in development, write audit logs to custom sink

gdpr/srv/auth.js

@@ -1,9 +1,5 @@
 /*
  * workaround to avoid approuter et al. setup
- *
- * DO NOT USE FOR PRODUCTION!
- * - no token validation
- * - no xsappname check
  */
 
 const jwt = require('jsonwebtoken')
@@ -12,7 +8,13 @@ const tenant = process.env.VCAP_SERVICES
   : 'anonymous'
 
 module.exports = (req, res, next) => {
-  // decode JWT coming from Personal Data Manager
+  /*
+   * decode JWT coming from Personal Data Manager
+   *
+   * DO NOT USE FOR PRODUCTION!
+   * - no token validation
+   * - no xsappname check
+   */
   const bearer = req.headers.authorization && req.headers.authorization.split('Bearer ')[1]
   if (bearer) {
     const { client_id: id, zid: tenant, scope: roles } = jwt.decode(bearer)
@@ -31,8 +33,7 @@ module.exports = (req, res, next) => {
     req.user = {
       id,
       tenant,
-      // is: role => role !== 'PersonalDataManagerUser'
-      is: role => true
+      is: role => role !== 'PersonalDataManagerUser'
     }
     return next()
   }

gdpr/srv/server.js

@@ -0,0 +1,26 @@
+const cds = require('@sap/cds')
+
+/*
+ * in development, write audit logs to custom sink (i.e., to console in this example)
+ */
+cds.on('served', async () => {
+  if (process.env.NODE_ENV === 'production') return
+
+  const auditLogService = await cds.connect.to('audit-log')
+  // use prepend to get called before the generic implementation
+  auditLogService.prepend(function() {
+    const LOG = cds.log('my custom audit logging impl')
+    // triggered when reading sensitive personal data
+    this.on('dataAccessLog', function(req) {
+      const { accesses } = req.data
+      for (const access of accesses) LOG.info(access)
+    })
+    // triggered when modifying personal data
+    this.on('dataModificationLog', function(req) {
+      const { modifications } = req.data
+      for (const modification of modifications) LOG.info(modification)
+    })
+  })
+})
+
+module.exports = cds.server