louiscklaw/HKSingleParty
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: enhance party user auth endpoint with token validation, error logging, and security improvements

Browse Source
This commit is contained in:
louiscklaw
2025-06-18 12:34:48 +08:00
parent 3ed3f2fecb
commit 99fafda624
2 changed files with 19 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
03_source/cms_backend/src/app/api/party-user-auth/me/route.ts
View File

@@ -7,6 +7,14 @@
// - Log all access attempts (success/failure)
// - Validate token structure and user existence
//
// RULES:
// - Must validate Bearer token format before processing
// - All errors must be logged via access-log service
// - User existence must be verified after token validation
// - Sensitive data must be filtered from responses
// - Mock JWT_SECRET should be replaced in production
// - Debug info should be included in error logs
//
import type { NextRequest } from 'next/server';
import type { PartyUser } from '@prisma/client';
@@ -23,14 +31,6 @@ import { flattenNextjsRequest } from '../sign-in/flattenNextjsRequest';
// ----------------------------------------------------------------------
/**
* This API is used for demo purpose only
* You should use a real database
* You should hash the password before saving to database
* You should not save the password in the database
* You should not expose the JWT_SECRET in the client side
*/
const ERR_USER_TOKEN_CHECK_FAILED = 'user token check failed';
const ERR_INVALID_AUTH_TOKEN = 'Invalid authorization token';
const ERR_USER_ID_NOT_FOUND = 'userId not found';

27
03_source/cms_backend/src/app/services/access-log.service.ts
View File

@@ -1,28 +1,23 @@
// src/app/services/AccessLog.service.ts
// src/app/services/access-log.service.ts
//
// PURPOSE:
// Service for handling AccessLog records
// - Core service for audit logging and access tracking
// - Records all authentication attempts and system access
// - Provides query capabilities for audit trails
// - Integrates with Prisma ORM for database operations
//
// RULES:
// - All methods return Promises
// - Input validation should be done at controller level
// - Errors should be propagated to caller
// - All methods return Promises for async operations
// - Input validation must be done at controller level
// - Errors should be propagated to caller with context
// - Audit records should never be modified after creation
// - Sensitive data should be hashed before logging
// - Metadata should be stored as JSON for flexibility
import type { AccessLog } from '@prisma/client';
import prisma from '../lib/prisma';
// type CreateAccessLog = {
// userId?: string;
// message?: string;
// metadata?: Record<string, any>;
// };
// type UpdateAccessLog = {
// status?: number;
// metadata?: object;
// };
async function listAccessLogs(): Promise<AccessLog[]> {
return prisma.accessLog.findMany({
orderBy: { timestamp: 'desc' },