fix: attach auditLog middleware to JWT admin dispute endpoints #41
ogazboiz
left a comment
This is correct: the auditLog middleware is attached on both /disputes/:disputeId/resolve and /disputes/:disputeId/reject after requireJwtAuth + requireRoles("admin"), so req.user.publicKey is the actor. It's a real INSERT into audit_logs (columns match migration 1780000000010), and the DB write is fire-and-forget with its own try/catch + logger.error and a synchronous next(), so a DB error can't block or crash the request. Nice. One mechanical thing:
- Prettier fails on src/tests/loanDispute.test.ts (CI's lint step fails the whole job on it). Run: npx prettier --write src/tests/loanDispute.test.ts
Fix that and it's good to merge.
If you want to keep contributing, join us on Telegram: https://t.me/+DOylgFv1jyJlNzM0
ogazboiz
left a comment
The auditLog middleware is correctly attached on both dispute resolve/reject routes after requireJwtAuth + requireRoles('admin'), the extractTarget handles disputeId, and the test verifies the INSERT INTO audit_logs fires with redaction. Looks good.
This PR resolves an issue where the JWT-protected admin dispute endpoints (/disputes/:disputeId/resolve and /disputes/:disputeId/reject) were not logging audit events, despite modifying loan default status.
What was done:
- Added the auditLog middleware to POST /disputes/:disputeId/resolve and POST /disputes/:disputeId/reject in src/routes/adminRoutes.ts.
- Updated the extractTarget function in src/middleware/auditLog.ts to properly identify and extract disputeId from the request parameters (logged as DisputeID:).
- Included a test in src/tests/loanDispute.test.ts to assert that the audit_logs insertion query fires upon JWT resolution, ensuring the admin public key is recorded while sensitive fields (like tokens/passwords) remain redacted by the sanitizer.
How it was verified:
- Verified that the standard unit tests via Jest pass without mock conflicts.
- Verified that the test specifically tracks and logs the payload safely while confirming that the JWT endpoint triggers the asynchronous INSERT INTO audit_logs properly.
Closes #13
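The middleware shape the review and the PR description describe (actor taken from req.user.publicKey, target derived from disputeId, sensitive body fields redacted, DB insert fired without awaiting, next() called synchronously) as an added, self-contained example. This is not the project's code: the Req/AuditRow types, the redaction key pattern, and the simulate() driver are assumptions for illustration.

```typescript
// Added example (hypothetical types/names, not the project's own middleware).
type Req = { method: string; path: string; params: Record<string, string>; body: unknown; user?: { publicKey: string } };
type Next = () => void;
type AuditRow = { actor: string | null; action: string; target: string | null; payload: unknown };

// Assumed redaction rule: any key that looks like a credential is masked.
const SENSITIVE = /token|password|secret|authorization/i;

function redact(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SENSITIVE.test(k) ? "[REDACTED]" : redact(v);
    }
    return out;
  }
  return value;
}

// Target identifier with the "DisputeID:" prefix the PR mentions.
function extractTarget(params: Record<string, string>): string | null {
  return params.disputeId ? `DisputeID:${params.disputeId}` : null;
}

// insert stands in for the INSERT INTO audit_logs; logError stands in for logger.error.
function auditLog(insert: (row: AuditRow) => Promise<void>, logError: (msg: string) => void) {
  return (req: Req, _res: unknown, next: Next): void => {
    const row: AuditRow = {
      actor: req.user?.publicKey ?? null, // populated earlier by the JWT auth middleware
      action: `${req.method} ${req.path}`,
      target: extractTarget(req.params),
      payload: redact(req.body),
    };
    try {
      // Not awaited: the request proceeds whether or not the write succeeds.
      insert(row).catch((err) => logError(`audit insert failed: ${String(err)}`));
    } catch (err) {
      logError(`audit insert threw: ${String(err)}`); // synchronous failure path
    }
    next(); // synchronous, so a slow or broken DB cannot stall the handler
  };
}

// Drive the middleware once and report what a test would observe.
function simulate(insert: (row: AuditRow) => Promise<void>, req: Req) {
  const rows: AuditRow[] = [];
  const errors: string[] = [];
  let nextCalled = false;
  const mw = auditLog((row) => { rows.push(row); return insert(row); }, (m) => errors.push(m));
  mw(req, {}, () => { nextCalled = true; });
  return { rows, errors, nextCalled };
}
```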