
[Backend] Add Queryable Audit Log API with Filtering and Export #504

@llinsss


⚠️ This is a backend issue — work is done inside the backend/ folder

Description

backend/src/modules/audit/audit.service.ts only has a log() method — there is no way to query, filter, or export audit logs via the API. Admins and compliance officers have no interface to review who accessed or modified records, which is a compliance gap.

Current State

  • AuditService.log() — writes audit entries
  • AuditLog entity has: userId, entityType, entityId, action, ipAddress, userAgent, createdAt
  • No findAll, findByUser, or export methods exist
  • AuditController exists in backend/src/audit/ but is separate from the module — needs consolidation

What Needs to Be Built

1. Query DTO

import { IsDateString, IsEnum, IsIn, IsInt, IsOptional, IsString, IsUUID, Max, Min } from 'class-validator';
import { Type } from 'class-transformer';
import { AuditAction } from '../audit-log.entity'; // path assumed: wherever the AuditLog entity declares the enum

export class AuditQueryDto {
  @IsOptional() @IsUUID()       userId?: string;
  @IsOptional() @IsString()     entityType?: string;
  @IsOptional() @IsEnum(AuditAction) action?: AuditAction;
  @IsOptional() @IsDateString() dateFrom?: string;
  @IsOptional() @IsDateString() dateTo?: string;
  @IsOptional() @IsIn(['ASC', 'DESC']) order?: 'ASC' | 'DESC';
  // Query-string values arrive as strings; with ValidationPipe({ transform: true })
  // @Type coerces them so @Min/@Max actually validate numbers instead of rejecting "5"
  @IsOptional() @Type(() => Number) @IsInt() @Min(1)           page?: number;
  @IsOptional() @Type(() => Number) @IsInt() @Min(1) @Max(100) limit?: number;
}

2. Service Methods

async findAll(query: AuditQueryDto): Promise<PaginatedResult<AuditLog>>
async findByEntity(entityType: string, entityId: string): Promise<AuditLog[]>
async exportCsv(query: AuditQueryDto): Promise<Buffer>

3. Controller Endpoints (Admin only)

GET  /audit?userId=&entityType=&action=&dateFrom=&dateTo=&page=&limit=
GET  /audit/entity/:entityType/:entityId
GET  /audit/export?format=csv   (streams CSV download)

4. Access Control

  • All audit endpoints require ADMIN role
  • Users can query their own audit trail via GET /audit/me
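
As an added illustration (not the project's code) of the findAll()/exportCsv() semantics from section 2 and the /audit/me scoping from section 4, the following TypeScript runs in memory without NestJS or a database; the AuditAction values, the sample rows and the default page size of 20 are assumptions.

```typescript
// Constructed example, not the project's code: in-memory versions of the findAll()
// filtering/pagination and exportCsv() serialisation described in the issue.
export type AuditAction = 'CREATE' | 'READ' | 'UPDATE' | 'DELETE'; // assumed enum values
export interface AuditLog { userId: string; entityType: string; entityId: string; action: AuditAction;
  ipAddress: string; userAgent: string; createdAt: Date; }
export interface AuditQuery { userId?: string; entityType?: string; action?: AuditAction; dateFrom?: string;
  dateTo?: string; order?: 'ASC' | 'DESC'; page?: number; limit?: number; }
export interface PaginatedResult<T> { data: T[]; total: number; page: number; limit: number; }
const MAX_LIMIT = 100; // mirrors @Max(100) on the DTO

// Constructed sample rows. The userAgent of the third row is client-controlled text
// that a spreadsheet would evaluate as a formula if it reached a CSV cell unescaped.
export const SAMPLE_ROWS: AuditLog[] = [
  { userId: 'u1', entityType: 'Patient', entityId: 'p1', action: 'READ', ipAddress: '10.0.0.5', userAgent: 'Mozilla/5.0', createdAt: new Date('2024-01-01T10:00:00Z') },
  { userId: 'u2', entityType: 'Patient', entityId: 'p1', action: 'UPDATE', ipAddress: '10.0.0.6', userAgent: 'curl/8.0', createdAt: new Date('2024-01-02T10:00:00Z') },
  { userId: 'u1', entityType: 'Record', entityId: 'r9', action: 'DELETE', ipAddress: '10.0.0.5', userAgent: '=1+1', createdAt: new Date('2024-01-03T10:00:00Z') },
];

// Filters, orders and paginates like findAll(). `scopedUserId` is the /audit/me case:
// it overrides any ?userId= in the query so a caller can only ever see their own trail.
export function findAll(rows: AuditLog[], q: AuditQuery, scopedUserId?: string): PaginatedResult<AuditLog> {
  const userId = scopedUserId ?? q.userId;
  const from = q.dateFrom ? Date.parse(q.dateFrom) : -Infinity;
  const to = q.dateTo ? Date.parse(q.dateTo) : Infinity;
  const matched = rows.filter(r =>
    (!userId || r.userId === userId) && (!q.entityType || r.entityType === q.entityType) &&
    (!q.action || r.action === q.action) && r.createdAt.getTime() >= from && r.createdAt.getTime() <= to);
  const dir = q.order === 'ASC' ? 1 : -1; // newest first unless ASC is requested
  matched.sort((a, b) => dir * (a.createdAt.getTime() - b.createdAt.getTime()));
  const limit = Math.min(Math.max(q.limit ?? 20, 1), MAX_LIMIT); // server-side cap, never trust the query
  const page = Math.max(q.page ?? 1, 1);
  return { data: matched.slice((page - 1) * limit, page * limit), total: matched.length, page, limit };
}

// RFC 4180 quoting plus neutralisation of spreadsheet formula triggers (=, +, -, @, tab, CR).
// ipAddress and userAgent come from the client, so the export must not pass them through raw.
export function csvCell(v: string | Date): string {
  let s = v instanceof Date ? v.toISOString() : v;
  if (/^[=+\-@\t\r]/.test(s)) s = `'${s}`;
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

// Returns CSV text; the real exportCsv() would wrap this in Buffer.from(...) for the download.
export function exportCsv(rows: AuditLog[]): string {
  const cols: (keyof AuditLog)[] = ['createdAt', 'userId', 'entityType', 'entityId', 'action', 'ipAddress', 'userAgent'];
  return [cols.join(','), ...rows.map(r => cols.map(c => csvCell(r[c])).join(','))].join('\r\n') + '\r\n';
}
```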

Acceptance Criteria

  • All filter combinations return correct paginated results
  • GET /audit/export streams a valid CSV file
  • Non-admin users receive 403 on admin endpoints
  • Users can view their own audit trail via /audit/me
  • Integration tests cover filtering, pagination, and CSV export

Files to Modify / Create

  • backend/src/modules/audit/audit.service.ts
  • backend/src/modules/audit/audit.controller.ts
  • backend/src/modules/audit/dto/audit-query.dto.ts (new)
  • backend/src/modules/audit/audit.service.spec.ts (new)

Priority

High — compliance requirement for medical data access tracking

Estimated Effort

2 days
