feat(audit): wider coverage — sensitive views, cron, jobs, portal abuse

Builds on the audit infra split (severity/source) by emitting events from every place a security or operations review would want to see: Sensitive data views (severity=warning): - GDPR export download URL issued - Audit log page opened (watch-the-watchers; first page only) - CSV export of expenses - Webhook secret regenerated Authentication abuse (severity=warning, source=auth): - Portal sign-in: success + failed-credentials + portal-disabled - Portal password reset: unknown email + portal-disabled + bad token - Portal activation: bad/expired token Inbound webhook hardening: - Documenso webhook with invalid X-Documenso-Secret now writes webhook_failed instead of being silently logged Background work (source=cron / job): - New attachWorkerAudit() helper wires every BullMQ worker to emit job_failed (severity=error) on .on('failed') and cron_run on .on('completed') for any job whose name matches the recurring scheduler list. Applied across all 10 workers. 1175/1175 vitest passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 20:44:38 +02:00
parent d2171ea79b
commit 9890d065f8
17 changed files with 261 additions and 0 deletions
--- a/src/app/api/v1/admin/audit/route.ts
+++ b/src/app/api/v1/admin/audit/route.ts
@@ -8,6 +8,7 @@ import { searchAuditLogs } from '@/lib/services/audit-search.service';
 import { db } from '@/lib/db';
 import { user } from '@/lib/db/schema/users';
 import { errorResponse } from '@/lib/errors';
+import { createAuditLog } from '@/lib/audit';

 const auditQuerySchema = z.object({
  limit: z.coerce.number().int().min(1).max(200).default(50),
@@ -67,6 +68,34 @@ export const GET = withAuth(
        actor: r.userId ? (userMap.get(r.userId) ?? null) : null,
      }));

+      // Watch-the-watchers: record that an operator opened the audit log
+      // page. Only fire on the first page (no cursor) so paginating
+      // through doesn't spam the log; use 'view' at warning severity so
+      // the entry stands out in the inspector.
+      if (!cursor) {
+        void createAuditLog({
+          userId: ctx.userId,
+          portId: ctx.portId,
+          action: 'view',
+          entityType: 'audit_log',
+          entityId: 'list',
+          metadata: {
+            filters: {
+              entityType: query.entityType,
+              action: query.action,
+              severity: query.severity,
+              source: query.source,
+              userId: query.userId,
+              entityId: query.entityId,
+              search: query.search,
+            },
+          },
+          ipAddress: ctx.ipAddress,
+          userAgent: ctx.userAgent,
+          severity: 'warning',
+        });
+      }
+
      return NextResponse.json({
        data,
        pagination: {