feat: audit log

[TaduJR]

What does this PR do?

This change tries to resolve #1461 by adding audit logger on v1 and v2 api and on nextjs backend.
These are the list of events handled on Teams and Organizations

Event-Types
	- Modified
		Event Setup
			Title
			Duration
			Location
		Assignment
		        Scheduling Type
	- Created
	- Delete

Bookings
	- Modified
		Reschedule
		Edit Location
	- Created
	- Cancelled

• Fixes [CAL-1710] Audit log #1461 (GitHub issue number)
• Fixes CAL-1461 (Linear issue number - should be visible at the bottom of the GitHub issue description)

Handling EventType Audit Logs
https://www.loom.com/share/96a655c5a5134744bd5ea900a3542420

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected)
• I have added a Docs issue here if this PR makes changes that would require a documentation change
• I have added or modified automated tests that prove my fix is effective or that my feature works (PRs might be rejected if logical changes are not properly tested)

How should this be tested?

• Are there environment variables that should be set? No
• What are the minimal test data to have? Team/Organization and User Entity Records
• What is expected (happy path) to have (input and output)?
• Any other important info that could help to test that PR?

Checklist

• I haven't commented my code, particularly in hard-to-understand areas
  /claim [CAL-1710] Audit log #1461

[vercel]

@TaduJR is attempting to deploy a commit to the cal Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

Thank you for following the naming conventions! 🙏 Feel free to join our discord and post your PR link.

[graphite-app]

Graphite Automations

"Add community label" took an action on this PR • (05/11/24)

1 label was added to this PR based on Keith Williams's automation.

"Add foundation team as reviewer" took an action on this PR • (05/11/24)

1 reviewer was added to this PR based on Keith Williams's automation.

"Add consumer team as reviewer" took an action on this PR • (05/11/24)

1 reviewer was added to this PR based on Keith Williams's automation.

[github-actions]

📦 Next.js Bundle Analysis for @calcom/web

This analysis was generated by the Next.js Bundle Analysis action. 🤖

This PR introduced no changes to the JavaScript bundle! 🙌

[zomars]

This PR has a lot of potential. Thank you for your contribution 🙏 I have some observations in order to ensure this is a top quality feature.

Delegate auditing logs to a background task

Since we're doing extra writing to the database for each action being taken. We should find a way to delegate all this logging off the main thread. It is expected that this will make all logged actions slower. But we should try to make this the least intrusive as possible. Some possible approaches that come to mind is using a prisma middleware to avoid polluting the code itself.

Make the feature opt-in by default

Since this codebase is shared with all self posters. We should try to make all these features opt-in by default. That way we don't suddenly introduce more unexpected DB load or side effect after an update. A possible approach would be using our current feature flags to toggle logging on or off and it is turned off by default. That way we can also switch it off without having to redeploy in case something wrong happens.

Use dependency injection pattern

This is so we can easily switch to a third party service if needed. We can disable it locally. We can unit test it. We can switch it with another one. I would try to come up with a AuditLogger abstraction and create an InternalAuditLogger as our first option. Here's a very nice video explaining the pattern if you want to dive into that.

Feel free to reach out with questions and more guidance.

​May you be well 🙏

[zomars]

Is the relationship needed at all? We can ditch the relationship and still query by teamId don't we?

[TaduJR]

Yes. It is needed because We onDelete Cascade expects opposite relation from auditlog table. If we omit onDelete cascade then If a team gets deleted the audit logs of that team stays. So inorder to also delete the auditlogs belonging to the deleted team must be also deleted.

[zomars]

I think we want to keep the logs even if the team has been deleted. That's the point of having an audit log doesn't it?

[TaduJR]

Great. Done.

[zomars]

Instead of Json can we turn this into actorId so we can query/join the user on query? We're trying to avoid Json fields as much as possible are these are harder to index and query.

[TaduJR]

@zomars I am very sorry. I had to get back to using JSON for actorUser, and targetTeam because since we want to maintain the logs info when a user deleted or team gets deleted. If a user gets deleted the corresponding actorUser JSON will be populated with name and email, also team will get populated with name and slug. If we don't maintain that info then we would not know who triggered that event if a user or team gets deleted.

[zomars]

Same here on target. We can have a targetId: 1 and targetType: "team" instead of a Json field.

[TaduJR]

Unfortunately, We can't turn this in to primitive data type because there are different triggers. For Example Creation of event type only require targetEvent but Updating eventtype require changedAttribute for report. So We need to wrap it into target JSON.

[zomars]

This could/should be an enum:

enum Crud {
  CREATE
  READ
  UPDATE
  DELETE
}

[TaduJR]

Done.

[zomars]

/tip $25

[algora-pbc]

🎉🎈 @TaduJR has been awarded $25! 🎈🎊

• Share on socials
• Give feedback

[TaduJR]

Hello @zomars. I will look into and fix every changes you requested and thank you so much for the tip.

[socket-security]

No dependency changes detected. Learn more about Socket for GitHub ↗︎

👍 No dependency changes detected in pull request