feat(security): add phase8 hardening with rate limits, audit logs, and auth-first simulator flow

2026-01-24 18:45:00 +00:00
parent 6d6c77f77e
commit f6d66c3650
11 changed files with 355 additions and 5 deletions
--- a/Backend/db/schema.ts
+++ b/Backend/db/schema.ts
@@ -150,6 +150,18 @@ export const pushNotifications = pgTable('push_notifications', {
  updatedAt: timestamp('updated_at', { withTimezone: true }).defaultNow().notNull(),
 });

+export const auditLogs = pgTable('audit_logs', {
+  id: uuid('id').defaultRandom().primaryKey(),
+  ownerUserId: uuid('owner_user_id').notNull().references(() => users.id),
+  actorDeviceId: uuid('actor_device_id').references(() => devices.id),
+  action: varchar('action', { length: 128 }).notNull(),
+  targetType: varchar('target_type', { length: 64 }).notNull(),
+  targetId: varchar('target_id', { length: 255 }).notNull(),
+  metadata: jsonb('metadata').$type<Record<string, unknown> | null>().default(null),
+  ipAddress: text('ip_address'),
+  createdAt: timestamp('created_at', { withTimezone: true }).defaultNow().notNull(),
+});
+
 export const accounts = pgTable('account', {
  id: uuid('id').defaultRandom().primaryKey(),
  userId: uuid('user_id').notNull().references(() => users.id),
@@ -197,6 +209,7 @@ export const schema = {
  videos,
  notifications,
  pushNotifications,
+  auditLogs,
  accounts,
  sessions,
  verifications,
--- a/Backend/drizzle/0011_security_audit_logs.sql
+++ b/Backend/drizzle/0011_security_audit_logs.sql
@@ -0,0 +1,14 @@
+CREATE TABLE "audit_logs" (
+  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+  "owner_user_id" uuid NOT NULL,
+  "actor_device_id" uuid,
+  "action" varchar(128) NOT NULL,
+  "target_type" varchar(64) NOT NULL,
+  "target_id" varchar(255) NOT NULL,
+  "metadata" jsonb DEFAULT 'null'::jsonb,
+  "ip_address" text,
+  "created_at" timestamp with time zone DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+ALTER TABLE "audit_logs" ADD CONSTRAINT "audit_logs_owner_user_id_users_id_fk" FOREIGN KEY ("owner_user_id") REFERENCES "public"."users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "audit_logs" ADD CONSTRAINT "audit_logs_actor_device_id_devices_id_fk" FOREIGN KEY ("actor_device_id") REFERENCES "public"."devices"("id") ON DELETE no action ON UPDATE no action;
--- a/Backend/drizzle/meta/_journal.json
+++ b/Backend/drizzle/meta/_journal.json
@@ -78,6 +78,13 @@
      "when": 1770417956419,
      "tag": "0010_push_notifications_queue",
      "breakpoints": true
+    },
+    {
+      "idx": 11,
+      "version": "7",
+      "when": 1770418956419,
+      "tag": "0011_security_audit_logs",
+      "breakpoints": true
    }
  ]
 }
--- a/Backend/index.ts
+++ b/Backend/index.ts
@@ -1,6 +1,8 @@
 import express from 'express';
 import { createServer } from 'http';
 import { toNodeHandler } from 'better-auth/node';
+import cors from 'cors';
+import helmet from 'helmet';
 import swaggerUi from 'swagger-ui-express';

 import { auth } from './auth';
@@ -14,6 +16,8 @@ import eventsRoutes from './routes/events';
 import streamsRoutes from './routes/streams';
 import recordingsRoutes from './routes/recordings';
 import pushNotificationsRoutes from './routes/push-notifications';
+import auditRoutes from './routes/audit';
+import { rateLimit } from './middleware/security';
 import { setupRealtimeGateway } from './realtime/gateway';
 import { ensureMinioBucket } from './utils/minio';
 import { startRecordingsWorker } from './workers/recordings';
@@ -21,6 +25,9 @@ import { startPushWorker } from './services/push';

 const app = express();
 const openApiDocument = buildOpenApiDocument();
+const trustedOrigins = process.env.BETTER_AUTH_TRUSTED_ORIGINS
+  ? process.env.BETTER_AUTH_TRUSTED_ORIGINS.split(',').map((origin) => origin.trim()).filter(Boolean)
+  : [];

 app.get('/', (_req, res) => {
  res.send('API is running');
@@ -34,17 +41,26 @@ app.use('/docs', swaggerUi.serve, swaggerUi.setup(openApiDocument));

 app.all('/api/auth/*splat', toNodeHandler(auth));

+app.use(helmet());
+app.use(
+  cors({
+    origin: trustedOrigins.length > 0 ? trustedOrigins : true,
+    credentials: true,
+  }),
+);
+app.use(rateLimit({ keyPrefix: 'global', windowMs: 60_000, max: 400 }));
 app.use(express.json());
 app.use('/sim', express.static('public'));
 app.use('/videos', videosRoutes);
 app.use('/admin', adminRoutes);
-app.use('/devices', devicesRoutes);
+app.use('/devices', rateLimit({ keyPrefix: 'devices', windowMs: 60_000, max: 120 }), devicesRoutes);
 app.use('/device-links', deviceLinksRoutes);
-app.use('/commands', commandsRoutes);
-app.use('/events', eventsRoutes);
-app.use('/streams', streamsRoutes);
-app.use('/recordings', recordingsRoutes);
+app.use('/commands', rateLimit({ keyPrefix: 'commands', windowMs: 60_000, max: 120 }), commandsRoutes);
+app.use('/events', rateLimit({ keyPrefix: 'events', windowMs: 60_000, max: 120 }), eventsRoutes);
+app.use('/streams', rateLimit({ keyPrefix: 'streams', windowMs: 60_000, max: 120 }), streamsRoutes);
+app.use('/recordings', rateLimit({ keyPrefix: 'recordings', windowMs: 60_000, max: 120 }), recordingsRoutes);
 app.use('/push-notifications', pushNotificationsRoutes);
+app.use('/audit', auditRoutes);

 app.use((err: unknown, _req: express.Request, res: express.Response, _next: express.NextFunction) => {
  console.error(err);
--- a/Backend/middleware/security.ts
+++ b/Backend/middleware/security.ts
@@ -0,0 +1,31 @@
+import type { NextFunction, Request, Response } from 'express';
+
+type Bucket = {
+  count: number;
+  windowStart: number;
+};
+
+const buckets = new Map<string, Bucket>();
+
+export const rateLimit = (options: { keyPrefix: string; windowMs: number; max: number }) => {
+  return (req: Request, res: Response, next: NextFunction): void => {
+    const key = `${options.keyPrefix}:${req.ip ?? 'unknown'}`;
+    const now = Date.now();
+    const current = buckets.get(key);
+
+    if (!current || now - current.windowStart > options.windowMs) {
+      buckets.set(key, { count: 1, windowStart: now });
+      next();
+      return;
+    }
+
+    if (current.count >= options.max) {
+      res.status(429).json({ message: 'Rate limit exceeded. Try again later.' });
+      return;
+    }
+
+    current.count += 1;
+    buckets.set(key, current);
+    next();
+  };
+};
--- a/Backend/public/mobile-sim.html
+++ b/Backend/public/mobile-sim.html
@@ -123,6 +123,25 @@
      </p>

      <div class="grid">
+        <section class="panel">
+          <h2>Auth</h2>
+          <label>Name</label>
+          <input id="authName" placeholder="optional display name" />
+          <label>Email</label>
+          <input id="authEmail" placeholder="you@example.com" />
+          <label>Password</label>
+          <input id="authPassword" type="password" placeholder="password" />
+          <div class="row">
+            <button id="signUpBtn" class="alt">Sign Up</button>
+            <button id="signInBtn">Sign In</button>
+          </div>
+          <div class="row">
+            <button id="sessionBtn" class="alt">Check Session</button>
+            <button id="signOutBtn" class="danger">Sign Out</button>
+          </div>
+          <pre id="authState"></pre>
+        </section>
+
        <section class="panel">
          <h2>Device Bootstrap</h2>
          <label>Device Name</label>
@@ -186,6 +205,7 @@
    <script src="/socket.io/socket.io.js"></script>
    <script>
      const state = {
+        session: null,
        device: null,
        deviceToken: null,
        socket: null,
@@ -209,6 +229,7 @@
      };

      const render = () => {
+        $('authState').textContent = JSON.stringify({ session: state.session }, null, 2);
        $('deviceState').textContent = JSON.stringify({ device: state.device, hasToken: Boolean(state.deviceToken) }, null, 2);
        $('clientState').textContent = JSON.stringify({ lastStreamSessionId: state.lastStreamSessionId }, null, 2);
        $('cameraState').textContent = JSON.stringify(
@@ -222,6 +243,64 @@
        );
      };

+      const getAuthPayload = () => ({
+        name: $('authName').value.trim() || undefined,
+        email: $('authEmail').value.trim(),
+        password: $('authPassword').value,
+      });
+
+      $('signUpBtn').addEventListener('click', async () => {
+        try {
+          const authPayload = getAuthPayload();
+          const payload = await authFetch('/api/auth/sign-up/email', {
+            method: 'POST',
+            body: JSON.stringify(authPayload),
+          });
+          log('sign up', payload);
+          $('sessionBtn').click();
+        } catch (error) {
+          log('sign up failed', { error: error.message });
+        }
+      });
+
+      $('signInBtn').addEventListener('click', async () => {
+        try {
+          const authPayload = getAuthPayload();
+          const payload = await authFetch('/api/auth/sign-in/email', {
+            method: 'POST',
+            body: JSON.stringify({ email: authPayload.email, password: authPayload.password }),
+          });
+          log('sign in', payload);
+          $('sessionBtn').click();
+        } catch (error) {
+          log('sign in failed', { error: error.message });
+        }
+      });
+
+      $('sessionBtn').addEventListener('click', async () => {
+        try {
+          const payload = await authFetch('/api/auth/get-session');
+          state.session = payload?.session ? payload : null;
+          render();
+          log('session check', payload);
+        } catch (error) {
+          state.session = null;
+          render();
+          log('session check failed', { error: error.message });
+        }
+      });
+
+      $('signOutBtn').addEventListener('click', async () => {
+        try {
+          const payload = await authFetch('/api/auth/sign-out', { method: 'POST', body: JSON.stringify({}) });
+          state.session = null;
+          render();
+          log('sign out', payload);
+        } catch (error) {
+          log('sign out failed', { error: error.message });
+        }
+      });
+
      const authFetch = async (url, options = {}) => {
        const response = await fetch(url, {
          credentials: 'include',
@@ -337,6 +416,7 @@

      $('registerBtn').addEventListener('click', async () => {
        try {
+          if (!state.session) throw new Error('Authenticate first');
          const role = $('role').value;
          const name = $('deviceName').value.trim();
          const payload = await authFetch('/devices/register', {
@@ -370,6 +450,24 @@
        log('loaded saved device', parsed);
      });

+      const auditPanel = document.createElement('section');
+      auditPanel.className = 'panel';
+      auditPanel.style.marginTop = '16px';
+      auditPanel.innerHTML = `
+        <h2>Audit Logs</h2>
+        <button id="fetchAuditBtn" class="alt">Fetch My Device Audit Logs</button>
+      `;
+      document.querySelector('.page').appendChild(auditPanel);
+
+      $('fetchAuditBtn').addEventListener('click', async () => {
+        try {
+          const payload = await deviceFetch('/audit/device');
+          log('audit logs', payload);
+        } catch (error) {
+          log('audit fetch failed', { error: error.message });
+        }
+      });
+
      $('loadSavedBtn').addEventListener('click', async () => {
        try {
          if (!state.device?.id) return;
--- a/Backend/routes/audit.ts
+++ b/Backend/routes/audit.ts
@@ -0,0 +1,66 @@
+import { and, desc, eq } from 'drizzle-orm';
+import { Router } from 'express';
+import { z } from 'zod';
+
+import { db } from '../db/client';
+import { auditLogs } from '../db/schema';
+import { requireDeviceAuth } from '../middleware/device-auth';
+
+const router = Router();
+
+const querySchema = z.object({
+  limit: z.coerce.number().int().min(1).max(100).default(50),
+  action: z.string().optional(),
+});
+
+router.get('/me', requireDeviceAuth, async (req, res) => {
+  const parsed = querySchema.safeParse(req.query);
+
+  if (!parsed.success) {
+    res.status(400).json({ message: 'Invalid query params', errors: parsed.error.flatten() });
+    return;
+  }
+
+  const deviceAuth = req.deviceAuth;
+
+  if (!deviceAuth) {
+    res.status(401).json({ message: 'Unauthorized' });
+    return;
+  }
+
+  const result = await db.query.auditLogs.findMany({
+    where: eq(auditLogs.ownerUserId, deviceAuth.userId),
+    orderBy: [desc(auditLogs.createdAt)],
+    limit: parsed.data.limit,
+  });
+
+  const filtered = parsed.data.action ? result.filter((item) => item.action === parsed.data.action) : result;
+
+  res.json({ count: filtered.length, logs: filtered });
+});
+
+router.get('/device', requireDeviceAuth, async (req, res) => {
+  const parsed = querySchema.safeParse(req.query);
+
+  if (!parsed.success) {
+    res.status(400).json({ message: 'Invalid query params', errors: parsed.error.flatten() });
+    return;
+  }
+
+  const deviceAuth = req.deviceAuth;
+
+  if (!deviceAuth) {
+    res.status(401).json({ message: 'Unauthorized' });
+    return;
+  }
+
+  const result = await db.query.auditLogs.findMany({
+    where: and(eq(auditLogs.ownerUserId, deviceAuth.userId), eq(auditLogs.actorDeviceId, deviceAuth.deviceId)),
+    orderBy: [desc(auditLogs.createdAt)],
+    limit: parsed.data.limit,
+  });
+
+  res.json({ count: result.length, logs: result });
+});
+
+export default router;
--- a/Backend/routes/events.ts
+++ b/Backend/routes/events.ts
@@ -7,6 +7,7 @@ import { deviceLinks, devices, events, notifications } from '../db/schema';
 import { requireAuth } from '../middleware/auth';
 import { requireDeviceAuth } from '../middleware/device-auth';
 import { sendRealtimeToDevice } from '../realtime/gateway';
+import { writeAuditLog } from '../services/audit';
 import { enqueuePushNotification } from '../services/push';

 const router = Router();
@@ -126,6 +127,16 @@ router.post('/motion/start', requireDeviceAuth, async (req, res) => {
    event,
    notifiedClients: activeLinks.length,
  });
+
+  await writeAuditLog({
+    ownerUserId: deviceAuth.userId,
+    actorDeviceId: cameraDevice.id,
+    action: 'event.motion_started',
+    targetType: 'event',
+    targetId: event.id,
+    metadata: { notifiedClients: activeLinks.length },
+    ipAddress: req.ip,
+  });
 });

 router.post('/:eventId/motion/end', requireDeviceAuth, async (req, res) => {
@@ -210,6 +221,16 @@ router.post('/:eventId/motion/end', requireDeviceAuth, async (req, res) => {
  }

  res.json({ message: 'Motion event ended', event: updated, notifiedClients: activeLinks.length });
+
+  await writeAuditLog({
+    ownerUserId: deviceAuth.userId,
+    actorDeviceId: deviceAuth.deviceId,
+    action: 'event.motion_ended',
+    targetType: 'event',
+    targetId: event.id,
+    metadata: { status: parsed.data.status, notifiedClients: activeLinks.length },
+    ipAddress: req.ip,
+  });
 });

 router.get('/', requireAuth, async (req, res) => {
--- a/Backend/routes/recordings.ts
+++ b/Backend/routes/recordings.ts
@@ -5,6 +5,7 @@ import { z } from 'zod';
 import { db } from '../db/client';
 import { recordings, streamSessions } from '../db/schema';
 import { requireDeviceAuth } from '../middleware/device-auth';
+import { writeAuditLog } from '../services/audit';
 import { minioBucket, minioClient, minioPresignedExpirySeconds } from '../utils/minio';

 const router = Router();
@@ -105,6 +106,16 @@ router.post('/:recordingId/finalize', requireDeviceAuth, async (req, res) => {
    .returning();

  res.json({ message: 'Recording finalized', recording: updated });
+
+  await writeAuditLog({
+    ownerUserId: recording.ownerUserId,
+    actorDeviceId: recording.cameraDeviceId,
+    action: 'recording.finalized',
+    targetType: 'recording',
+    targetId: recording.id,
+    metadata: { objectKey: parsed.data.objectKey, bucket: parsed.data.bucket },
+    ipAddress: req.ip,
+  });
 });

 router.get('/:recordingId/download-url', requireDeviceAuth, async (req, res) => {
@@ -156,6 +167,16 @@ router.get('/:recordingId/download-url', requireDeviceAuth, async (req, res) =>
    downloadUrl,
    expiresInSeconds: minioPresignedExpirySeconds,
  });
+
+  await writeAuditLog({
+    ownerUserId: recording.ownerUserId,
+    actorDeviceId: deviceAuth.deviceId,
+    action: 'recording.download_url_issued',
+    targetType: 'recording',
+    targetId: recording.id,
+    metadata: { objectKey: recording.objectKey, bucket: recording.bucket },
+    ipAddress: req.ip,
+  });
 });

 // Internal helper used by stream lifecycle to create recording placeholder rows.
--- a/Backend/routes/streams.ts
+++ b/Backend/routes/streams.ts
@@ -9,6 +9,7 @@ import { deviceCommands, deviceLinks, devices, streamSessions } from '../db/sche
 import { mediaProvider } from '../media/service';
 import { requireDeviceAuth } from '../middleware/device-auth';
 import { dispatchCommandById, sendRealtimeToDevice } from '../realtime/gateway';
+import { writeAuditLog } from '../services/audit';
 import { enqueuePushNotification } from '../services/push';
 import { createRecordingForStream } from './recordings';

@@ -192,6 +193,16 @@ router.post('/request', requireDeviceAuth, async (req, res) => {
    streamSession: session,
    command: refreshedCommand ?? command,
  });
+
+  await writeAuditLog({
+    ownerUserId: sourceDevice.userId,
+    actorDeviceId: sourceDevice.id,
+    action: 'stream.requested',
+    targetType: 'stream_session',
+    targetId: session.id,
+    metadata: { cameraDeviceId: cameraDevice.id, reason: session.reason },
+    ipAddress: req.ip,
+  });
 });

 router.post('/:streamSessionId/accept', requireDeviceAuth, async (req, res) => {
@@ -287,6 +298,16 @@ router.post('/:streamSessionId/accept', requireDeviceAuth, async (req, res) => {
  }

  res.json({ message: 'Stream accepted', streamSession: updated });
+
+  await writeAuditLog({
+    ownerUserId: session.ownerUserId,
+    actorDeviceId: session.cameraDeviceId,
+    action: 'stream.accepted',
+    targetType: 'stream_session',
+    targetId: session.id,
+    metadata: { mediaSessionId: updated.mediaSessionId, mediaProvider: updated.mediaProvider },
+    ipAddress: req.ip,
+  });
 });

 router.get('/:streamSessionId/publish-credentials', requireDeviceAuth, async (req, res) => {
@@ -330,6 +351,16 @@ router.get('/:streamSessionId/publish-credentials', requireDeviceAuth, async (re
  });

  res.json(credentials);
+
+  await writeAuditLog({
+    ownerUserId: session.ownerUserId,
+    actorDeviceId: session.cameraDeviceId,
+    action: 'stream.publish_credentials_issued',
+    targetType: 'stream_session',
+    targetId: session.id,
+    metadata: { mediaProvider: credentials.provider },
+    ipAddress: req.ip,
+  });
 });

 router.get('/:streamSessionId/subscribe-credentials', requireDeviceAuth, async (req, res) => {
@@ -376,6 +407,16 @@ router.get('/:streamSessionId/subscribe-credentials', requireDeviceAuth, async (
  });

  res.json(credentials);
+
+  await writeAuditLog({
+    ownerUserId: session.ownerUserId,
+    actorDeviceId: deviceAuth.deviceId,
+    action: 'stream.subscribe_credentials_issued',
+    targetType: 'stream_session',
+    targetId: session.id,
+    metadata: { mediaProvider: credentials.provider },
+    ipAddress: req.ip,
+  });
 });

 router.post('/:streamSessionId/end', requireDeviceAuth, async (req, res) => {
--- a/Backend/services/audit.ts
+++ b/Backend/services/audit.ts
@@ -0,0 +1,22 @@
+import { db } from '../db/client';
+import { auditLogs } from '../db/schema';
+
+export const writeAuditLog = async (entry: {
+  ownerUserId: string;
+  action: string;
+  targetType: string;
+  targetId: string;
+  actorDeviceId?: string;
+  metadata?: Record<string, unknown>;
+  ipAddress?: string;
+}): Promise<void> => {
+  await db.insert(auditLogs).values({
+    ownerUserId: entry.ownerUserId,
+    actorDeviceId: entry.actorDeviceId,
+    action: entry.action,
+    targetType: entry.targetType,
+    targetId: entry.targetId,
+    metadata: entry.metadata ?? null,
+    ipAddress: entry.ipAddress,
+  });
+};