feat: security and auditing

2026-02-04 16:48:08 -08:00
parent 11be34cd21
commit 0a654f423a
42 changed files with 2195 additions and 160 deletions
@@ -1,14 +1,48 @@
 import * as path from 'path';
-import { FastifyInstance } from 'fastify';
+import { FastifyInstance, FastifyError } from 'fastify';
 import AutoLoad from '@fastify/autoload';
+import { AuditService } from './services/audit.service';
+import { AuditAction, AuditCategory } from '@library/shared-types';

 /* eslint-disable-next-line */
 export interface AppOptions {}

 export async function app(fastify: FastifyInstance, opts: AppOptions) {
-  // Place here your custom code!
+  // Add global error handler for security event logging
+  fastify.setErrorHandler(async (error: FastifyError, request, reply) => {
+    // Log CSRF validation failures
+    if (error.code === 'FST_CSRF_INVALID_TOKEN' || error.code === 'FST_CSRF_MISSING_SECRET') {
+      await AuditService.log({
+        action: AuditAction.CSRF_VALIDATION_FAILED,
+        category: AuditCategory.SECURITY,
+        details: `CSRF validation failed: ${error.message}, URL: ${request.url}`,
+        success: false,
+      }, request).catch(() => {
+        // Ignore logging errors
+      });
+    }

-  // Do not touch the following lines
+    // Log unauthorized access attempts
+    if (error.statusCode === 401 || error.statusCode === 403) {
+      await AuditService.log({
+        action: AuditAction.UNAUTHORIZED_ACCESS,
+        category: AuditCategory.SECURITY,
+        details: `Unauthorized access attempt: ${error.message}, URL: ${request.url}`,
+        success: false,
+      }, request).catch(() => {
+        // Ignore logging errors
+      });
+    }
+
+    // Send the error response (don't leak internal details for server errors)
+    const statusCode = error.statusCode ?? 500;
+
+    reply.status(statusCode).send({
+      statusCode,
+      error: statusCode >= 500 ? "Internal Server Error" : error.name,
+      message: statusCode >= 500 ? "An unexpected error occurred" : error.message,
+    });
+  });

  // This loads all plugins defined in plugins
  // those should be support plugins that are reused