongoose model name for audits; defaults to the Nest model name for Audits
+   */
+  auditsModelName?: string
+
+  /**
+   * Fields to ignore when determining if changes should be audited.
+   * If only these fields changed, the audit event will be skipped.
+   */
+  ignoredFields?: string[]
+}
+
+function detectChanges<T = Query<any, any>>(
+  before: QueryResultType<T> & { toObject?: Function },
+  after: QueryResultType<T> & { toObject?: Function },
+  options?: HistoryPluginOptions,
+): [boolean, ChangesType[]] {
+  before = before ?? {} as any
+  after = after ?? {} as any
+  const ignoredFields = options?.ignoredFields || []
+
+  const beforeForComparison = JSON.parse(JSON.stringify(
+    before?.toObject ? before.toObject() : before,
+  ))
+  const afterForComparison = JSON.parse(JSON.stringify(
+    after?.toObject ? after.toObject() : after,
+  ))
+
+  const diff = microdiff(beforeForComparison, afterForComparison)
+
+  const changes = diff.filter(change => {
+    // Deal with nested ignored fields
+    const key = change.path.join('.')
+    for (const ignoredField of ignoredFields) {
+      if (key === ignoredField || key.startsWith(ignoredField + '.')) {
+        return false
+      }
+    }
+    return true
+  }).map(change => {
+    return <ChangesType>{
+      ...change,
+      path: change.path.join('.'),
+    }
+  })
+  const hasChanged = changes.length > 0
+
+  return [hasChanged, changes]
+}
+
+function resolveAgent(): any {
+  const user = RequestContext.currentContext.req?.user
+
+  return {
+    $ref: user.$ref ?? 'System',
+    id: Types.ObjectId.createFromHexString(user._id ?? '000000000000000000000000'),
+    name: user.username ?? 'console',
+  }
+}
+
+export function historyPlugin(schema: Schema, options: HistoryPluginOptions) {
+  const defaultOptions = {
+    auditsModelName: Audits.name,
+    ignoredFields: ['metadata'],
+  }
+  const mergedOptions = {
+    ...defaultOptions,
+    ...options,
+    ignoredFields: [...(defaultOptions.ignoredFields || []), ...(options.ignoredFields || [])],
+  }
+
+  const logger = new Logger('HistoryPlugin')
+
+  schema.pre('save', async function () {
+    if (this.isNew) {
+      this.$locals[HISTORY_PLUGIN_BEFORE_KEY] = null
+      return
+    }
+
+    const before = await this.model().findById(this._id)
+    Logger.verbose(`Audit before state: ${JSON.stringify(before)}`)
+    this.$locals[HISTORY_PLUGIN_BEFORE_KEY] = before
+  })
+
+  schema.post('save', async function (after: Document | null) {
+    const before: Document | null = this.$locals[HISTORY_PLUGIN_BEFORE_KEY] as Document | null
+    console.log('post save fired', before)
+    const [hasChanged, changes] = detectChanges(before, after, mergedOptions)
+    logger.verbose(`Audit after state: ${JSON.stringify(after)}`)
+
+    if (!hasChanged) {
+      logger.debug(`No significant changes detected for ${mergedOptions.collectionName} ${after?._id ?? before?._id}, skipping audit log.`)
+      return
+    }
+
+    logger.log(`Creating audit log for ${mergedOptions.collectionName} ${after?._id ?? before?._id}`)
+    const agent = resolveAgent()
+    const AuditsModel: Model<any> = this.model(mergedOptions.auditsModelName!)
+    await AuditsModel.create({
+      coll: mergedOptions.collectionName,
+      documentId: after?._id ?? before?._id,
+      op: before ? AuditOperation.UPDATE : AuditOperation.INSERT,
+      agent,
+      data: after,
+      changes,
+      metadata: {
+        'metadata.createdBy': agent.name || 'anonymous',
+        'metadata.createdAt': new Date(),
+      },
+    })
+  })
+
+  schema.pre('findOneAndUpdate', { query: true, document: false }, async function () {
+    const before = await this.model.findOne(this.getFilter())
+    logger.verbose(`Audit before state: ${JSON.stringify(before)}`)
+    this.setOptions({ [HISTORY_PLUGIN_BEFORE_KEY]: before })
+  })
+
+  schema.post('findOneAndUpdate', async function (this: Query<any, any>, after: Document | null) {
+    const before: Document | null = this.getOptions()[HISTORY_PLUGIN_BEFORE_KEY]
+    const [hasChanged, changes] = detectChanges(before, after, mergedOptions)
+    logger.verbose(`Audit after state: ${JSON.stringify(after)}`)
+
+    if (!hasChanged) {
+      logger.debug(`No significant changes detected for ${mergedOptions.collectionName} ${after?._id ?? before?._id}, skipping audit log.`)
+      return
+    }
+
+    logger.log(`Creating audit log for ${mergedOptions.collectionName} ${after?._id ?? before?._id}`)
+    const agent = resolveAgent()
+    const AuditsModel: Model<any> = this.model.db.model(mergedOptions.auditsModelName!)
+    await AuditsModel.create({
+      coll: mergedOptions.collectionName,
+      documentId: after?._id ?? before?._id,
+      op: before ? AuditOperation.UPDATE : AuditOperation.INSERT,
+      agent,
+      data: after,
+      changes,
+      metadata: {
+        'metadata.createdBy': agent.name || 'anonymous',
+        'metadata.createdAt': new Date(),
+      },
+    })
+  })
+
+  schema.post('findOneAndDelete', async function (res: any) {
+    //TODO: handle delete
+  })
+}

src/core/audits/_schemas/_parts/agent.parts.schema.ts

@@ -0,0 +1,16 @@
+import { Prop, Schema, SchemaFactory } from '@nestjs/mongoose';
+import { Document, Types } from 'mongoose';
+
+@Schema({ _id: false })
+export class AgentPart extends Document {
+  @Prop({ type: String, required: true })
+  public $ref: string;
+
+  @Prop({ type: Types.ObjectId, required: true })
+  public id: Types.ObjectId;
+
+  @Prop({ type: String })
+  public name?: string;
+}
+
+export const AgentPartSchema = SchemaFactory.createForClass(AgentPart);

src/core/audits/_schemas/audits.schema.ts

@@ -0,0 +1,50 @@
+import { Prop, Schema, SchemaFactory } from '@nestjs/mongoose';
+import { Document, Types } from 'mongoose';
+import { AbstractSchema } from '~/_common/abstracts/schemas/abstract.schema';
+import { AgentPart, AgentPartSchema } from './_parts/agent.parts.schema';
+import { ChangesType } from '~/_common/plugins/mongoose/history.plugin';
+
+export enum AuditOperation {
+  INSERT = 'insert',
+  UPDATE = 'update',
+  DELETE = 'delete',
+  REPLACE = 'replace',
+}
+
+export type AuditsDocument = Audits & Document;
+
+@Schema({ versionKey: false, collection: 'audits' })
+export class Audits extends AbstractSchema {
+  @Prop({
+    type: String,
+    required: true,
+  })
+  public coll!: string;
+
+  @Prop({
+    type: Types.ObjectId,
+    required: true,
+  })
+  public documentId!: Types.ObjectId;
+
+  @Prop({
+    type: String,
+    required: true,
+    enum: AuditOperation,
+  })
+  public op!: 'insert' | 'update' | 'delete' | 'replace';
+
+  @Prop({
+    type: AgentPartSchema,
+    required: true,
+  })
+  public agent!: AgentPart;
+
+  @Prop({ type: Object })
+  public data?: Document;
+
+  @Prop({ type: Array, of: Object })
+  public changes?: ChangesType[];
+}
+
+export const AuditsSchema = SchemaFactory.createForClass(Audits);

src/core/audits/audits.controller.ts

@@ -0,0 +1,15 @@
+import { Controller } from '@nestjs/common';
+import { AbstractController } from '~/_common/abstracts/abstract.controller';
+import { ApiTags } from '@nestjs/swagger';
+import { PartialProjectionType } from '~/_common/types/partial-projection.type';
+import { AuditsService } from '~/core/audits/audits.service';
+
+@ApiTags('core/audits')
+@Controller('audits')
+export class AuditsController extends AbstractController {
+  protected static readonly projection: PartialProjectionType<any> = {};
+
+  public constructor(private readonly _service: AuditsService) {
+    super();
+  }
+}

src/core/audits/audits.module.ts

@@ -0,0 +1,20 @@
+import { Module } from '@nestjs/common';
+import { MongooseModule } from '@nestjs/mongoose';
+import { AuditsSchema, Audits } from '~/core/audits/_schemas/audits.schema';
+import { AuditsService } from './audits.service';
+import { AuditsController } from './audits.controller';
+
+@Module({
+  imports: [
+    MongooseModule.forFeatureAsync([
+      {
+        name: Audits.name,
+        useFactory: () => AuditsSchema,
+      },
+    ]),
+  ],
+  providers: [AuditsService],
+  controllers: [AuditsController],
+  exports: [AuditsService],
+})
+export class AuditsModule { }

src/core/audits/audits.service.ts

@@ -0,0 +1,12 @@
+import { Injectable } from '@nestjs/common';
+import { InjectModel } from '@nestjs/mongoose';
+import { Audits } from '~/core/audits/_schemas/audits.schema';
+import { Model } from 'mongoose';
+import { AbstractServiceSchema } from '~/_common/abstracts/abstract.service.schema';
+
+@Injectable()
+export class AuditsService extends AbstractServiceSchema {
+  constructor(@InjectModel(Audits.name) protected _model: Model<Audits>) {
+    super();
+  }
+}

src/core/auth/_strategies/jwt.strategy.ts

@@ -6,6 +6,8 @@ import { AuthService } from '../auth.service';
 import { Request } from 'express';
 import { AgentType } from '~/_common/types/agent.type';
 import { JwtPayload } from 'jsonwebtoken';
+import { Keyrings } from '~/core/keyrings/_schemas/keyrings.schema';
+import { Agents } from '~/core/agents/_schemas/agents.schema';
 
 @Injectable()
 export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
@@ -34,6 +36,11 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
     const user = await this.auth.verifyIdentity(payload);
 
     if (!user) return done(new ForbiddenException(), false);
-    return done(null, payload?.identity);
+    return done(null, {
+      $ref: !payload.scopes.includes('api')
+        ? Agents.name
+        : Keyrings.name,
+      ...payload?.identity,
+    });
   }
 }

src/core/core.module.ts

@@ -10,6 +10,7 @@ import { KeyringsModule } from './keyrings/keyrings.module';
 import { LoggerModule } from './logger/logger.module';
 import { TasksModule } from './tasks/tasks.module';
 import { FilestorageModule } from './filestorage/filestorage.module';
+import { AuditsModule } from './audits/audits.module';
 
 @Module({
   imports: [
@@ -21,6 +22,7 @@ import { FilestorageModule } from './filestorage/filestorage.module';
     JobsModule,
     TasksModule,
     FilestorageModule,
+    AuditsModule,
   ],
   providers: [CoreService],
   controllers: [CoreController],

src/management/identities/_schemas/identities.schema.ts

@@ -11,6 +11,7 @@ import { MixedValue } from '~/_common/types/mixed-value.type';
 import { AutoIncrementPlugin } from '~/_common/plugins/mongoose/auto-increment.plugin';
 import { AutoIncrementPluginOptions } from '~/_common/plugins/mongoose/auto-increment.interface';
 import { DataStatusEnum } from '~/management/identities/_enums/data-status';
+import { historyPlugin } from '~/_common/plugins/mongoose/history.plugin';
 
 export type IdentitiesDocument = Identities & Document;
 
@@ -70,6 +71,13 @@ export class Identities extends AbstractSchema {
 }
 
 export const IdentitiesSchema = SchemaFactory.createForClass(Identities)
+  .plugin(historyPlugin, {
+    collectionName: Identities.name,
+    ignoredFields: [
+      'lastSync',
+      'fingerprint',
+    ],
+  })
   .plugin(AutoIncrementPlugin, <AutoIncrementPluginOptions>{
     incrementBy: 1,
     field: 'inetOrgPerson.employeeNumber',