use axum::extract::{Query, State};
use axum::response::IntoResponse;
use chrono::{DateTime, Utc};
use serde::Deserialize;
use uuid::Uuid;
use ironflow_auth::extractor::Authenticated;
use ironflow_store::entities::{AuditLogFilter, EventKind};
use crate::error::ApiError;
use crate::response::ok_paged;
use crate::state::AppState;
#[derive(Debug, Deserialize)]
#[cfg_attr(feature = "openapi", derive(utoipa::IntoParams, utoipa::ToSchema))]
pub struct ListAuditLogsQuery {
pub event_type: Option<EventKind>,
pub run_id: Option<Uuid>,
pub from: Option<DateTime<Utc>>,
pub to: Option<DateTime<Utc>>,
pub page: Option<u32>,
pub per_page: Option<u32>,
}
#[cfg_attr(
feature = "openapi",
utoipa::path(
get,
path = "/api/v1/audit-logs",
tags = ["audit"],
params(ListAuditLogsQuery),
responses(
(status = 200, description = "List of audit log entries with pagination"),
(status = 401, description = "Unauthorized"),
(status = 403, description = "Forbidden - admin only")
),
security(("Bearer" = []))
)
)]
pub async fn list_audit_logs(
auth: Authenticated,
State(state): State<AppState>,
Query(params): Query<ListAuditLogsQuery>,
) -> Result<impl IntoResponse, ApiError> {
if !auth.is_admin() {
return Err(ApiError::Forbidden);
}
let page = params.page.unwrap_or(1).max(1);
let per_page = params.per_page.unwrap_or(50).min(100);
let filter = AuditLogFilter {
event_type: params.event_type,
run_id: params.run_id,
from: params.from,
to: params.to,
};
let page_result = state.store.list_audit_logs(filter, page, per_page).await?;
Ok(ok_paged(
page_result.items,
page,
per_page,
page_result.total,
))
}
#[cfg(test)]
mod tests {
use std::sync::Arc;
use axum::Router;
use axum::body::Body;
use axum::http::{Request, StatusCode};
use axum::routing::get;
use http_body_util::BodyExt;
use serde_json::{Value as JsonValue, from_slice, json};
use tokio::sync::broadcast;
use tower::ServiceExt;
use uuid::Uuid;
use ironflow_auth::jwt::{AccessToken, JwtConfig};
use ironflow_core::providers::claude::ClaudeCodeProvider;
use ironflow_engine::engine::Engine;
use ironflow_engine::notify::Event;
use ironflow_store::entities::{EventKind, NewAuditLogEntry};
use ironflow_store::memory::InMemoryStore;
use super::*;
fn new_test_entry(event_type: EventKind, run_id: Option<Uuid>) -> NewAuditLogEntry {
NewAuditLogEntry {
event_type,
payload: json!({}),
run_id,
step_id: None,
user_id: None,
}
}
fn test_state() -> AppState {
let store = Arc::new(InMemoryStore::new());
let provider = Arc::new(ClaudeCodeProvider::new());
let engine = Arc::new(Engine::new(store.clone(), provider));
let jwt_config = Arc::new(JwtConfig {
secret: "test-secret".to_string(),
access_token_ttl_secs: 900,
refresh_token_ttl_secs: 604800,
cookie_domain: None,
cookie_secure: false,
});
let (event_sender, _) = broadcast::channel::<Event>(1);
AppState::new(
store,
engine,
jwt_config,
"test-worker-token".to_string(),
event_sender,
)
}
fn make_admin_auth_header(state: &AppState) -> String {
let user_id = Uuid::now_v7();
let token = AccessToken::for_user(user_id, "admin", true, &state.jwt_config).unwrap();
format!("Bearer {}", token.0)
}
fn make_user_auth_header(state: &AppState) -> String {
let user_id = Uuid::now_v7();
let token = AccessToken::for_user(user_id, "user", false, &state.jwt_config).unwrap();
format!("Bearer {}", token.0)
}
#[tokio::test]
async fn empty_list() {
let state = test_state();
let auth_header = make_admin_auth_header(&state);
let app = Router::new()
.route("/", get(list_audit_logs))
.with_state(state);
let req = Request::builder()
.uri("/")
.header("authorization", auth_header)
.body(Body::empty())
.unwrap();
let resp = app.oneshot(req).await.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = resp.into_body().collect().await.unwrap().to_bytes();
let json_val: JsonValue = from_slice(&body).unwrap();
assert_eq!(json_val["data"].as_array().unwrap().len(), 0);
assert_eq!(json_val["meta"]["total"], 0);
}
#[tokio::test]
async fn non_admin_gets_403() {
let state = test_state();
let auth_header = make_user_auth_header(&state);
let app = Router::new()
.route("/", get(list_audit_logs))
.with_state(state);
let req = Request::builder()
.uri("/")
.header("authorization", auth_header)
.body(Body::empty())
.unwrap();
let resp = app.oneshot(req).await.unwrap();
assert_eq!(resp.status(), StatusCode::FORBIDDEN);
}
#[tokio::test]
async fn returns_entries_with_pagination() {
let state = test_state();
let auth_header = make_admin_auth_header(&state);
let kinds = [
EventKind::RunCreated,
EventKind::RunFailed,
EventKind::StepCompleted,
EventKind::StepFailed,
EventKind::UserSignedIn,
];
for kind in kinds {
state
.store
.append_audit_log(new_test_entry(kind, None))
.await
.unwrap();
}
let app = Router::new()
.route("/", get(list_audit_logs))
.with_state(state);
let req = Request::builder()
.uri("/?page=1&per_page=2")
.header("authorization", auth_header)
.body(Body::empty())
.unwrap();
let resp = app.oneshot(req).await.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = resp.into_body().collect().await.unwrap().to_bytes();
let json_val: JsonValue = from_slice(&body).unwrap();
assert_eq!(json_val["data"].as_array().unwrap().len(), 2);
assert_eq!(json_val["meta"]["total"], 5);
assert_eq!(json_val["meta"]["page"], 1);
assert_eq!(json_val["meta"]["per_page"], 2);
}
#[tokio::test]
async fn filters_by_event_type() {
let state = test_state();
let auth_header = make_admin_auth_header(&state);
state
.store
.append_audit_log(new_test_entry(EventKind::RunCreated, None))
.await
.unwrap();
state
.store
.append_audit_log(new_test_entry(EventKind::RunFailed, None))
.await
.unwrap();
let app = Router::new()
.route("/", get(list_audit_logs))
.with_state(state);
let req = Request::builder()
.uri("/?event_type=run_created")
.header("authorization", auth_header)
.body(Body::empty())
.unwrap();
let resp = app.oneshot(req).await.unwrap();
let body = resp.into_body().collect().await.unwrap().to_bytes();
let json_val: JsonValue = from_slice(&body).unwrap();
assert_eq!(json_val["data"].as_array().unwrap().len(), 1);
assert_eq!(json_val["data"][0]["event_type"], "run_created");
}
#[tokio::test]
async fn filters_by_run_id() {
let state = test_state();
let auth_header = make_admin_auth_header(&state);
let target_run = Uuid::now_v7();
state
.store
.append_audit_log(new_test_entry(EventKind::RunCreated, Some(target_run)))
.await
.unwrap();
state
.store
.append_audit_log(new_test_entry(EventKind::RunCreated, Some(Uuid::now_v7())))
.await
.unwrap();
let app = Router::new()
.route("/", get(list_audit_logs))
.with_state(state);
let req = Request::builder()
.uri(format!("/?run_id={target_run}"))
.header("authorization", auth_header)
.body(Body::empty())
.unwrap();
let resp = app.oneshot(req).await.unwrap();
let body = resp.into_body().collect().await.unwrap().to_bytes();
let json_val: JsonValue = from_slice(&body).unwrap();
assert_eq!(json_val["data"].as_array().unwrap().len(), 1);
}
#[tokio::test]
async fn per_page_capped_at_100() {
let state = test_state();
let auth_header = make_admin_auth_header(&state);
let app = Router::new()
.route("/", get(list_audit_logs))
.with_state(state);
let req = Request::builder()
.uri("/?per_page=500")
.header("authorization", auth_header)
.body(Body::empty())
.unwrap();
let resp = app.oneshot(req).await.unwrap();
let body = resp.into_body().collect().await.unwrap().to_bytes();
let json_val: JsonValue = from_slice(&body).unwrap();
assert_eq!(json_val["meta"]["per_page"], 100);
}
}