audit tracking

Author: tannerlinsley

src/db/schema.ts

@@ -36,6 +36,23 @@ export const docFeedbackStatusEnum = pgEnum('doc_feedback_status', [
   'denied',
 ])
 export const bannerScopeEnum = pgEnum('banner_scope', ['global', 'targeted'])
+export const auditActionEnum = pgEnum('audit_action', [
+  'user.capabilities.update',
+  'user.adsDisabled.update',
+  'user.sessions.revoke',
+  'role.create',
+  'role.update',
+  'role.delete',
+  'role.assignment.create',
+  'role.assignment.delete',
+  'banner.create',
+  'banner.update',
+  'banner.delete',
+  'feed.entry.create',
+  'feed.entry.update',
+  'feed.entry.delete',
+  'feedback.moderate',
+])
 export const bannerStyleEnum = pgEnum('banner_style', [
   'info',
   'warning',
@@ -62,6 +79,22 @@ export type DocFeedbackStatus = 'pending' | 'approved' | 'denied'
 export type BannerScope = 'global' | 'targeted'
 export type BannerStyle = 'info' | 'warning' | 'success' | 'promo'
 export type EntryType = 'release' | 'blog' | 'announcement'
+export type AuditAction =
+  | 'user.capabilities.update'
+  | 'user.adsDisabled.update'
+  | 'user.sessions.revoke'
+  | 'role.create'
+  | 'role.update'
+  | 'role.delete'
+  | 'role.assignment.create'
+  | 'role.assignment.delete'
+  | 'banner.create'
+  | 'banner.update'
+  | 'banner.delete'
+  | 'feed.entry.create'
+  | 'feed.entry.update'
+  | 'feed.entry.delete'
+  | 'feedback.moderate'
 
 // Constants
 export const VALID_CAPABILITIES: readonly Capability[] = [
@@ -678,6 +711,67 @@ export type NewAnnouncementDismissal = InferInsertModel<
   typeof announcementDismissals
 >
 
+// Login history table (tracks user logins for analytics and security)
+export const loginHistory = pgTable(
+  'login_history',
+  {
+    id: uuid('id').primaryKey().defaultRandom(),
+    userId: uuid('user_id')
+      .notNull()
+      .references(() => users.id, { onDelete: 'cascade' }),
+    provider: oauthProviderEnum('provider').notNull(),
+    ipAddress: varchar('ip_address', { length: 45 }), // IPv6 max length
+    userAgent: text('user_agent'),
+    isNewUser: boolean('is_new_user').notNull().default(false),
+    createdAt: timestamp('created_at', { withTimezone: true, mode: 'date' })
+      .notNull()
+      .defaultNow(),
+  },
+  (table) => ({
+    userIdIdx: index('login_history_user_id_idx').on(table.userId),
+    createdAtIdx: index('login_history_created_at_idx').on(table.createdAt),
+    providerIdx: index('login_history_provider_idx').on(table.provider),
+  }),
+)
+
+export type LoginHistory = InferSelectModel<typeof loginHistory>
+export type NewLoginHistory = InferInsertModel<typeof loginHistory>
+
+// Audit logs table (tracks admin actions for security and compliance)
+export const auditLogs = pgTable(
+  'audit_logs',
+  {
+    id: uuid('id').primaryKey().defaultRandom(),
+    // Who performed the action
+    actorId: uuid('actor_id')
+      .notNull()
+      .references(() => users.id, { onDelete: 'cascade' }),
+    // What action was performed
+    action: auditActionEnum('action').notNull(),
+    // Target of the action (user, role, banner, etc.)
+    targetType: varchar('target_type', { length: 50 }).notNull(), // 'user', 'role', 'banner', 'feed_entry', 'feedback'
+    targetId: varchar('target_id', { length: 255 }).notNull(), // UUID or other identifier
+    // Details of the change
+    details: jsonb('details'), // { before: {...}, after: {...} } or other relevant data
+    // Request metadata
+    ipAddress: varchar('ip_address', { length: 45 }),
+    userAgent: text('user_agent'),
+    createdAt: timestamp('created_at', { withTimezone: true, mode: 'date' })
+      .notNull()
+      .defaultNow(),
+  },
+  (table) => ({
+    actorIdIdx: index('audit_logs_actor_id_idx').on(table.actorId),
+    actionIdx: index('audit_logs_action_idx').on(table.action),
+    targetTypeIdx: index('audit_logs_target_type_idx').on(table.targetType),
+    targetIdIdx: index('audit_logs_target_id_idx').on(table.targetId),
+    createdAtIdx: index('audit_logs_created_at_idx').on(table.createdAt),
+  }),
+)
+
+export type AuditLog = InferSelectModel<typeof auditLogs>
+export type NewAuditLog = InferInsertModel<typeof auditLogs>
+
 // Relations
 export const usersRelations = relations(users, ({ many }) => ({
   sessions: many(sessions),
@@ -686,6 +780,8 @@ export const usersRelations = relations(users, ({ many }) => ({
   docFeedback: many(docFeedback),
   announcementDismissals: many(announcementDismissals),
   bannerDismissals: many(bannerDismissals),
+  loginHistory: many(loginHistory),
+  auditLogs: many(auditLogs),
 }))
 
 export const rolesRelations = relations(roles, ({ many }) => ({
@@ -758,3 +854,17 @@ export const bannerDismissalsRelations = relations(
     }),
   }),
 )
+
+export const loginHistoryRelations = relations(loginHistory, ({ one }) => ({
+  user: one(users, {
+    fields: [loginHistory.userId],
+    references: [users.id],
+  }),
+}))
+
+export const auditLogsRelations = relations(auditLogs, ({ one }) => ({
+  actor: one(users, {
+    fields: [auditLogs.actorId],
+    references: [users.id],
+  }),
+}))

src/hooks/useClickOutside.ts

@@ -32,26 +32,52 @@ export function useClickOutside<T extends HTMLElement = HTMLElement>({
   additionalRefs = [],
 }: UseClickOutsideOptions): React.RefObject<T | null> {
   const ref = React.useRef<T>(null)
+  const touchStartRef = React.useRef<{ x: number; y: number } | null>(null)
 
   React.useEffect(() => {
     if (!enabled) return
 
-    const handleClickOutside = (event: MouseEvent) => {
-      const target = event.target as Node
+    const isInsideRefs = (target: Node) => {
+      if (ref.current?.contains(target)) return true
+      for (const additionalRef of additionalRefs) {
+        if (additionalRef.current?.contains(target)) return true
+      }
+      return false
+    }
 
-      // Check if click is inside the main ref
-      if (ref.current?.contains(target)) {
+    const handlePointerDown = (event: PointerEvent) => {
+      if (event.pointerType === 'touch') {
+        // Track touch start position to detect scrolls vs taps
+        touchStartRef.current = { x: event.clientX, y: event.clientY }
         return
       }
 
-      // Check if click is inside any additional refs
-      for (const additionalRef of additionalRefs) {
-        if (additionalRef.current?.contains(target)) {
-          return
-        }
+      // Mouse/pen: handle immediately
+      if (!isInsideRefs(event.target as Node)) {
+        onClickOutside()
+      }
+    }
+
+    const handlePointerUp = (event: PointerEvent) => {
+      if (event.pointerType !== 'touch') return
+
+      const start = touchStartRef.current
+      touchStartRef.current = null
+
+      if (!start) return
+
+      // If finger moved more than 10px, it's a scroll not a tap
+      const dx = Math.abs(event.clientX - start.x)
+      const dy = Math.abs(event.clientY - start.y)
+      if (dx > 10 || dy > 10) return
+
+      if (!isInsideRefs(event.target as Node)) {
+        onClickOutside()
       }
+    }
 
-      onClickOutside()
+    const handlePointerCancel = () => {
+      touchStartRef.current = null
     }
 
     const handleEscape = (event: KeyboardEvent) => {
@@ -60,13 +86,17 @@ export function useClickOutside<T extends HTMLElement = HTMLElement>({
       }
     }
 
-    document.addEventListener('mousedown', handleClickOutside)
+    document.addEventListener('pointerdown', handlePointerDown)
+    document.addEventListener('pointerup', handlePointerUp)
+    document.addEventListener('pointercancel', handlePointerCancel)
     if (closeOnEscape) {
       document.addEventListener('keydown', handleEscape)
     }
 
     return () => {
-      document.removeEventListener('mousedown', handleClickOutside)
+      document.removeEventListener('pointerdown', handlePointerDown)
+      document.removeEventListener('pointerup', handlePointerUp)
+      document.removeEventListener('pointercancel', handlePointerCancel)
       if (closeOnEscape) {
         document.removeEventListener('keydown', handleEscape)
       }

src/routes/api/auth/callback/$provider.tsx

@@ -13,6 +13,7 @@ import {
   SESSION_DURATION_MS,
   SESSION_MAX_AGE_SECONDS,
 } from '~/auth/index.server'
+import { recordLogin } from '~/utils/audit.server'
 
 export const Route = createFileRoute('/api/auth/callback/$provider')({
   server: {
@@ -133,6 +134,16 @@ export const Route = createFileRoute('/api/auth/callback/$provider')({
             throw new Error('User not found after OAuth account creation')
           }
 
+          // Record login event (fire and forget, don't block auth flow)
+          recordLogin({
+            userId: user.id,
+            provider,
+            isNewUser: result.isNewUser,
+            request,
+          }).catch((err) => {
+            console.error('[AUTH:WARN] Failed to record login event:', err)
+          })
+
           // Create signed session cookie
           const sessionService = getSessionService()
           const expiresAt = Date.now() + SESSION_DURATION_MS

src/utils/audit.server.ts

@@ -0,0 +1,70 @@
+import { db } from '~/db/client'
+import {
+  loginHistory,
+  auditLogs,
+  type AuditAction,
+  type OAuthProvider,
+} from '~/db/schema'
+
+// Extract IP address from request headers
+export function getClientIp(request: Request): string | undefined {
+  // Check common proxy headers first
+  const forwardedFor = request.headers.get('x-forwarded-for')
+  if (forwardedFor) {
+    // x-forwarded-for can contain multiple IPs, take the first one
+    return forwardedFor.split(',')[0].trim()
+  }
+
+  const realIp = request.headers.get('x-real-ip')
+  if (realIp) {
+    return realIp
+  }
+
+  // Cloudflare
+  const cfConnectingIp = request.headers.get('cf-connecting-ip')
+  if (cfConnectingIp) {
+    return cfConnectingIp
+  }
+
+  return undefined
+}
+
+// Record a login event
+export async function recordLogin(opts: {
+  userId: string
+  provider: OAuthProvider
+  isNewUser: boolean
+  request: Request
+}): Promise<void> {
+  const { userId, provider, isNewUser, request } = opts
+
+  await db.insert(loginHistory).values({
+    userId,
+    provider,
+    isNewUser,
+    ipAddress: getClientIp(request),
+    userAgent: request.headers.get('user-agent') || undefined,
+  })
+}
+
+// Record an audit log entry
+export async function recordAuditLog(opts: {
+  actorId: string
+  action: AuditAction
+  targetType: 'user' | 'role' | 'banner' | 'feed_entry' | 'feedback'
+  targetId: string
+  details?: Record<string, unknown>
+  request?: Request
+}): Promise<void> {
+  const { actorId, action, targetType, targetId, details, request } = opts
+
+  await db.insert(auditLogs).values({
+    actorId,
+    action,
+    targetType,
+    targetId,
+    details: details ?? null,
+    ipAddress: request ? getClientIp(request) : undefined,
+    userAgent: request?.headers.get('user-agent') || undefined,
+  })
+}