feat(4-5/4-6): audit logging + zero-data-retention headers
Audit Logging (story 4-6): - Nouveau modèle AuditLog (userId, action, resource, metadata, ip, createdAt) - Migration 20260529143000_add_audit_log appliquée - lib/audit-log.ts : logAuditEvent (fire-and-forget) + logAuditEventAsync + getClientIp - auth.ts : LOG LOGIN / LOGOUT / USER_CREATED sur chaque event NextAuth - /api/chat : log AI_REQUEST avec tokens + byok flag dans onFinish - /api/agents/run-for-note : log AI_REQUEST avec featureKey + noteId Zero-data-retention (story 4-5): - OpenAI provider : header OpenAI-No-Training: 1 - Anthropic provider : header Anthropic-No-Train: 1 - DeepSeek provider : header X-No-Train: 1 sprint-status: 4-5 et 4-6 → done Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
@@ -3,6 +3,7 @@ import { PrismaAdapter } from '@auth/prisma-adapter';
|
||||
import { authConfig } from './auth.config';
|
||||
import prisma from '@/lib/prisma';
|
||||
import { buildAuthProviders } from '@/lib/auth-providers';
|
||||
import { logAuditEvent } from '@/lib/audit-log';
|
||||
|
||||
export const { auth, signIn, signOut, handlers } = NextAuth({
|
||||
...authConfig,
|
||||
@@ -12,12 +13,14 @@ export const { auth, signIn, signOut, handlers } = NextAuth({
|
||||
async createUser({ user }) {
|
||||
const adminEmail = process.env.ADMIN_EMAIL?.toLowerCase();
|
||||
if (!adminEmail || !user.id || user.email?.toLowerCase() !== adminEmail) {
|
||||
logAuditEvent({ userId: user.id, action: 'USER_CREATED', metadata: { email: user.email } });
|
||||
return;
|
||||
}
|
||||
await prisma.user.update({
|
||||
where: { id: user.id },
|
||||
data: { role: 'ADMIN', emailVerified: new Date() },
|
||||
});
|
||||
logAuditEvent({ userId: user.id, action: 'USER_CREATED', metadata: { email: user.email, role: 'ADMIN' } });
|
||||
},
|
||||
async signOut(message) {
|
||||
const userId =
|
||||
@@ -29,6 +32,8 @@ export const { auth, signIn, signOut, handlers } = NextAuth({
|
||||
|
||||
if (!userId) return;
|
||||
|
||||
logAuditEvent({ userId, action: 'LOGOUT' });
|
||||
|
||||
await prisma.$transaction([
|
||||
prisma.user.update({
|
||||
where: { id: userId },
|
||||
@@ -52,6 +57,11 @@ export const { auth, signIn, signOut, handlers } = NextAuth({
|
||||
});
|
||||
}
|
||||
}
|
||||
logAuditEvent({
|
||||
userId: user.id,
|
||||
action: 'LOGIN',
|
||||
metadata: { provider: account?.provider ?? 'credentials', email: user.email },
|
||||
});
|
||||
return true;
|
||||
},
|
||||
async jwt({ token, user, trigger, session }) {
|
||||
|
||||
Reference in New Issue
Block a user