DouglasNeuroInformatics
diff --git a/‎apps/api/prisma/schema.prisma‎
Lines changed: 36 additions & 4 deletions b/‎apps/api/prisma/schema.prisma‎
Lines changed: 36 additions & 4 deletions
diff --git a/‎apps/api/src/assignments/assignments.controller.ts‎
Lines changed: 5 additions & 4 deletions b/‎apps/api/src/assignments/assignments.controller.ts‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎apps/api/src/assignments/assignments.service.ts‎
Lines changed: 25 additions & 5 deletions b/‎apps/api/src/assignments/assignments.service.ts‎
Lines changed: 25 additions & 5 deletions
diff --git a/‎apps/api/src/audit/audit.controller.ts‎
Lines changed: 23 additions & 0 deletions b/‎apps/api/src/audit/audit.controller.ts‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎apps/api/src/audit/audit.logger.ts‎
Lines changed: 29 additions & 0 deletions b/‎apps/api/src/audit/audit.logger.ts‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎apps/api/src/audit/audit.module.ts‎
Lines changed: 13 additions & 0 deletions b/‎apps/api/src/audit/audit.module.ts‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎apps/api/src/audit/audit.service.ts‎
Lines changed: 28 additions & 0 deletions b/‎apps/api/src/audit/audit.service.ts‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎apps/api/src/auth/auth.service.ts‎
Lines changed: 14 additions & 11 deletions b/‎apps/api/src/auth/auth.service.ts‎
Lines changed: 14 additions & 11 deletions
diff --git a/‎apps/api/src/gateway/gateway.synchronizer.ts‎
Lines changed: 1 addition & 3 deletions b/‎apps/api/src/gateway/gateway.synchronizer.ts‎
Lines changed: 1 addition & 3 deletions
diff --git a/‎apps/api/src/main.ts‎
Lines changed: 2 additions & 0 deletions b/‎apps/api/src/main.ts‎
Lines changed: 2 additions & 0 deletions
@@ -27,6 +27,36 @@ type EncryptionKeyPair {
   privateKey Bytes
 }
 
+enum AuditLogAction {
+  CREATE
+  UPDATE
+  DELETE
+  LOGIN
+}
+
+enum AuditLogEntity {
+  ASSIGNMENT
+  GROUP
+  INSTRUMENT_RECORD
+  INSTRUMENT
+  SUBJECT
+  SESSION
+  USER
+}
+
+model AuditLog {
+  id        String         @id @default(auto()) @map("_id") @db.ObjectId
+  action    AuditLogAction
+  entity    AuditLogEntity
+  group     Group?         @relation(fields: [groupId], references: [id])
+  groupId   String?        @db.ObjectId
+  timestamp Int
+  user      User?          @relation(fields: [userId], references: [id])
+  userId    String?        @db.ObjectId
+
+  @@map("AuditLogModel")
+}
+
 model Assignment {
   createdAt         DateTime          @default(now()) @db.Date
   updatedAt         DateTime          @updatedAt @db.Date
@@ -68,7 +98,7 @@ type GroupSettings {
   defaultIdentificationMethod   SubjectIdentificationMethod
   idValidationRegex             String?
   idValidationRegexErrorMessage ErrorMessage?
-  subjectIdDisplayLength        Int?  
+  subjectIdDisplayLength        Int?
 }
 
 model Group {
@@ -78,12 +108,13 @@ model Group {
   accessibleInstrumentIds String[]
   accessibleInstruments   Instrument[]       @relation(fields: [accessibleInstrumentIds], references: [id])
   assignments             Assignment[]
+  auditLogs               AuditLog[]
   instrumentRecords       InstrumentRecord[]
   name                    String             @unique
   settings                GroupSettings
   sessions                Session[]
   subjects                Subject[]          @relation(fields: [subjectIds], references: [id])
-  subjectIds              String[]           
+  subjectIds              String[]
   type                    GroupType
   userIds                 String[]           @db.ObjectId
   users                   User[]             @relation(fields: [userIds], references: [id])
@@ -199,6 +230,7 @@ model User {
   createdAt             DateTime             @default(now()) @db.Date
   updatedAt             DateTime             @updatedAt @db.Date
   id                    String               @id @default(auto()) @map("_id") @db.ObjectId
+  auditLogs             AuditLog[]
   basePermissionLevel   BasePermissionLevel?
   additionalPermissions AuthRule[]
   firstName             String
@@ -230,8 +262,8 @@ model Session {
   instrumentRecords InstrumentRecord[]
   subject           Subject?           @relation(fields: [subjectId], references: [id])
   subjectId         String
-  user              User?              @relation(fields: [userId], references: [id])         
-  userId            String?
+  user              User?              @relation(fields: [userId], references: [id])
+  userId            String?            @db.ObjectId
   type              SessionType
 
@@map("SessionModel")
 
@@ -1,4 +1,5 @@
 import { CurrentUser } from '@douglasneuroinformatics/libnest';
+import type { RequestUser } from '@douglasneuroinformatics/libnest';
 import { Body, Controller, Get, Param, Patch, Post, Query } from '@nestjs/common';
 import { ApiOperation } from '@nestjs/swagger';
 import type { Assignment } from '@opendatacapture/schemas/assignment';
@@ -17,8 +18,8 @@ export class AssignmentsController {
   @ApiOperation({ summary: 'Create Assignment' })
   @Post()
   @RouteAccess({ action: 'create', subject: 'Assignment' })
-  create(@Body() data: CreateAssignmentDto): Promise<Assignment> {
-    return this.assignmentsService.create(data);
+  create(@Body() data: CreateAssignmentDto, @CurrentUser() currentUser: RequestUser): Promise<Assignment> {
+    return this.assignmentsService.create(data, currentUser);
   }
 
   @ApiOperation({ summary: 'Get All Assignments' })
@@ -31,7 +32,7 @@ export class AssignmentsController {
   @ApiOperation({ summary: 'Update Assignment' })
   @Patch(':id')
   @RouteAccess({ action: 'update', subject: 'Assignment' })
-  updateById(@Param('id') id: string, @Body() data: UpdateAssignmentDto, @CurrentUser('ability') ability?: AppAbility) {
-    return this.assignmentsService.updateById(id, data, { ability });
+  updateById(@Param('id') id: string, @Body() data: UpdateAssignmentDto, @CurrentUser() currentUser: RequestUser) {
+    return this.assignmentsService.updateById(id, data, currentUser);
   }
 }
@@ -2,10 +2,11 @@ import crypto from 'node:crypto';
 
 import { HybridCrypto } from '@douglasneuroinformatics/libcrypto';
 import { ConfigService, InjectModel } from '@douglasneuroinformatics/libnest';
-import type { Model } from '@douglasneuroinformatics/libnest';
+import type { Model, RequestUser } from '@douglasneuroinformatics/libnest';
 import { Injectable, NotFoundException } from '@nestjs/common';
 import type { Assignment, UpdateAssignmentData } from '@opendatacapture/schemas/assignment';
 
+import { AuditLogger } from '@/audit/audit.logger';
 import { accessibleQuery } from '@/auth/ability.utils';
 import type { EntityOperationOptions } from '@/core/types';
 import { GatewayService } from '@/gateway/gateway.service';
@@ -19,6 +20,7 @@ export class AssignmentsService {
   constructor(
     @InjectModel('Assignment') private readonly assignmentModel: Model<'Assignment'>,
     configService: ConfigService,
+    private readonly auditLogger: AuditLogger,
     private readonly gatewayService: GatewayService
   ) {
     if (configService.get('NODE_ENV') === 'production') {
@@ -30,7 +32,10 @@ export class AssignmentsService {
     }
   }
 
-  async create({ expiresAt, groupId, instrumentId, subjectId }: CreateAssignmentDto): Promise<Assignment> {
+  async create(
+    { expiresAt, groupId, instrumentId, subjectId }: CreateAssignmentDto,
+    currentUser: RequestUser
+  ): Promise<Assignment> {
     const { privateKey, publicKey } = await HybridCrypto.generateKeyPair();
     const id = crypto.randomUUID();
     const assignment = await this.assignmentModel.create({
@@ -68,6 +73,7 @@ export class AssignmentsService {
       await this.assignmentModel.delete({ where: { id } });
       throw err;
     }
+    await this.auditLogger.log('CREATE', 'ASSIGNMENT', { groupId: groupId ?? null, userId: currentUser.id });
     return assignment;
   }
 
@@ -92,13 +98,27 @@ export class AssignmentsService {
     return assignment;
   }
 
-  async updateById(id: string, data: UpdateAssignmentData, { ability }: EntityOperationOptions = {}) {
+  async updateById(id: string, data: UpdateAssignmentData, currentUser: RequestUser) {
     if (data.status === 'CANCELED') {
       await this.gatewayService.deleteRemoteAssignment(id);
     }
-    return this.assignmentModel.update({
+    const assignment = await this.assignmentModel.update({
       data,
-      where: { AND: [accessibleQuery(ability, 'update', 'Assignment')], id }
+      where: { AND: [accessibleQuery(currentUser.ability, 'update', 'Assignment')], id }
+    });
+    await this.auditLogger.log('UPDATE', 'ASSIGNMENT', { groupId: assignment.groupId, userId: currentUser.id });
+    return assignment;
+  }
+
+  /** used by the gateway internal system */
+  async updateStatusById(id: string, status: UpdateAssignmentData['status']) {
+    return this.assignmentModel.update({
+      data: {
+        status
+      },
+      where: {
+        id
+      }
     });
   }
 }
@@ -0,0 +1,23 @@
+import { ParseSchemaPipe } from '@douglasneuroinformatics/libnest';
+import { Controller, Get, Query } from '@nestjs/common';
+import { $AuditLogsQuerySearchParams } from '@opendatacapture/schemas/audit';
+import type { $AuditLog } from '@opendatacapture/schemas/audit';
+import { z } from 'zod/v4';
+
+import { RouteAccess } from '@/core/decorators/route-access.decorator';
+
+import { AuditService } from './audit.service';
+
+@Controller('audit')
+export class AuditController {
+  constructor(private readonly auditService: AuditService) {}
+
+  @Get('logs')
+  @RouteAccess({ action: 'manage', subject: 'all' })
+  find(
+    @Query(new ParseSchemaPipe({ schema: $AuditLogsQuerySearchParams }))
+    query: z.infer<typeof $AuditLogsQuerySearchParams>
+  ): Promise<$AuditLog[]> {
+    return this.auditService.find(query);
+  }
+}
@@ -0,0 +1,29 @@
+import { InjectModel } from '@douglasneuroinformatics/libnest';
+import type { Model } from '@douglasneuroinformatics/libnest';
+import { Injectable } from '@nestjs/common';
+import type { $AuditLogAction, $AuditLogEntity } from '@opendatacapture/schemas/audit';
+
+@Injectable()
+export class AuditLogger {
+  constructor(@InjectModel('AuditLog') private readonly auditLogModel: Model<'AuditLog'>) {}
+
+  async log(
+    action: $AuditLogAction,
+    entity: $AuditLogEntity,
+    params: { groupId: null | string; userId: string }
+  ): Promise<void> {
+    await this.auditLogModel.create({
+      data: {
+        action,
+        entity,
+        group: params.groupId ? { connect: { id: params.groupId } } : undefined,
+        timestamp: Date.now(),
+        user: {
+          connect: {
+            id: params.userId
+          }
+        }
+      }
+    });
+  }
+}
@@ -0,0 +1,13 @@
+import { Global, Module } from '@nestjs/common';
+
+import { AuditController } from './audit.controller';
+import { AuditLogger } from './audit.logger';
+import { AuditService } from './audit.service';
+
+@Global()
+@Module({
+  controllers: [AuditController],
+  exports: [AuditLogger],
+  providers: [AuditLogger, AuditService]
+})
+export class AuditModule {}
@@ -0,0 +1,28 @@
+import { InjectModel } from '@douglasneuroinformatics/libnest';
+import type { Model } from '@douglasneuroinformatics/libnest';
+import { Injectable } from '@nestjs/common';
+import type { $AuditLog, $AuditLogsQuerySearchParams } from '@opendatacapture/schemas/audit';
+
+@Injectable()
+export class AuditService {
+  constructor(@InjectModel('AuditLog') private readonly auditLogModel: Model<'AuditLog'>) {}
+
+  async find({ action, entity, groupId, userId }: $AuditLogsQuerySearchParams): Promise<$AuditLog[]> {
+    return this.auditLogModel.findMany({
+      select: {
+        action: true,
+        entity: true,
+        group: { select: { name: true } },
+        id: true,
+        timestamp: true,
+        user: { select: { username: true } }
+      },
+      where: {
+        action,
+        entity,
+        groupId,
+        userId
+      }
+    });
+  }
+}
@@ -5,6 +5,7 @@ import { JwtService } from '@nestjs/jwt';
 import type { $LoginCredentials, TokenPayload } from '@opendatacapture/schemas/auth';
 import type { Group, User } from '@prisma/client';
 
+import { AuditLogger } from '@/audit/audit.logger';
 import { UsersService } from '@/users/users.service';
 
 import { AbilityFactory } from './ability.factory';
@@ -13,6 +14,7 @@ import { AbilityFactory } from './ability.factory';
 export class AuthService {
   constructor(
     private readonly abilityFactory: AbilityFactory,
+    private readonly auditLogger: AuditLogger,
     private readonly cryptoService: CryptoService,
     private readonly jwtService: JwtService,
     private readonly usersService: UsersService
@@ -52,22 +54,23 @@ export class AuthService {
       basePermissionLevel: user.basePermissionLevel,
       firstName: user.firstName,
       groups: user.groups,
+      id: user.id,
       lastName: user.lastName,
       username: user.username
     };
 
     const ability = this.abilityFactory.createForPayload(tokenPayload);
 
-    return {
-      accessToken: await this.jwtService.signAsync(
-        {
-          ...tokenPayload,
-          permissions: ability.rules
-        },
-        {
-          expiresIn: '1h'
-        }
-      )
-    };
+    const accessToken = await this.jwtService.signAsync(
+      { ...tokenPayload, permissions: ability.rules },
+      { expiresIn: '1h' }
+    );
+
+    await this.auditLogger.log('LOGIN', 'USER', {
+      groupId: null,
+      userId: user.id
+    });
+
+    return { accessToken };
   }
 }
@@ -162,9 +162,7 @@ export class GatewaySynchronizer implements OnApplicationBootstrap {
       } else {
         await this.gatewayService.deleteRemoteAssignment(assignment.id);
       }
-      await this.assignmentsService.updateById(assignment.id, {
-        status: assignment.status
-      });
+      await this.assignmentsService.updateStatusById(assignment.id, assignment.status);
     }
     this.loggingService.log('Done synchronizing with gateway');
   }
 
@@ -1,6 +1,7 @@
 import { AppFactory, PrismaModule } from '@douglasneuroinformatics/libnest';
 
 import { AssignmentsModule } from './assignments/assignments.module';
+import { AuditModule } from './audit/audit.module';
 import { AuthModule } from './auth/auth.module';
 import { PrismaModuleOptionsFactory } from './core/prisma';
 import { $Env } from './core/schemas/env.schema';
@@ -37,6 +38,7 @@ export default AppFactory.create({
   },
   envSchema: $Env,
   imports: [
+    AuditModule,
     AuthModule,
     GroupsModule,
     InstrumentRecordsModule,
Original file line number	Diff line number	Diff line change
`@@ -162,9 +162,7 @@ export class GatewaySynchronizer implements OnApplicationBootstrap {`
`162`	`162`	`} else {`
`163`	`163`	`await this.gatewayService.deleteRemoteAssignment(assignment.id);`
`164`	`164`	`}`
`165`		`- await this.assignmentsService.updateById(assignment.id, {`
`166`		`- status: assignment.status`
`167`		`- });`
	`165`	`+ await this.assignmentsService.updateStatusById(assignment.id, assignment.status);`
`168`	`166`	`}`
`169`	`167`	`this.loggingService.log('Done synchronizing with gateway');`
`170`	`168`	`}`