adminFront에 Audit Log 기능 추가

2026-01-28 16:15:44 +09:00
parent f33f417045
commit 3e95650024
7 changed files with 633 additions and 133 deletions
--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -5,6 +5,7 @@ import (
 	"baron-sso-backend/internal/handler"
 	"baron-sso-backend/internal/idp"
 	"baron-sso-backend/internal/logger"
+	"baron-sso-backend/internal/middleware"
 	"baron-sso-backend/internal/repository"
 	"baron-sso-backend/internal/service"
 	"baron-sso-backend/internal/validator"
@@ -335,6 +336,13 @@ func main() {

 	// API Group
 	api := app.Group("/api/v1")
+	api.Use(middleware.RequireAudit(middleware.AuditRequiredConfig{
+		Repo: auditRepo,
+		ExcludePaths: map[string]struct{}{
+			"/api/v1/audit":      {},
+			"/api/v1/client-log": {},
+		},
+	}))
 	api.Post("/audit", auditHandler.CreateLog)
 	api.Get("/audit", auditHandler.ListLogs)

--- a/backend/internal/domain/models.go
+++ b/backend/internal/domain/models.go
@@ -7,6 +7,7 @@ import (

 // AuditLog represents a single audit event
 type AuditLog struct {
+	EventID   string    `json:"event_id"`
 	Timestamp time.Time `json:"timestamp"`
 	UserID    string    `json:"user_id"`
 	EventType string    `json:"event_type"` // e.g., "login_success", "login_failed", "otp_sent"
@@ -20,6 +21,11 @@ type AuditLog struct {
 // AuditRepository defines interface for storing logs
 type AuditRepository interface {
 	Create(log *AuditLog) error
-	FindAll(ctx context.Context, limit, offset int) ([]AuditLog, error)
+	FindPage(ctx context.Context, limit int, cursor *AuditCursor) ([]AuditLog, error)
 	Ping(ctx context.Context) error
 }
+
+type AuditCursor struct {
+	Timestamp time.Time
+	EventID   string
+}
--- a/backend/internal/handler/audit_handler.go
+++ b/backend/internal/handler/audit_handler.go
@@ -2,9 +2,13 @@ package handler

 import (
 	"baron-sso-backend/internal/domain"
+	"encoding/base64"
+	"errors"
+	"strings"
 	"time"

 	"github.com/gofiber/fiber/v2"
+	"github.com/google/uuid"
 )

 type AuditHandler struct {
@@ -34,6 +38,9 @@ func (h *AuditHandler) CreateLog(c *fiber.Ctx) error {
 	if req.Timestamp.IsZero() {
 		req.Timestamp = time.Now()
 	}
+	if req.EventID == "" {
+		req.EventID = ensureRequestID(c)
+	}

 	if err := h.repo.Create(&req); err != nil {
 		// Log internal error but don't expose details
@@ -50,18 +57,68 @@ func (h *AuditHandler) CreateLog(c *fiber.Ctx) error {
 // ListLogs handles GET /api/v1/audit
 func (h *AuditHandler) ListLogs(c *fiber.Ctx) error {
 	limit := c.QueryInt("limit", 50)
-	offset := c.QueryInt("offset", 0)
+	cursorRaw := c.Query("cursor")
+	cursor, err := parseAuditCursor(cursorRaw)
+	if err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{
+			"error": "Invalid cursor",
+		})
+	}

-	logs, err := h.repo.FindAll(c.Context(), limit, offset)
+	logs, err := h.repo.FindPage(c.Context(), limit+1, cursor)
 	if err != nil {
 		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{
 			"error": "Failed to retrieve audit logs",
 		})
 	}

+	nextCursor := ""
+	if len(logs) > limit {
+		last := logs[limit-1]
+		nextCursor = encodeAuditCursor(last)
+		logs = logs[:limit]
+	}
+
 	return c.JSON(fiber.Map{
-		"items":  logs,
-		"limit":  limit,
-		"offset": offset,
+		"items":       logs,
+		"limit":       limit,
+		"cursor":      cursorRaw,
+		"next_cursor": nextCursor,
 	})
 }
+
+func ensureRequestID(c *fiber.Ctx) string {
+	reqID := c.Get("X-Request-Id")
+	if reqID == "" {
+		reqID = uuid.New().String()
+		c.Set("X-Request-Id", reqID)
+	}
+	return reqID
+}
+
+func parseAuditCursor(raw string) (*domain.AuditCursor, error) {
+	if raw == "" {
+		return nil, nil
+	}
+	decoded, err := base64.RawURLEncoding.DecodeString(raw)
+	if err != nil {
+		return nil, err
+	}
+	parts := strings.SplitN(string(decoded), "|", 2)
+	if len(parts) != 2 {
+		return nil, errors.New("invalid cursor")
+	}
+	ts, err := time.Parse(time.RFC3339Nano, parts[0])
+	if err != nil {
+		return nil, err
+	}
+	return &domain.AuditCursor{
+		Timestamp: ts,
+		EventID:   parts[1],
+	}, nil
+}
+
+func encodeAuditCursor(log domain.AuditLog) string {
+	payload := log.Timestamp.UTC().Format(time.RFC3339Nano) + "|" + log.EventID
+	return base64.RawURLEncoding.EncodeToString([]byte(payload))
+}
--- a/backend/internal/middleware/audit_required.go
+++ b/backend/internal/middleware/audit_required.go
@@ -0,0 +1,106 @@
+package middleware
+
+import (
+	"baron-sso-backend/internal/domain"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"time"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/google/uuid"
+)
+
+type AuditRequiredConfig struct {
+	Repo           domain.AuditRepository
+	ExcludePaths   map[string]struct{}
+	CommandMethods map[string]struct{}
+}
+
+func RequireAudit(config AuditRequiredConfig) fiber.Handler {
+	commandMethods := config.CommandMethods
+	if len(commandMethods) == 0 {
+		commandMethods = map[string]struct{}{
+			fiber.MethodPost:   {},
+			fiber.MethodPut:    {},
+			fiber.MethodPatch:  {},
+			fiber.MethodDelete: {},
+		}
+	}
+
+	excludePaths := config.ExcludePaths
+	if excludePaths == nil {
+		excludePaths = map[string]struct{}{}
+	}
+
+	return func(c *fiber.Ctx) error {
+		if _, ok := commandMethods[c.Method()]; !ok {
+			return c.Next()
+		}
+		if _, excluded := excludePaths[c.Path()]; excluded {
+			return c.Next()
+		}
+		if config.Repo == nil {
+			return fiber.NewError(fiber.StatusServiceUnavailable, "audit repository unavailable")
+		}
+
+		start := time.Now()
+		reqID := c.Get("X-Request-Id")
+		if reqID == "" {
+			reqID = uuid.New().String()
+			c.Set("X-Request-Id", reqID)
+		}
+
+		err := c.Next()
+		latency := time.Since(start)
+
+		status := c.Response().StatusCode()
+		if err != nil {
+			if fiberErr, ok := err.(*fiber.Error); ok {
+				status = fiberErr.Code
+			} else {
+				status = fiber.StatusInternalServerError
+			}
+		}
+
+		statusText := "success"
+		if status >= fiber.StatusBadRequest {
+			statusText = "failure"
+		}
+
+		details := map[string]any{
+			"request_id": reqID,
+			"method":     c.Method(),
+			"path":       c.Path(),
+			"status":     status,
+			"latency_ms": latency.Milliseconds(),
+		}
+		if err != nil {
+			details["error"] = err.Error()
+		}
+
+		detailsJSON, jsonErr := json.Marshal(details)
+		if jsonErr != nil {
+			slog.Warn("failed to marshal audit details", "error", jsonErr, "req_id", reqID)
+		}
+
+		auditLog := &domain.AuditLog{
+			EventID:   reqID,
+			Timestamp: time.Now(),
+			UserID:    "",
+			EventType: fmt.Sprintf("%s %s", c.Method(), c.Path()),
+			Status:    statusText,
+			IPAddress: c.IP(),
+			UserAgent: c.Get("User-Agent"),
+			DeviceID:  "",
+			Details:   string(detailsJSON),
+		}
+
+		if createErr := config.Repo.Create(auditLog); createErr != nil {
+			slog.Error("audit log write failed", "error", createErr, "req_id", reqID, "path", c.Path())
+			return fiber.NewError(fiber.StatusServiceUnavailable, "audit logging unavailable")
+		}
+
+		return err
+	}
+}
--- a/backend/internal/repository/clickhouse_repo.go
+++ b/backend/internal/repository/clickhouse_repo.go
@@ -36,6 +36,7 @@ func NewClickHouseRepository(host string, port int, user, password, db string) (
 	// Note: In production, use migrations.
 	query := `
 	CREATE TABLE IF NOT EXISTS audit_logs (
+		event_id String,
 		timestamp DateTime DEFAULT now(),
 		user_id String,
 		event_type String,
@@ -51,6 +52,14 @@ func NewClickHouseRepository(host string, port int, user, password, db string) (
 		return nil, fmt.Errorf("failed to create table: %w", err)
 	}

+	alterQuery := `
+		ALTER TABLE audit_logs
+		ADD COLUMN IF NOT EXISTS event_id String
+	`
+	if err := conn.Exec(context.Background(), alterQuery); err != nil {
+		return nil, fmt.Errorf("failed to alter table: %w", err)
+	}
+
 	return &ClickHouseRepository{conn: conn}, nil
 }

@@ -63,10 +72,11 @@ func (r *ClickHouseRepository) Create(log *domain.AuditLog) error {
 	}

 	query := `
-		INSERT INTO audit_logs (timestamp, user_id, event_type, status, ip_address, user_agent, device_id, details)
-		VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+		INSERT INTO audit_logs (event_id, timestamp, user_id, event_type, status, ip_address, user_agent, device_id, details)
+		VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
 	`
 	return r.conn.Exec(ctx, query,
+		log.EventID,
 		log.Timestamp,
 		log.UserID,
 		log.EventType,
@@ -78,21 +88,28 @@ func (r *ClickHouseRepository) Create(log *domain.AuditLog) error {
 	)
 }

-func (r *ClickHouseRepository) FindAll(ctx context.Context, limit, offset int) ([]domain.AuditLog, error) {
+func (r *ClickHouseRepository) FindPage(ctx context.Context, limit int, cursor *domain.AuditCursor) ([]domain.AuditLog, error) {
 	if limit <= 0 {
 		limit = 50
 	}
-	if offset < 0 {
-		offset = 0
-	}
-
 	query := `
-		SELECT timestamp, user_id, event_type, status, ip_address, user_agent, device_id, details
+		SELECT event_id, timestamp, user_id, event_type, status, ip_address, user_agent, device_id, details
 		FROM audit_logs
-		ORDER BY timestamp DESC
-		LIMIT ? OFFSET ?
 	`
-	rows, err := r.conn.Query(ctx, query, limit, offset)
+	args := make([]any, 0, 4)
+	if cursor != nil {
+		query += `
+		WHERE (timestamp < ?) OR (timestamp = ? AND event_id < ?)
+		`
+		args = append(args, cursor.Timestamp, cursor.Timestamp, cursor.EventID)
+	}
+	query += `
+		ORDER BY timestamp DESC, event_id DESC
+		LIMIT ?
+	`
+	args = append(args, limit)
+
+	rows, err := r.conn.Query(ctx, query, args...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to query audit logs: %w", err)
 	}
@@ -102,6 +119,7 @@ func (r *ClickHouseRepository) FindAll(ctx context.Context, limit, offset int) (
 	for rows.Next() {
 		var log domain.AuditLog
 		if err := rows.Scan(
+			&log.EventID,
 			&log.Timestamp,
 			&log.UserID,
 			&log.EventType,