feat(security): add phase8 hardening with rate limits, audit logs, and auth-first simulator flow

2026-01-24 18:45:00 +00:00
parent 6d6c77f77e
commit f6d66c3650
11 changed files with 355 additions and 5 deletions
--- a/Backend/routes/audit.ts
+++ b/Backend/routes/audit.ts
@@ -0,0 +1,66 @@
+import { and, desc, eq } from 'drizzle-orm';
+import { Router } from 'express';
+import { z } from 'zod';
+
+import { db } from '../db/client';
+import { auditLogs } from '../db/schema';
+import { requireDeviceAuth } from '../middleware/device-auth';
+
+const router = Router();
+
+const querySchema = z.object({
+  limit: z.coerce.number().int().min(1).max(100).default(50),
+  action: z.string().optional(),
+});
+
+router.get('/me', requireDeviceAuth, async (req, res) => {
+  const parsed = querySchema.safeParse(req.query);
+
+  if (!parsed.success) {
+    res.status(400).json({ message: 'Invalid query params', errors: parsed.error.flatten() });
+    return;
+  }
+
+  const deviceAuth = req.deviceAuth;
+
+  if (!deviceAuth) {
+    res.status(401).json({ message: 'Unauthorized' });
+    return;
+  }
+
+  const result = await db.query.auditLogs.findMany({
+    where: eq(auditLogs.ownerUserId, deviceAuth.userId),
+    orderBy: [desc(auditLogs.createdAt)],
+    limit: parsed.data.limit,
+  });
+
+  const filtered = parsed.data.action ? result.filter((item) => item.action === parsed.data.action) : result;
+
+  res.json({ count: filtered.length, logs: filtered });
+});
+
+router.get('/device', requireDeviceAuth, async (req, res) => {
+  const parsed = querySchema.safeParse(req.query);
+
+  if (!parsed.success) {
+    res.status(400).json({ message: 'Invalid query params', errors: parsed.error.flatten() });
+    return;
+  }
+
+  const deviceAuth = req.deviceAuth;
+
+  if (!deviceAuth) {
+    res.status(401).json({ message: 'Unauthorized' });
+    return;
+  }
+
+  const result = await db.query.auditLogs.findMany({
+    where: and(eq(auditLogs.ownerUserId, deviceAuth.userId), eq(auditLogs.actorDeviceId, deviceAuth.deviceId)),
+    orderBy: [desc(auditLogs.createdAt)],
+    limit: parsed.data.limit,
+  });
+
+  res.json({ count: result.length, logs: result });
+});
+
+export default router;