src/app/api/auth/%5B...all%5D/route.ts

import type { NextRequest } from 'next/server';
import { toNextJsHandler } from 'better-auth/next-js';

import { auth } from '@/lib/auth';
import { createAuditLog } from '@/lib/audit';
import { logger } from '@/lib/logger';

const upstream = toNextJsHandler(auth);

/**
 * Wrap better-auth's `[...all]` handler so we can stamp the audit log on
 * authentication events. Better-auth itself doesn't fire any callback we
 * can hook on sign-in / sign-out / failed-login — we inspect the route
 * + response status after the upstream handler finishes.
 *
 *   Successful sign-in   → action 'login'  (severity info)
 *   Failed sign-in       → action 'login'  (severity warning, ok=false)
 *   Sign-out             → action 'logout' (userId resolved before cookie
 *                                            is cleared)
 *
 * Audit writes are fire-and-forget (createAuditLog never throws).
 */

interface AuthBody {
  user?: { id?: string; email?: string };
  id?: string;
  email?: string;
}

function clientMeta(req: NextRequest): { ipAddress: string; userAgent: string } {
  const ip =
    req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? req.headers.get('x-real-ip') ?? '';
  return { ipAddress: ip, userAgent: req.headers.get('user-agent') ?? '' };
}

function logSignIn(args: {
  req: NextRequest;
  responseBody: string;
  status: number;
  attemptedEmail: string | null;
}) {
  const meta = clientMeta(args.req);
  let parsed: AuthBody | null = null;
  try {
    parsed = JSON.parse(args.responseBody) as AuthBody;
  } catch {
    /* upstream returned non-JSON */
  }
  const userId = parsed?.user?.id ?? parsed?.id ?? null;
  const email = parsed?.user?.email ?? parsed?.email ?? args.attemptedEmail ?? null;
  const ok = args.status >= 200 && args.status < 300;

  // entityId is text/unbounded but indexed; truncate the attempted-
  // email fallback to keep the row predictably sized when the form
  // sends a giant value. The audit metadata still carries the full
  // original attempted email for forensic context.
  const safeAttempted = (args.attemptedEmail ?? '').slice(0, 256);
  void createAuditLog({
    userId,
    portId: null,
    action: 'login',
    entityType: 'session',
    entityId: userId ?? safeAttempted ?? 'unknown',
    metadata: {
      ok,
      status: args.status,
      attemptedEmail: args.attemptedEmail ?? email ?? null,
    },
    ipAddress: meta.ipAddress,
    userAgent: meta.userAgent,
    severity: ok ? 'info' : 'warning',
    source: 'auth',
  });
}

async function logSignOut(req: NextRequest) {
  const meta = clientMeta(req);
  let userId: string | null = null;
  try {
    const session = await auth.api.getSession({ headers: req.headers });
    userId = session?.user?.id ?? null;
  } catch {
    /* unauthenticated or expired */
  }

  void createAuditLog({
    userId,
    portId: null,
    action: 'logout',
    entityType: 'session',
    entityId: userId ?? 'unknown',
    metadata: {},
    ipAddress: meta.ipAddress,
    userAgent: meta.userAgent,
    severity: 'info',
    source: 'auth',
  });
}

async function withAuthAudit(req: NextRequest): Promise<Response> {
  const url = new URL(req.url);
  const path = url.pathname;
  const isSignIn = path.endsWith('/sign-in/email') || path.endsWith('/sign-in');
  const isSignOut = path.endsWith('/sign-out');

  // Read the request body BEFORE forwarding so we can extract the
  // attempted email even when the credentials are wrong (the upstream
  // handler will consume the body stream and we can't read it twice).
  let attemptedEmail: string | null = null;
  let forwardReq: NextRequest = req;
  if (isSignIn && req.method === 'POST') {
    try {
      const raw = await req.text();
      try {
        attemptedEmail = (JSON.parse(raw) as { email?: string }).email ?? null;
      } catch {
        /* form-encoded or non-JSON */
      }
      // Reconstruct a fresh Request so the upstream handler can read it.
      forwardReq = new Request(req.url, {
        method: req.method,
        headers: req.headers,
        body: raw,
      }) as unknown as NextRequest;
    } catch (err) {
      logger.warn({ err }, 'Failed to read sign-in body for audit');
    }
  }

  // Capture sign-out userId BEFORE the upstream handler clears the cookie.
  const signOutPromise = isSignOut ? logSignOut(req) : null;

  const res = await upstream.POST(forwardReq);

  if (isSignIn) {
    try {
      const body = await res.clone().text();
      logSignIn({ req, responseBody: body, status: res.status, attemptedEmail });
    } catch (err) {
      logger.warn({ err }, 'Failed to capture sign-in response for audit');
    }
  }
  if (signOutPromise) void signOutPromise;

  return res;
}

export const GET = upstream.GET;
export async function POST(req: NextRequest): Promise<Response> {
  return withAuthAudit(req);
}
feat(audit): comprehensive logging — auth events, severity, source, IP Audit log was previously silent on authentication and on background work. This wires: - Login (success + failed) and logout via a wrapper around better-auth's [...all] handler. Failed logins are severity 'warning' and carry the attempted email so brute-force attempts surface in the inspector. - New severity (info\|warning\|error\|critical) and source (user\|auth\| system\|webhook\|cron\|job) columns on audit_logs. permission_denied defaults to 'warning', hard_delete to 'critical'. - Webhook delivery success/failure/DLQ/retry now write audit rows alongside the webhook_deliveries detail table. - IP address is now visible as a column in the inspector (was already captured at the helper level). - Audit UI: severity badges per row, severity + source dropdowns, IP column, expanded action filter covering hard-delete, webhook events, job/cron events. Migration 0044 adds the two columns + their port-scoped indexes. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-06 20:35:34 +02:00			`import type { NextRequest } from 'next/server';`
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:51 +01:00			`import { toNextJsHandler } from 'better-auth/next-js';`

feat(audit): comprehensive logging — auth events, severity, source, IP Audit log was previously silent on authentication and on background work. This wires: - Login (success + failed) and logout via a wrapper around better-auth's [...all] handler. Failed logins are severity 'warning' and carry the attempted email so brute-force attempts surface in the inspector. - New severity (info\|warning\|error\|critical) and source (user\|auth\| system\|webhook\|cron\|job) columns on audit_logs. permission_denied defaults to 'warning', hard_delete to 'critical'. - Webhook delivery success/failure/DLQ/retry now write audit rows alongside the webhook_deliveries detail table. - IP address is now visible as a column in the inspector (was already captured at the helper level). - Audit UI: severity badges per row, severity + source dropdowns, IP column, expanded action filter covering hard-delete, webhook events, job/cron events. Migration 0044 adds the two columns + their port-scoped indexes. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-06 20:35:34 +02:00			`import { auth } from '@/lib/auth';`
			`import { createAuditLog } from '@/lib/audit';`
			`import { logger } from '@/lib/logger';`

			`const upstream = toNextJsHandler(auth);`

			`/**`
			* Wrap better-auth's `[...all]` handler so we can stamp the audit log on
			`* authentication events. Better-auth itself doesn't fire any callback we`
			`* can hook on sign-in / sign-out / failed-login — we inspect the route`
			`* + response status after the upstream handler finishes.`
			`*`
			`* Successful sign-in → action 'login' (severity info)`
			`* Failed sign-in → action 'login' (severity warning, ok=false)`
			`* Sign-out → action 'logout' (userId resolved before cookie`
			`* is cleared)`
			`*`
			`* Audit writes are fire-and-forget (createAuditLog never throws).`
			`*/`

			`interface AuthBody {`
			`user?: { id?: string; email?: string };`
			`id?: string;`
			`email?: string;`
			`}`

			`function clientMeta(req: NextRequest): { ipAddress: string; userAgent: string } {`
			`const ip =`
			`req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? req.headers.get('x-real-ip') ?? '';`
			`return { ipAddress: ip, userAgent: req.headers.get('user-agent') ?? '' };`
			`}`

			`function logSignIn(args: {`
			`req: NextRequest;`
			`responseBody: string;`
			`status: number;`
			`attemptedEmail: string \| null;`
			`}) {`
			`const meta = clientMeta(args.req);`
			`let parsed: AuthBody \| null = null;`
			`try {`
			`parsed = JSON.parse(args.responseBody) as AuthBody;`
			`} catch {`
			`/* upstream returned non-JSON */`
			`}`
			`const userId = parsed?.user?.id ?? parsed?.id ?? null;`
			`const email = parsed?.user?.email ?? parsed?.email ?? args.attemptedEmail ?? null;`
			`const ok = args.status >= 200 && args.status < 300;`

fix(audit): LOWs sweep — truncate auth entityId, fix legacy berthId in seed-data L3: failed-login audit's entityId could carry an unbounded attempted-email value (the form lets you type anything). Truncate to 256 chars before using as entityId; full original still in metadata for forensic context. L2: seed-data.ts (the realistic fixture) inserted interests with berthId — that column was dropped in migration 0029 and the realistic seed would fail at insert on a fresh DB. Now inserts via the interestBerths junction (mirrors the synthetic seed's pattern). L1 (no-op): next-in-line notification already gets the 5-min cooldownMs default from createNotification, so retries are idempotent without extra code. Verified. L5 (no-op): import worker comment already explains the stub state adequately; no code change. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-06 22:40:35 +02:00			`// entityId is text/unbounded but indexed; truncate the attempted-`
			`// email fallback to keep the row predictably sized when the form`
			`// sends a giant value. The audit metadata still carries the full`
			`// original attempted email for forensic context.`
			`const safeAttempted = (args.attemptedEmail ?? '').slice(0, 256);`
feat(audit): comprehensive logging — auth events, severity, source, IP Audit log was previously silent on authentication and on background work. This wires: - Login (success + failed) and logout via a wrapper around better-auth's [...all] handler. Failed logins are severity 'warning' and carry the attempted email so brute-force attempts surface in the inspector. - New severity (info\|warning\|error\|critical) and source (user\|auth\| system\|webhook\|cron\|job) columns on audit_logs. permission_denied defaults to 'warning', hard_delete to 'critical'. - Webhook delivery success/failure/DLQ/retry now write audit rows alongside the webhook_deliveries detail table. - IP address is now visible as a column in the inspector (was already captured at the helper level). - Audit UI: severity badges per row, severity + source dropdowns, IP column, expanded action filter covering hard-delete, webhook events, job/cron events. Migration 0044 adds the two columns + their port-scoped indexes. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-06 20:35:34 +02:00			`void createAuditLog({`
			`userId,`
			`portId: null,`
			`action: 'login',`
			`entityType: 'session',`
fix(audit): LOWs sweep — truncate auth entityId, fix legacy berthId in seed-data L3: failed-login audit's entityId could carry an unbounded attempted-email value (the form lets you type anything). Truncate to 256 chars before using as entityId; full original still in metadata for forensic context. L2: seed-data.ts (the realistic fixture) inserted interests with berthId — that column was dropped in migration 0029 and the realistic seed would fail at insert on a fresh DB. Now inserts via the interestBerths junction (mirrors the synthetic seed's pattern). L1 (no-op): next-in-line notification already gets the 5-min cooldownMs default from createNotification, so retries are idempotent without extra code. Verified. L5 (no-op): import worker comment already explains the stub state adequately; no code change. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-06 22:40:35 +02:00			`entityId: userId ?? safeAttempted ?? 'unknown',`
feat(audit): comprehensive logging — auth events, severity, source, IP Audit log was previously silent on authentication and on background work. This wires: - Login (success + failed) and logout via a wrapper around better-auth's [...all] handler. Failed logins are severity 'warning' and carry the attempted email so brute-force attempts surface in the inspector. - New severity (info\|warning\|error\|critical) and source (user\|auth\| system\|webhook\|cron\|job) columns on audit_logs. permission_denied defaults to 'warning', hard_delete to 'critical'. - Webhook delivery success/failure/DLQ/retry now write audit rows alongside the webhook_deliveries detail table. - IP address is now visible as a column in the inspector (was already captured at the helper level). - Audit UI: severity badges per row, severity + source dropdowns, IP column, expanded action filter covering hard-delete, webhook events, job/cron events. Migration 0044 adds the two columns + their port-scoped indexes. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-06 20:35:34 +02:00			`metadata: {`
			`ok,`
			`status: args.status,`
			`attemptedEmail: args.attemptedEmail ?? email ?? null,`
			`},`
			`ipAddress: meta.ipAddress,`
			`userAgent: meta.userAgent,`
			`severity: ok ? 'info' : 'warning',`
			`source: 'auth',`
			`});`
			`}`

			`async function logSignOut(req: NextRequest) {`
			`const meta = clientMeta(req);`
			`let userId: string \| null = null;`
			`try {`
			`const session = await auth.api.getSession({ headers: req.headers });`
			`userId = session?.user?.id ?? null;`
			`} catch {`
			`/* unauthenticated or expired */`
			`}`

			`void createAuditLog({`
			`userId,`
			`portId: null,`
			`action: 'logout',`
			`entityType: 'session',`
			`entityId: userId ?? 'unknown',`
			`metadata: {},`
			`ipAddress: meta.ipAddress,`
			`userAgent: meta.userAgent,`
			`severity: 'info',`
			`source: 'auth',`
			`});`
			`}`

			`async function withAuthAudit(req: NextRequest): Promise<Response> {`
			`const url = new URL(req.url);`
			`const path = url.pathname;`
			`const isSignIn = path.endsWith('/sign-in/email') \|\| path.endsWith('/sign-in');`
			`const isSignOut = path.endsWith('/sign-out');`

			`// Read the request body BEFORE forwarding so we can extract the`
			`// attempted email even when the credentials are wrong (the upstream`
			`// handler will consume the body stream and we can't read it twice).`
			`let attemptedEmail: string \| null = null;`
			`let forwardReq: NextRequest = req;`
			`if (isSignIn && req.method === 'POST') {`
			`try {`
			`const raw = await req.text();`
			`try {`
			`attemptedEmail = (JSON.parse(raw) as { email?: string }).email ?? null;`
			`} catch {`
			`/* form-encoded or non-JSON */`
			`}`
			`// Reconstruct a fresh Request so the upstream handler can read it.`
			`forwardReq = new Request(req.url, {`
			`method: req.method,`
			`headers: req.headers,`
			`body: raw,`
			`}) as unknown as NextRequest;`
			`} catch (err) {`
			`logger.warn({ err }, 'Failed to read sign-in body for audit');`
			`}`
			`}`

			`// Capture sign-out userId BEFORE the upstream handler clears the cookie.`
			`const signOutPromise = isSignOut ? logSignOut(req) : null;`

			`const res = await upstream.POST(forwardReq);`

			`if (isSignIn) {`
			`try {`
			`const body = await res.clone().text();`
			`logSignIn({ req, responseBody: body, status: res.status, attemptedEmail });`
			`} catch (err) {`
			`logger.warn({ err }, 'Failed to capture sign-in response for audit');`
			`}`
			`}`
			`if (signOutPromise) void signOutPromise;`

			`return res;`
			`}`

			`export const GET = upstream.GET;`
			`export async function POST(req: NextRequest): Promise<Response> {`
			`return withAuthAudit(req);`
			`}`