feat: Events / audit log (#1008)

* feat: Record events in DB * feat: events API * First pass, hacky activity feed * WIP * Reset dashboard * feat: audit log UI feat: store ip address * chore: Document events.list api * fix: command specs * await event create * fix: backlinks service * tidy * fix: Hide audit log menu item if not admin
2019-08-05 20:38:31 -07:00
parent 75b03fdba2
commit fb4f6822a4
37 changed files with 911 additions and 148 deletions
--- a/server/api/snapshots/events.test.js.snap
+++ b/server/api/snapshots/events.test.js.snap
@@ -0,0 +1,10 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`#events.list should require authentication 1`] = `
+Object {
+  "error": "authentication_required",
+  "message": "Authentication required",
+  "ok": false,
+  "status": 401,
+}
+`;
--- a/server/api/collections.js
+++ b/server/api/collections.js
@@ -4,12 +4,11 @@ import Router from 'koa-router';
 import auth from '../middlewares/authentication';
 import pagination from './middlewares/pagination';
 import { presentCollection, presentUser } from '../presenters';
-import { Collection, CollectionUser, Team, User } from '../models';
+import { Collection, CollectionUser, Team, Event, User } from '../models';
 import { ValidationError, InvalidRequestError } from '../errors';
 import { exportCollections } from '../logistics';
 import { archiveCollection } from '../utils/zip';
 import policy from '../policies';
-import events from '../events';

 const { authorize } = policy;
 const router = new Router();
@@ -35,11 +34,13 @@ router.post('collections.create', auth(), async ctx => {
    private: isPrivate,
  });

-  events.add({
+  await Event.create({
    name: 'collections.create',
-    modelId: collection.id,
+    collectionId: collection.id,
    teamId: collection.teamId,
    actorId: user.id,
+    data: { name },
+    ip: ctx.request.ip,
  });

  ctx.body = {
@@ -81,12 +82,14 @@ router.post('collections.add_user', auth(), async ctx => {
    createdById: ctx.state.user.id,
  });

-  events.add({
+  await Event.create({
    name: 'collections.add_user',
-    modelId: userId,
+    userId,
    collectionId: collection.id,
    teamId: collection.teamId,
    actorId: ctx.state.user.id,
+    data: { name: user.name },
+    ip: ctx.request.ip,
  });

  ctx.body = {
@@ -111,12 +114,14 @@ router.post('collections.remove_user', auth(), async ctx => {

  await collection.removeUser(user);

-  events.add({
+  await Event.create({
    name: 'collections.remove_user',
-    modelId: userId,
+    userId,
    collectionId: collection.id,
    teamId: collection.teamId,
    actorId: ctx.state.user.id,
+    data: { name: user.name },
+    ip: ctx.request.ip,
  });

  ctx.body = {
@@ -148,6 +153,15 @@ router.post('collections.export', auth(), async ctx => {

  const filePath = await archiveCollection(collection);

+  await Event.create({
+    name: 'collections.export',
+    collectionId: collection.id,
+    teamId: user.teamId,
+    actorId: user.id,
+    data: { title: collection.title },
+    ip: ctx.request.ip,
+  });
+
  ctx.attachment(`${collection.name}.zip`);
  ctx.set('Content-Type', 'application/force-download');
  ctx.body = fs.createReadStream(filePath);
@@ -161,6 +175,13 @@ router.post('collections.exportAll', auth(), async ctx => {
  // async operation to create zip archive and email user
  exportCollections(user.teamId, user.email);

+  await Event.create({
+    name: 'collections.export',
+    teamId: user.teamId,
+    actorId: user.id,
+    ip: ctx.request.ip,
+  });
+
  ctx.body = {
    success: true,
  };
@@ -197,11 +218,13 @@ router.post('collections.update', auth(), async ctx => {
  collection.private = isPrivate;
  await collection.save();

-  events.add({
+  await Event.create({
    name: 'collections.update',
-    modelId: collection.id,
+    collectionId: collection.id,
    teamId: collection.teamId,
    actorId: user.id,
+    data: { name },
+    ip: ctx.request.ip,
  });

  ctx.body = {
@@ -246,11 +269,13 @@ router.post('collections.delete', auth(), async ctx => {

  await collection.destroy();

-  events.add({
+  await Event.create({
    name: 'collections.delete',
-    modelId: collection.id,
+    collectionId: collection.id,
    teamId: collection.teamId,
    actorId: user.id,
+    data: { name: collection.name },
+    ip: ctx.request.ip,
  });

  ctx.body = {
--- a/server/api/documents.js
+++ b/server/api/documents.js
@@ -10,8 +10,9 @@ import {
  presentRevision,
 } from '../presenters';
 import {
-  Document,
  Collection,
+  Document,
+  Event,
  Share,
  Star,
  View,
@@ -20,7 +21,6 @@ import {
  User,
 } from '../models';
 import { InvalidRequestError } from '../errors';
-import events from '../events';
 import policy from '../policies';
 import { sequelize } from '../sequelize';

@@ -369,12 +369,14 @@ router.post('documents.restore', auth(), async ctx => {
    // restore a previously archived document
    await document.unarchive(user.id);

-    events.add({
+    await Event.create({
      name: 'documents.unarchive',
-      modelId: document.id,
+      documentId: document.id,
      collectionId: document.collectionId,
      teamId: document.teamId,
      actorId: user.id,
+      data: { title: document.title },
+      ip: ctx.request.ip,
    });
  } else if (revisionId) {
    // restore a document to a specific revision
@@ -387,12 +389,14 @@ router.post('documents.restore', auth(), async ctx => {
    document.title = revision.title;
    await document.save();

-    events.add({
+    await Event.create({
      name: 'documents.restore',
-      modelId: document.id,
+      documentId: document.id,
      collectionId: document.collectionId,
      teamId: document.teamId,
      actorId: user.id,
+      data: { title: document.title },
+      ip: ctx.request.ip,
    });
  } else {
    ctx.assertPresent(revisionId, 'revisionId is required');
@@ -463,12 +467,14 @@ router.post('documents.pin', auth(), async ctx => {
  document.pinnedById = user.id;
  await document.save();

-  events.add({
+  await Event.create({
    name: 'documents.pin',
-    modelId: document.id,
+    documentId: document.id,
    collectionId: document.collectionId,
    teamId: document.teamId,
    actorId: user.id,
+    data: { title: document.title },
+    ip: ctx.request.ip,
  });

  ctx.body = {
@@ -487,12 +493,14 @@ router.post('documents.unpin', auth(), async ctx => {
  document.pinnedById = null;
  await document.save();

-  events.add({
+  await Event.create({
    name: 'documents.unpin',
-    modelId: document.id,
+    documentId: document.id,
    collectionId: document.collectionId,
    teamId: document.teamId,
    actorId: user.id,
+    data: { title: document.title },
+    ip: ctx.request.ip,
  });

  ctx.body = {
@@ -512,12 +520,14 @@ router.post('documents.star', auth(), async ctx => {
    where: { documentId: document.id, userId: user.id },
  });

-  events.add({
+  await Event.create({
    name: 'documents.star',
-    modelId: document.id,
+    documentId: document.id,
    collectionId: document.collectionId,
    teamId: document.teamId,
    actorId: user.id,
+    data: { title: document.title },
+    ip: ctx.request.ip,
  });
 });

@@ -533,12 +543,14 @@ router.post('documents.unstar', auth(), async ctx => {
    where: { documentId: document.id, userId: user.id },
  });

-  events.add({
+  await Event.create({
    name: 'documents.unstar',
    modelId: document.id,
    collectionId: document.collectionId,
    teamId: document.teamId,
    actorId: user.id,
+    data: { title: document.title },
+    ip: ctx.request.ip,
  });
 });

@@ -592,23 +604,27 @@ router.post('documents.create', auth(), async ctx => {
    text,
  });

-  events.add({
+  await Event.create({
    name: 'documents.create',
-    modelId: document.id,
+    documentId: document.id,
    collectionId: document.collectionId,
    teamId: document.teamId,
    actorId: user.id,
+    data: { title: document.title },
+    ip: ctx.request.ip,
  });

  if (publish) {
    await document.publish();

-    events.add({
+    await Event.create({
      name: 'documents.publish',
-      modelId: document.id,
+      documentId: document.id,
      collectionId: document.collectionId,
      teamId: document.teamId,
      actorId: user.id,
+      data: { title: document.title },
+      ip: ctx.request.ip,
    });
  }

@@ -664,29 +680,10 @@ router.post('documents.update', auth(), async ctx => {

    if (publish) {
      await document.publish({ transaction });
-      await transaction.commit();
-
-      events.add({
-        name: 'documents.publish',
-        modelId: document.id,
-        collectionId: document.collectionId,
-        teamId: document.teamId,
-        actorId: user.id,
-      });
    } else {
      await document.save({ autosave, transaction });
-      await transaction.commit();
-
-      events.add({
-        name: 'documents.update',
-        modelId: document.id,
-        collectionId: document.collectionId,
-        teamId: document.teamId,
-        actorId: user.id,
-        autosave,
-        done,
-      });
    }
+    await transaction.commit();
  } catch (err) {
    if (transaction) {
      await transaction.rollback();
@@ -694,6 +691,32 @@ router.post('documents.update', auth(), async ctx => {
    throw err;
  }

+  if (publish) {
+    await Event.create({
+      name: 'documents.publish',
+      documentId: document.id,
+      collectionId: document.collectionId,
+      teamId: document.teamId,
+      actorId: user.id,
+      data: { title: document.title },
+      ip: ctx.request.ip,
+    });
+  } else {
+    await Event.create({
+      name: 'documents.update',
+      documentId: document.id,
+      collectionId: document.collectionId,
+      teamId: document.teamId,
+      actorId: user.id,
+      data: {
+        autosave,
+        done,
+        title: document.title,
+      },
+      ip: ctx.request.ip,
+    });
+  }
+
  ctx.body = {
    data: await presentDocument(document),
  };
@@ -735,10 +758,12 @@ router.post('documents.move', auth(), async ctx => {
  }

  const { documents, collections } = await documentMover({
+    user,
    document,
    collectionId,
    parentDocumentId,
    index,
+    ip: ctx.request.ip,
  });

  ctx.body = {
@@ -763,12 +788,14 @@ router.post('documents.archive', auth(), async ctx => {

  await document.archive(user.id);

-  events.add({
+  await Event.create({
    name: 'documents.archive',
-    modelId: document.id,
+    documentId: document.id,
    collectionId: document.collectionId,
    teamId: document.teamId,
    actorId: user.id,
+    data: { title: document.title },
+    ip: ctx.request.ip,
  });

  ctx.body = {
@@ -786,12 +813,14 @@ router.post('documents.delete', auth(), async ctx => {

  await document.delete();

-  events.add({
+  await Event.create({
    name: 'documents.delete',
-    modelId: document.id,
+    documentId: document.id,
    collectionId: document.collectionId,
    teamId: document.teamId,
    actorId: user.id,
+    data: { title: document.title },
+    ip: ctx.request.ip,
  });

  ctx.body = {
--- a/server/api/events.js
+++ b/server/api/events.js
@@ -0,0 +1,58 @@
+// @flow
+import Sequelize from 'sequelize';
+import Router from 'koa-router';
+import auth from '../middlewares/authentication';
+import pagination from './middlewares/pagination';
+import { presentEvent } from '../presenters';
+import { Event, Team, User } from '../models';
+import policy from '../policies';
+
+const Op = Sequelize.Op;
+const { authorize } = policy;
+const router = new Router();
+
+router.post('events.list', auth(), pagination(), async ctx => {
+  let { sort = 'updatedAt', direction, auditLog = false } = ctx.body;
+  if (direction !== 'ASC') direction = 'DESC';
+
+  const user = ctx.state.user;
+  const collectionIds = await user.collectionIds();
+
+  let where = {
+    name: Event.ACTIVITY_EVENTS,
+    teamId: user.teamId,
+    [Op.or]: [
+      { collectionId: collectionIds },
+      {
+        collectionId: {
+          [Op.eq]: null,
+        },
+      },
+    ],
+  };
+
+  if (auditLog) {
+    authorize(user, 'auditLog', Team);
+    where.name = Event.AUDIT_EVENTS;
+  }
+
+  const events = await Event.findAll({
+    where,
+    order: [[sort, direction]],
+    include: [
+      {
+        model: User,
+        as: 'actor',
+      },
+    ],
+    offset: ctx.state.pagination.offset,
+    limit: ctx.state.pagination.limit,
+  });
+
+  ctx.body = {
+    pagination: ctx.state.pagination,
+    data: events.map(event => presentEvent(event, auditLog)),
+  };
+});
+
+export default router;
--- a/server/api/events.test.js
+++ b/server/api/events.test.js
@@ -0,0 +1,49 @@
+/* eslint-disable flowtype/require-valid-file-annotation */
+import TestServer from 'fetch-test-server';
+import app from '../app';
+import { flushdb, seed } from '../test/support';
+import { buildEvent } from '../test/factories';
+
+const server = new TestServer(app.callback());
+
+beforeEach(flushdb);
+afterAll(server.close);
+
+describe('#events.list', async () => {
+  it('should only return activity events', async () => {
+    const { user, admin, document, collection } = await seed();
+
+    // private event
+    await buildEvent({
+      name: 'users.promote',
+      teamId: user.teamId,
+      actorId: admin.id,
+      userId: user.id,
+    });
+
+    // event viewable in activity stream
+    const event = await buildEvent({
+      name: 'documents.publish',
+      collectionId: collection.id,
+      documentId: document.id,
+      teamId: user.teamId,
+      actorId: admin.id,
+    });
+    const res = await server.post('/api/events.list', {
+      body: { token: user.getJwtToken() },
+    });
+    const body = await res.json();
+
+    expect(res.status).toEqual(200);
+    expect(body.data.length).toEqual(1);
+    expect(body.data[0].id).toEqual(event.id);
+  });
+
+  it('should require authentication', async () => {
+    const res = await server.post('/api/events.list');
+    const body = await res.json();
+
+    expect(res.status).toEqual(401);
+    expect(body).toMatchSnapshot();
+  });
+});
--- a/server/api/index.js
+++ b/server/api/index.js
@@ -4,6 +4,7 @@ import Koa from 'koa';
 import Router from 'koa-router';

 import auth from './auth';
+import events from './events';
 import users from './users';
 import collections from './collections';
 import documents from './documents';
@@ -35,6 +36,7 @@ api.use(apiWrapper());

 // routes
 router.use('/', auth.routes());
+router.use('/', events.routes());
 router.use('/', users.routes());
 router.use('/', collections.routes());
 router.use('/', documents.routes());
--- a/server/api/integrations.js
+++ b/server/api/integrations.js
@@ -3,9 +3,9 @@ import Router from 'koa-router';
 import Integration from '../models/Integration';
 import pagination from './middlewares/pagination';
 import auth from '../middlewares/authentication';
+import { Event } from '../models';
 import { presentIntegration } from '../presenters';
 import policy from '../policies';
-import events from '../events';

 const { authorize } = policy;
 const router = new Router();
@@ -38,11 +38,12 @@ router.post('integrations.delete', auth(), async ctx => {

  await integration.destroy();

-  events.add({
+  await Event.create({
    name: 'integrations.delete',
    modelId: integration.id,
    teamId: integration.teamId,
    actorId: user.id,
+    ip: ctx.request.ip,
  });

  ctx.body = {
--- a/server/api/shares.js
+++ b/server/api/shares.js
@@ -4,7 +4,7 @@ import Sequelize from 'sequelize';
 import auth from '../middlewares/authentication';
 import pagination from './middlewares/pagination';
 import { presentShare } from '../presenters';
-import { Document, User, Share, Team } from '../models';
+import { Document, User, Event, Share, Team } from '../models';
 import policy from '../policies';

 const Op = Sequelize.Op;
@@ -50,6 +50,7 @@ router.post('shares.list', auth(), pagination(), async ctx => {
  });

  ctx.body = {
+    pagination: ctx.state.pagination,
    data: shares.map(presentShare),
  };
 });
@@ -73,6 +74,17 @@ router.post('shares.create', auth(), async ctx => {
    },
  });

+  await Event.create({
+    name: 'shares.create',
+    documentId,
+    collectionId: document.collectionId,
+    modelId: share.id,
+    teamId: user.teamId,
+    actorId: user.id,
+    data: { name: document.title },
+    ip: ctx.request.ip,
+  });
+
  share.user = user;
  share.document = document;

@@ -91,6 +103,19 @@ router.post('shares.revoke', auth(), async ctx => {

  await share.revoke(user.id);

+  const document = await Document.findByPk(share.documentId);
+
+  await Event.create({
+    name: 'shares.revoke',
+    documentId: document.id,
+    collectionId: document.collectionId,
+    modelId: share.id,
+    teamId: user.teamId,
+    actorId: user.id,
+    data: { name: document.title },
+    ip: ctx.request.ip,
+  });
+
  ctx.body = {
    success: true,
  };
--- a/server/api/users.js
+++ b/server/api/users.js
@@ -86,6 +86,7 @@ router.post('users.s3Upload', auth(), async ctx => {
    },
    teamId: ctx.state.user.teamId,
    userId: ctx.state.user.id,
+    ip: ctx.request.ip,
  });

  ctx.body = {
@@ -126,6 +127,15 @@ router.post('users.promote', auth(), async ctx => {
  const team = await Team.findByPk(teamId);
  await team.addAdmin(user);

+  await Event.create({
+    name: 'users.promote',
+    actorId: ctx.state.user.id,
+    userId,
+    teamId,
+    data: { name: user.name },
+    ip: ctx.request.ip,
+  });
+
  ctx.body = {
    data: presentUser(user, { includeDetails: true }),
  };
@@ -146,6 +156,15 @@ router.post('users.demote', auth(), async ctx => {
    throw new ValidationError(err.message);
  }

+  await Event.create({
+    name: 'users.demote',
+    actorId: ctx.state.user.id,
+    userId,
+    teamId,
+    data: { name: user.name },
+    ip: ctx.request.ip,
+  });
+
  ctx.body = {
    data: presentUser(user, { includeDetails: true }),
  };
@@ -167,6 +186,15 @@ router.post('users.suspend', auth(), async ctx => {
    throw new ValidationError(err.message);
  }

+  await Event.create({
+    name: 'users.suspend',
+    actorId: ctx.state.user.id,
+    userId,
+    teamId,
+    data: { name: user.name },
+    ip: ctx.request.ip,
+  });
+
  ctx.body = {
    data: presentUser(user, { includeDetails: true }),
  };
@@ -184,6 +212,15 @@ router.post('users.activate', auth(), async ctx => {
  const team = await Team.findByPk(teamId);
  await team.activateUser(user, admin);

+  await Event.create({
+    name: 'users.activate',
+    actorId: ctx.state.user.id,
+    userId,
+    teamId,
+    data: { name: user.name },
+    ip: ctx.request.ip,
+  });
+
  ctx.body = {
    data: presentUser(user, { includeDetails: true }),
  };
@@ -196,7 +233,7 @@ router.post('users.invite', auth(), async ctx => {
  const user = ctx.state.user;
  authorize(user, 'invite', User);

-  const invitesSent = await userInviter({ user, invites });
+  const invitesSent = await userInviter({ user, invites, ip: ctx.request.ip });

  ctx.body = {
    data: invitesSent,
@@ -216,6 +253,15 @@ router.post('users.delete', auth(), async ctx => {
    throw new ValidationError(err.message);
  }

+  await Event.create({
+    name: 'users.delete',
+    actorId: user.id,
+    userId: user.id,
+    teamId: user.teamId,
+    data: { name: user.name },
+    ip: ctx.request.ip,
+  });
+
  ctx.body = {
    success: true,
  };
--- a/server/api/views.js
+++ b/server/api/views.js
@@ -2,7 +2,7 @@
 import Router from 'koa-router';
 import auth from '../middlewares/authentication';
 import { presentView } from '../presenters';
-import { View, Document, User } from '../models';
+import { View, Document, Event, User } from '../models';
 import policy from '../policies';

 const { authorize } = policy;
@@ -42,6 +42,16 @@ router.post('views.create', auth(), async ctx => {

  await View.increment({ documentId, userId: user.id });

+  await Event.create({
+    name: 'views.create',
+    actorId: user.id,
+    documentId: document.id,
+    collectionId: document.collectionId,
+    teamId: user.teamId,
+    data: { title: document.title },
+    ip: ctx.request.ip,
+  });
+
  ctx.body = {
    success: true,
  };