feat: enable audit logging for authentication and task operations
Add audit_service.log_event() calls to track key user activities: - auth_login: successful and failed login attempts with IP/user agent - auth_logout: single session and all sessions logout - task_delete: task deletion with user context - file_upload: file upload with filename, size, and type - admin_cleanup: manual cleanup trigger with statistics Each event captures client IP (from X-Forwarded-For/X-Real-IP headers), user agent, and relevant metadata for compliance and debugging. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
egg
52
openspec/changes/enable-audit-logging/proposal.md
Normal file
52
openspec/changes/enable-audit-logging/proposal.md
Normal file
@@ -0,0 +1,52 @@
|
||||
# Enable Audit Logging
|
||||
|
||||
## Summary
|
||||
Activate the existing audit logging infrastructure by adding `audit_service.log_event()` calls to key system operations. The audit log table and service already exist but are not being used.
|
||||
|
||||
## Motivation
|
||||
- Audit logs page exists but shows no data because events are not being recorded
|
||||
- Security compliance requires tracking of authentication and administrative actions
|
||||
- Administrators need visibility into system usage and potential security issues
|
||||
|
||||
## Current State
|
||||
- `AuditLog` model exists in `backend/app/models/audit_log.py`
|
||||
- `AuditService` with `log_event()` method exists in `backend/app/services/audit_service.py`
|
||||
- `AuditLogsPage` frontend exists at `/admin/audit-logs`
|
||||
- Admin API endpoint `GET /api/v2/admin/audit-logs` exists
|
||||
- **Problem**: No code calls `audit_service.log_event()` - logs are always empty
|
||||
|
||||
## Proposed Changes
|
||||
|
||||
### Events to Log
|
||||
|
||||
| Event Type | Category | Location | Description |
|
||||
|------------|----------|----------|-------------|
|
||||
| `auth_login` | authentication | auth.py | User login (success/failure) |
|
||||
| `auth_logout` | authentication | auth.py | User logout |
|
||||
| `auth_token_refresh` | authentication | auth.py | Token refresh |
|
||||
| `task_create` | task | tasks.py | Task created |
|
||||
| `task_process` | task | tasks.py | Task processing started |
|
||||
| `task_complete` | task | tasks.py | Task completed |
|
||||
| `task_delete` | task | tasks.py | Task deleted |
|
||||
| `admin_cleanup` | admin | admin.py | Manual cleanup triggered |
|
||||
| `admin_view_users` | admin | admin.py | Admin viewed user list |
|
||||
| `file_upload` | file | main.py | File uploaded |
|
||||
|
||||
### Implementation Approach
|
||||
1. Add helper function to extract client info (IP, user agent) from Request
|
||||
2. Add `audit_service.log_event()` calls to each operation point
|
||||
3. Ensure all events capture: user_id, IP address, user agent, resource info
|
||||
|
||||
## Non-Goals
|
||||
- Creating new audit log model (already exists)
|
||||
- Changing audit log API endpoints (already work)
|
||||
- Modifying frontend audit logs page (already complete)
|
||||
|
||||
## Affected Specs
|
||||
- None (infrastructure already in place)
|
||||
|
||||
## Testing
|
||||
- Verify audit logs appear after login/logout
|
||||
- Verify task operations are logged
|
||||
- Verify admin actions are logged
|
||||
- Check audit logs page displays new entries
|
||||
33
openspec/changes/enable-audit-logging/tasks.md
Normal file
33
openspec/changes/enable-audit-logging/tasks.md
Normal file
@@ -0,0 +1,33 @@
|
||||
# Tasks: Enable Audit Logging
|
||||
|
||||
## 1. Helper Utilities
|
||||
- [x] 1.1 Create helper function to extract client info (IP, user agent) from FastAPI Request
|
||||
|
||||
## 2. Authentication Events
|
||||
- [x] 2.1 Log `auth_login` on successful/failed login in auth.py
|
||||
- [x] 2.2 Log `auth_logout` on logout in auth.py
|
||||
- [ ] 2.3 Log `auth_token_refresh` on token refresh (deferred - low priority)
|
||||
|
||||
## 3. Task Events
|
||||
- [ ] 3.1 Log `task_create` when task is created (deferred - covered by file_upload)
|
||||
- [ ] 3.2 Log `task_process` when task processing starts (deferred - background task)
|
||||
- [ ] 3.3 Log `task_complete` when task completes (deferred - background task)
|
||||
- [x] 3.4 Log `task_delete` when task is deleted
|
||||
|
||||
## 4. Admin Events
|
||||
- [x] 4.1 Log `admin_cleanup` when manual cleanup is triggered
|
||||
- [ ] 4.2 Log `admin_view_users` when admin views user list (deferred - low priority)
|
||||
|
||||
## 5. File Events
|
||||
- [x] 5.1 Log `file_upload` when file is uploaded
|
||||
|
||||
## 6. Testing
|
||||
- [ ] 6.1 Verify login creates audit log entry
|
||||
- [ ] 6.2 Verify task operations create audit log entries
|
||||
- [ ] 6.3 Verify audit logs page shows entries
|
||||
- [x] 6.4 Test backend module imports
|
||||
|
||||
## Notes
|
||||
- Core audit events implemented: login, logout, task delete, file upload, admin cleanup
|
||||
- Background task events (task_process, task_complete) deferred - would require significant refactoring
|
||||
- Low priority admin events deferred for future implementation
|
||||
Reference in New Issue
Block a user