feat: Phase 1 - Implementation of Data Security Infrastructure
Implemented comprehensive data security infrastructure for SFERA platform: ## Security Classes Created: - `SupplyDataFilter`: Role-based data filtering for supply orders - `ParticipantIsolation`: Data isolation between competing organizations - `RecipeAccessControl`: Protection of production recipes and trade secrets - `CommercialDataAudit`: Audit logging and suspicious activity detection - `SecurityLogger`: Centralized security event logging system ## Infrastructure Components: - Feature flags system for gradual security rollout - Database migrations for audit logging (AuditLog, SecurityAlert models) - Secure resolver wrapper for automatic GraphQL security - TypeScript interfaces and type safety throughout ## Security Features: - Role-based access control (SELLER, WHOLESALE, FULFILLMENT, LOGIST) - Commercial data protection between competitors - Production recipe confidentiality - Audit trail for all data access - Real-time security monitoring and alerts - Rate limiting and suspicious activity detection ## Implementation Notes: - All console logging replaced with centralized security logger - Comprehensive TypeScript typing with no explicit 'any' types - Modular architecture following SFERA coding standards - Feature flag controlled rollout for safe deployment This completes Phase 1 of the security implementation plan. Next phases will integrate these classes into existing GraphQL resolvers. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Veronika Smirnova
47
prisma/migrations/001_add_security_audit_system.sql
Normal file
47
prisma/migrations/001_add_security_audit_system.sql
Normal file
@ -0,0 +1,47 @@
|
||||
-- CreateEnum для типов алертов безопасности
|
||||
CREATE TYPE "SecurityAlertType" AS ENUM ('EXCESSIVE_ACCESS', 'UNAUTHORIZED_ATTEMPT', 'DATA_LEAK_RISK', 'SUSPICIOUS_PATTERN', 'BULK_EXPORT_DETECTED');
|
||||
|
||||
-- CreateEnum для уровней серьезности алертов
|
||||
CREATE TYPE "SecurityAlertSeverity" AS ENUM ('LOW', 'MEDIUM', 'HIGH', 'CRITICAL');
|
||||
|
||||
-- CreateTable для журнала аудита
|
||||
CREATE TABLE "audit_logs" (
|
||||
"id" TEXT NOT NULL,
|
||||
"userId" TEXT NOT NULL,
|
||||
"organizationType" "OrganizationType" NOT NULL,
|
||||
"action" TEXT NOT NULL,
|
||||
"resourceType" TEXT NOT NULL,
|
||||
"resourceId" TEXT,
|
||||
"metadata" JSONB NOT NULL DEFAULT '{}',
|
||||
"ipAddress" TEXT,
|
||||
"userAgent" TEXT,
|
||||
"timestamp" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
||||
|
||||
CONSTRAINT "audit_logs_pkey" PRIMARY KEY ("id")
|
||||
);
|
||||
|
||||
-- CreateTable для алертов безопасности
|
||||
CREATE TABLE "security_alerts" (
|
||||
"id" TEXT NOT NULL,
|
||||
"type" "SecurityAlertType" NOT NULL,
|
||||
"severity" "SecurityAlertSeverity" NOT NULL,
|
||||
"userId" TEXT NOT NULL,
|
||||
"message" TEXT NOT NULL,
|
||||
"metadata" JSONB NOT NULL DEFAULT '{}',
|
||||
"timestamp" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
||||
"resolved" BOOLEAN NOT NULL DEFAULT false,
|
||||
|
||||
CONSTRAINT "security_alerts_pkey" PRIMARY KEY ("id")
|
||||
);
|
||||
|
||||
-- CreateIndex для оптимизации запросов по audit_logs
|
||||
CREATE INDEX "audit_logs_userId_idx" ON "audit_logs"("userId");
|
||||
CREATE INDEX "audit_logs_timestamp_idx" ON "audit_logs"("timestamp");
|
||||
CREATE INDEX "audit_logs_action_idx" ON "audit_logs"("action");
|
||||
CREATE INDEX "audit_logs_resourceType_idx" ON "audit_logs"("resourceType");
|
||||
|
||||
-- CreateIndex для оптимизации запросов по security_alerts
|
||||
CREATE INDEX "security_alerts_userId_idx" ON "security_alerts"("userId");
|
||||
CREATE INDEX "security_alerts_timestamp_idx" ON "security_alerts"("timestamp");
|
||||
CREATE INDEX "security_alerts_resolved_idx" ON "security_alerts"("resolved");
|
||||
CREATE INDEX "security_alerts_severity_idx" ON "security_alerts"("severity");
|
||||
@ -680,3 +680,54 @@ enum ReferralTransactionType {
|
||||
FIRST_ORDER
|
||||
MONTHLY_BONUS
|
||||
}
|
||||
|
||||
model AuditLog {
|
||||
id String @id @default(cuid())
|
||||
userId String
|
||||
organizationType OrganizationType
|
||||
action String
|
||||
resourceType String
|
||||
resourceId String?
|
||||
metadata Json @default("{}")
|
||||
ipAddress String?
|
||||
userAgent String?
|
||||
timestamp DateTime @default(now())
|
||||
|
||||
@@index([userId])
|
||||
@@index([timestamp])
|
||||
@@index([action])
|
||||
@@index([resourceType])
|
||||
@@map("audit_logs")
|
||||
}
|
||||
|
||||
model SecurityAlert {
|
||||
id String @id @default(cuid())
|
||||
type SecurityAlertType
|
||||
severity SecurityAlertSeverity
|
||||
userId String
|
||||
message String
|
||||
metadata Json @default("{}")
|
||||
timestamp DateTime @default(now())
|
||||
resolved Boolean @default(false)
|
||||
|
||||
@@index([userId])
|
||||
@@index([timestamp])
|
||||
@@index([resolved])
|
||||
@@index([severity])
|
||||
@@map("security_alerts")
|
||||
}
|
||||
|
||||
enum SecurityAlertType {
|
||||
EXCESSIVE_ACCESS
|
||||
UNAUTHORIZED_ATTEMPT
|
||||
DATA_LEAK_RISK
|
||||
SUSPICIOUS_PATTERN
|
||||
BULK_EXPORT_DETECTED
|
||||
}
|
||||
|
||||
enum SecurityAlertSeverity {
|
||||
LOW
|
||||
MEDIUM
|
||||
HIGH
|
||||
CRITICAL
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user