⚡ Optimized audit, event logging system

✨ Audit logs
✨ Admin edit user permissions

.idea/workspace.xml

@@ -4,10 +4,14 @@
     <option name="autoReloadType" value="ALL" />
   </component>
   <component name="ChangeListManager">
-    <list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":sparkles: Password reset &amp; user lookup API">
+    <list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":recycle: Optimized the initial permission system">
+      <change afterPath="$PROJECT_DIR$/pkg/internal/models/audit.go" afterDir="false" />
+      <change afterPath="$PROJECT_DIR$/pkg/internal/server/admin/permissions_api.go" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/internal/services/accounts.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/services/accounts.go" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/internal/database/migrator.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/database/migrator.go" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/settings.toml" beforeDir="false" afterPath="$PROJECT_DIR$/settings.toml" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/internal/server/admin/index.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/server/admin/index.go" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/internal/services/events.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/services/events.go" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/main.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/main.go" afterDir="false" />
     </list>
     <option name="SHOW_DIALOG" value="false" />
     <option name="HIGHLIGHT_CONFLICTS" value="true" />
@@ -153,7 +157,6 @@
     </option>
   </component>
   <component name="VcsManagerConfiguration">
-    <MESSAGE value=":sparkles: Can pick up mfa request" />
     <MESSAGE value=":sparkles: Status system" />
     <MESSAGE value=":bug: Fix status expired in cache" />
     <MESSAGE value=":bug: Fix online condition" />
@@ -178,7 +181,8 @@
     <MESSAGE value=":recycle: Improve notify API" />
     <MESSAGE value=":sparkles: Reset password APIs" />
     <MESSAGE value=":sparkles: Password reset &amp; user lookup API" />
-    <option name="LAST_COMMIT_MESSAGE" value=":sparkles: Password reset &amp; user lookup API" />
+    <MESSAGE value=":recycle: Optimized the initial permission system" />
+    <option name="LAST_COMMIT_MESSAGE" value=":recycle: Optimized the initial permission system" />
   </component>
   <component name="VgoProject">
     <settings-migrated>true</settings-migrated>

pkg/internal/database/migrator.go

@@ -21,6 +21,7 @@ var AutoMaintainRange = []any{
 	&models.ActionEvent{},
 	&models.Notification{},
 	&models.NotificationSubscriber{},
+	&models.AuditRecord{},
 }
 
 func RunMigration(source *gorm.DB) error {

pkg/internal/models/audit.go

@@ -0,0 +1,13 @@
+package models
+
+import "gorm.io/datatypes"
+
+type AuditRecord struct {
+	BaseModel
+
+	Action    string            `json:"action"`
+	Metadata  datatypes.JSONMap `json:"metadata"`
+	UserAgent string            `json:"user_agent"`
+	IpAddress string            `json:"ip_address"`
+	AccountID uint              `json:"account_id"`
+}

pkg/internal/server/admin/index.go

@@ -11,5 +11,7 @@ func MapAdminAPIs(app *fiber.App) {
 		admin.Delete("/badges/:badgeId", revokeBadge)
 
 		admin.Post("/notify/all", notifyAllUser)
+
+		admin.Put("/users/:user/permissions", editUserPermission)
 	}
 }

pkg/internal/server/admin/permissions_api.go

@@ -0,0 +1,46 @@
+package admin
+
+import (
+	"fmt"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/server/exts"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/services"
+	"github.com/gofiber/fiber/v2"
+)
+
+func editUserPermission(c *fiber.Ctx) error {
+	userId, _ := c.ParamsInt("user")
+
+	if err := exts.EnsureGrantedPerm(c, "AdminUserPermission", true); err != nil {
+		return err
+	}
+	operator := c.Locals("user").(models.Account)
+
+	var data struct {
+		PermNodes map[string]any `json:"perm_nodes" validate:"required"`
+	}
+
+	if err := exts.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	var user models.Account
+	if err := database.C.Where("id = ?", userId).First(&user).Error; err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("account was not found: %v", err))
+	}
+
+	prev := user.PermNodes
+	user.PermNodes = data.PermNodes
+
+	if err := database.C.Save(&user).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	} else {
+		services.AddAuditRecord(operator, "user.permissions.edit", c.IP(), c.Get(fiber.HeaderUserAgent), map[string]any{
+			"previous_permissions": prev,
+			"new_permissions":      data.PermNodes,
+		})
+	}
+
+	return c.SendStatus(fiber.StatusOK)
+}

pkg/internal/services/events.go

@@ -3,18 +3,46 @@ package services
 import (
 	"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
 	"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
+	"github.com/rs/zerolog/log"
 )
 
-func AddEvent(user models.Account, event, target, ip, ua string) models.ActionEvent {
+var writeEventQueue []models.ActionEvent
-	evt := models.ActionEvent{
+var writeAuditQueue []models.AuditRecord
+
+// AddEvent to keep operation logs by user themselves clear to query
+func AddEvent(user models.Account, event, target, ip, ua string) {
+	writeEventQueue = append(writeEventQueue, models.ActionEvent{
 		Type:      event,
 		Target:    target,
 		IpAddress: ip,
 		UserAgent: ua,
 		AccountID: user.ID,
+	})
 }
 
-	database.C.Save(&evt)
+// AddAuditRecord to keep logs to make administrators' operations clear to query
-
+func AddAuditRecord(operator models.Account, act, ip, ua string, metadata map[string]any) {
-	return evt
+	writeAuditQueue = append(writeAuditQueue, models.AuditRecord{
+		Action:    act,
+		Metadata:  metadata,
+		IpAddress: ip,
+		UserAgent: ua,
+		AccountID: operator.ID,
+	})
+}
+
+// SaveEventChanges runs every 60 seconds to save events / audits changes into database
+func SaveEventChanges() {
+	if len(writeEventQueue) > 0 {
+		count := len(writeEventQueue)
+		database.C.CreateInBatches(writeEventQueue, min(count, 1000))
+		log.Info().Int("count", count).Msg("Saved action events changes into database...")
+		clear(writeEventQueue)
+	}
+	if len(writeAuditQueue) > 0 {
+		count := len(writeAuditQueue)
+		database.C.CreateInBatches(writeAuditQueue, min(count, 1000))
+		log.Info().Int("count", count).Msg("Saved audit records changes into database...")
+		clear(writeAuditQueue)
+	}
 }

pkg/main.go

@@ -70,6 +70,7 @@ func main() {
 	quartz.AddFunc("@every 60s", services.RecycleAuthContext)
 	quartz.AddFunc("@every 60m", services.RecycleUnConfirmAccount)
 	quartz.AddFunc("@every 5m", services.KexCleanup)
+	quartz.AddFunc("@every 60s", services.SaveEventChanges)
 	quartz.Start()
 
 	// Messages