feat: security and auditing

api/src/app/routes/manga/index.ts

@@ -5,10 +5,12 @@
  */
 
 import { FastifyPluginAsync } from "fastify";
-import { Manga, CreateMangaDto, UpdateMangaDto, Comment, CreateCommentDto } from "@library/shared-types";
+import { Manga, CreateMangaDto, UpdateMangaDto, Comment, CreateCommentDto, AuditAction, AuditCategory } from "@library/shared-types";
 import { MangaService } from "../../services/manga.service";
 import { CommentService } from "../../services/comment.service";
+import { AuditService } from "../../services/audit.service";
 import { adminGuard } from "../../middleware/admin-guard";
+import { bannedGuard } from "../../middleware/banned-guard";
 
 const mangaRoutes: FastifyPluginAsync = async (app) => {
   const mangaService = new MangaService();
@@ -30,9 +32,18 @@ const mangaRoutes: FastifyPluginAsync = async (app) => {
     "/",
     {
       preValidation: [app.authenticate, adminGuard],
+      preHandler: [app.csrfProtection],
     },
     async (request) => {
-      return mangaService.createManga(request.body);
+      const manga = await mangaService.createManga(request.body);
+      await AuditService.logFromRequest(request, {
+        action: AuditAction.ENTRY_CREATE,
+        category: AuditCategory.CONTENT,
+        resourceType: "manga",
+        resourceId: manga.id,
+        details: `Created manga: ${manga.title}`,
+      });
+      return manga;
     }
   );
 
@@ -44,10 +55,21 @@ const mangaRoutes: FastifyPluginAsync = async (app) => {
     "/:id",
     {
       preValidation: [app.authenticate, adminGuard],
+      preHandler: [app.csrfProtection],
     },
     async (request) => {
       const { id } = request.params;
-      return mangaService.updateManga(id, request.body);
+      const manga = await mangaService.updateManga(id, request.body);
+      if (manga) {
+        await AuditService.logFromRequest(request, {
+          action: AuditAction.ENTRY_UPDATE,
+          category: AuditCategory.CONTENT,
+          resourceType: "manga",
+          resourceId: id,
+          details: `Updated manga: ${manga.title}`,
+        });
+      }
+      return manga;
     }
   );
 
@@ -55,10 +77,18 @@ const mangaRoutes: FastifyPluginAsync = async (app) => {
     "/:id",
     {
       preValidation: [app.authenticate, adminGuard],
+      preHandler: [app.csrfProtection],
     },
     async (request) => {
       const { id } = request.params;
       await mangaService.deleteManga(id);
+      await AuditService.logFromRequest(request, {
+        action: AuditAction.ENTRY_DELETE,
+        category: AuditCategory.CONTENT,
+        resourceType: "manga",
+        resourceId: id,
+        details: `Deleted manga with ID: ${id}`,
+      });
       return { success: true };
     }
   );
@@ -74,12 +104,21 @@ const mangaRoutes: FastifyPluginAsync = async (app) => {
   app.post<{ Params: { id: string }; Body: CreateCommentDto; Reply: Comment }>(
     "/:id/comments",
     {
-      preValidation: [app.authenticate],
+      preValidation: [app.authenticate, bannedGuard],
+      preHandler: [app.csrfProtection],
     },
     async (request) => {
       const { id } = request.params;
       const userId = request.user.id;
-      return commentService.createCommentForManga(id, userId, request.body);
+      const comment = await commentService.createCommentForManga(id, userId, request.body);
+      await AuditService.logFromRequest(request, {
+        action: AuditAction.COMMENT_CREATE,
+        category: AuditCategory.CONTENT,
+        resourceType: "manga",
+        resourceId: id,
+        details: `Added comment to manga`,
+      });
+      return comment;
     }
   );
 
@@ -87,10 +126,18 @@ const mangaRoutes: FastifyPluginAsync = async (app) => {
     "/:id/comments/:commentId",
     {
       preValidation: [app.authenticate, adminGuard],
+      preHandler: [app.csrfProtection],
     },
     async (request) => {
-      const { commentId } = request.params;
+      const { id, commentId } = request.params;
       await commentService.deleteComment(commentId);
+      await AuditService.logFromRequest(request, {
+        action: AuditAction.COMMENT_DELETE,
+        category: AuditCategory.ADMIN,
+        resourceType: "manga",
+        resourceId: id,
+        details: `Deleted comment ${commentId} from manga`,
+      });
       return { success: true };
     }
   );