UNPKG

autotel

Version:

Write Once, Observe Anywhere

github.com/jagreehal/autotel

jagreehal/autotel

197 lines (164 loc) 5.27 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
# Framework wiring for audit trails Each handler below records an authorization decision (allow and deny) and emits one audit span. They assume the `audit()` / `withAuthz()` helpers from Step 12 of the skill, or the `withAudit` helper from `autotel-audit`. Keep the audit call inside the traced request so it inherits the trace context. The rule across every framework is the same: wrap the authorization decision so both branches reach the audit pipeline, and never put raw payloads on the span. ## Next.js (App Router) ```typescript // app/admin/users/[id]/route.ts import { withAuthz } from '@/lib/audit'; export async function DELETE( req: Request, { params }: { params: { id: string } }, ) { return withAuthz( { action: 'user.delete', resource: { type: 'user', id: params.id }, actor: { id: req.headers.get('x-user-id')!, role: 'admin' }, }, async () => ({ allow: await canDelete(req, params.id) }), async () => { await db.user.delete({ where: { id: params.id } }); return Response.json({ ok: true }); }, ); } ``` ## Nuxt / Nitro ```typescript // server/api/secrets/[id].delete.ts import { withAuthz } from '~/server/utils/audit'; export default defineEventHandler((event) => withAuthz( { action: 'secret.delete', resource: { type: 'secret', id: getRouterParam(event, 'id')! }, actor: { id: event.context.user.id, role: event.context.user.role }, }, async () => ({ allow: await canManageSecret(event) }), async () => { await secrets.delete(getRouterParam(event, 'id')!); return { ok: true }; }, ), ); ``` ## NestJS Wrap the audited work inside the service or an interceptor. The decision lives next to the business logic: ```typescript @Injectable() export class UsersService { async remove(id: string, actor: Actor) { return withAuthz( { action: 'user.delete', resource: { type: 'user', id }, actor }, async () => ({ allow: actor.role === 'admin' }), async () => this.repo.delete(id), ); } } ``` ## Express ```typescript import { withAuthz } from './audit'; app.delete('/admin/users/:id', async (req, res, next) => { try { await withAuthz( { action: 'user.delete', resource: { type: 'user', id: req.params.id }, actor: { id: req.user.id, role: req.user.role }, }, async () => ({ allow: req.user.role === 'admin' }), async () => db.user.delete({ where: { id: req.params.id } }), ); res.json({ ok: true }); } catch (err) { next(err); } }); ``` ## Fastify ```typescript import { withAuthz } from './audit'; fastify.delete('/admin/users/:id', async (request, reply) => { await withAuthz( { action: 'user.delete', resource: { type: 'user', id: (request.params as { id: string }).id }, actor: { id: request.user.id, role: request.user.role }, }, async () => ({ allow: request.user.role === 'admin' }), async () => db.user.delete({ where: { id: (request.params as { id: string }).id } }), ); return { ok: true }; }); ``` ## Hono ```typescript import { withAuthz } from './audit'; app.post('/secrets/:id/read', (c) => withAuthz( { action: 'secret.read', resource: { type: 'secret', id: c.req.param('id') }, actor: { id: c.var.user.id, role: c.var.user.role }, }, () => requireScope(c, 'secrets:read'), async () => c.json({ value: await secrets.read(c.req.param('id')) }), ), ); ``` ## Cloudflare Workers Audit from inside `defineWorkerFetch` so `ctx.waitUntil` exports the audit span before the response returns: ```typescript import { defineWorkerFetch } from 'autotel-cloudflare'; import { withAuthz } from './audit'; export default defineWorkerFetch( { service: { name: 'admin-api' } }, async (request, env, ctx, log) => withAuthz( { action: 'data.export', resource: { type: 'project', id: 'p_123' }, actor: { id: 'usr_42' }, }, async () => ({ allow: true }), async () => Response.json({ ok: true }), ), ); ``` ## AWS Lambda Wrap the traced handler; the audit span is flushed when the handler settles: ```typescript import { withAuthz } from './audit'; export const handler = async (event: APIGatewayProxyEventV2) => withAuthz( { action: 'invoice.void', resource: { type: 'invoice', id: event.pathParameters!.id! }, actor: { id: event.requestContext.authorizer!.userId }, }, async () => ({ allow: await canVoid(event) }), async () => { await invoices.void(event.pathParameters!.id!); return { statusCode: 200, body: JSON.stringify({ ok: true }) }; }, ); ``` ## Standalone scripts and cron jobs Outside a request there is no ambient trace context. Wrap the job in `trace()` first so the audit span has a parent, and set the actor to the system principal: ```typescript import { trace } from 'autotel'; import { withAudit } from 'autotel-audit'; export const nightlyPurge = trace(async function nightlyPurge() { await withAudit( { action: 'data.purge', resource: 'expired-sessions', actorId: 'system:cron', category: 'maintenance', }, async () => sessions.purgeExpired(), ); }); ```