diff --git a/03_source/cms_backend/src/app/api/party-user-auth/me/route.ts b/03_source/cms_backend/src/app/api/party-user-auth/me/route.ts
index 235afaa..0f282e7 100644
--- a/03_source/cms_backend/src/app/api/party-user-auth/me/route.ts
+++ b/03_source/cms_backend/src/app/api/party-user-auth/me/route.ts
@@ -7,6 +7,14 @@
 // - Log all access attempts (success/failure)
 // - Validate token structure and user existence
 //
+// RULES:
+// - Must validate Bearer token format before processing
+// - All errors must be logged via access-log service
+// - User existence must be verified after token validation
+// - Sensitive data must be filtered from responses
+// - Mock JWT_SECRET should be replaced in production
+// - Debug info should be included in error logs
 //
 import type { NextRequest } from 'next/server';
 import type { PartyUser } from '@prisma/client';
@@ -23,14 +31,6 @@ import { flattenNextjsRequest } from '../sign-in/flattenNextjsRequest';
 // ----------------------------------------------------------------------
-/**
- * This API is used for demo purpose only
- * You should use a real database
- * You should hash the password before saving to database
- * You should not save the password in the database
- * You should not expose the JWT_SECRET in the client side
- */
-
 const ERR_USER_TOKEN_CHECK_FAILED = 'user token check failed';
 const ERR_INVALID_AUTH_TOKEN = 'Invalid authorization token';
 const ERR_USER_ID_NOT_FOUND = 'userId not found';
diff --git a/03_source/cms_backend/src/app/services/access-log.service.ts b/03_source/cms_backend/src/app/services/access-log.service.ts
index 061ffb5..099fbc0 100644
--- a/03_source/cms_backend/src/app/services/access-log.service.ts
+++ b/03_source/cms_backend/src/app/services/access-log.service.ts
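Review bot: The new RULES block in the route.ts header says "Debug info should be included in error logs" right after "Sensitive data must be filtered from responses", but nothing says the same filtering applies to the logs, so a reader could take the rule as license to log the raw Bearer token or the secret on failure. I would tighten the two weakest lines to `// - Debug info may be included in error logs, but never the raw Bearer token or JWT_SECRET` and `// - JWT_SECRET must come from the environment; the mock value is for local development only`. The demo-purpose docblock removed in the second hunk was the only place that warned against exposing JWT_SECRET, so carrying that warning into the RULES list keeps it visible after the cleanup. The code that reads JWT_SECRET is not part of this diff, so whether a startup check for a missing secret exists cannot be confirmed from here.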
@@ -1,28 +1,23 @@
-// src/app/services/AccessLog.service.ts
+// src/app/services/access-log.service.ts
 //
 // PURPOSE:
-// Service for handling AccessLog records
+// - Core service for audit logging and access tracking
+// - Records all authentication attempts and system access
+// - Provides query capabilities for audit trails
+// - Integrates with Prisma ORM for database operations
 //
 // RULES:
-// - All methods return Promises
-// - Input validation should be done at controller level
-// - Errors should be propagated to caller
+// - All methods return Promises for async operations
+// - Input validation must be done at controller level
+// - Errors should be propagated to caller with context
+// - Audit records should never be modified after creation
+// - Sensitive data should be hashed before logging
+// - Metadata should be stored as JSON for flexibility
 import type { AccessLog } from '@prisma/client';
 import prisma from '../lib/prisma';
-// type CreateAccessLog = {
-// userId?: string;
-// message?: string;
-// metadata?: Record;
-// };
-
-// type UpdateAccessLog = {
-// status?: number;
-// metadata?: object;
-// };
-
 async function listAccessLogs(): Promise {
 return prisma.accessLog.findMany({
 orderBy: { timestamp: 'desc' },