refactor: consolidate audit logging into internal/audit provider (#541)

* refactor: consolidate audit logging into internal/audit provider

Replace two duplicate audit log helpers (graphql/audit_log_helper.go
and http_handlers/audit_log_helper.go) with a single audit.Provider
in internal/audit/ following the project's standard provider pattern.

- Create internal/audit/provider.go with Provider interface + LogEvent
- Inject AuditProvider into graphql.Dependencies and http_handlers.Dependencies
- Initialize audit provider in cmd/root.go
- Update all 32 call sites across 29 files to use audit.Event
- Delete the two old helper files
- Callers now extract IP/UserAgent and pass in Event struct directly

* chore: fix test

Author: lakhansamani

cmd/root.go

@@ -11,6 +11,7 @@ import (
 	"github.com/spf13/cobra"
 	"golang.org/x/sync/errgroup"
 
+	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/authenticators"
 	"github.com/authorizerdev/authorizer/internal/config"
 	"github.com/authorizerdev/authorizer/internal/constants"
@@ -397,8 +398,14 @@ func runRoot(c *cobra.Command, args []string) {
 		log.Fatal().Msg("client secret missing in rootArgs")
 	}
 
+	auditProvider := audit.New(&audit.Dependencies{
+		Log:             &log,
+		StorageProvider: storageProvider,
+	})
+
 	httpProvider, err := http_handlers.New(&rootArgs.config, &http_handlers.Dependencies{
 		Log:                   &log,
+		AuditProvider:         auditProvider,
 		AuthenticatorProvider: authenticatorProvider,
 		EmailProvider:         emailProvider,
 		EventsProvider:        eventsProvider,

internal/audit/provider.go

@@ -0,0 +1,69 @@
+package audit
+
+import (
+	"context"
+
+	"github.com/rs/zerolog"
+
+	"github.com/authorizerdev/authorizer/internal/storage"
+	"github.com/authorizerdev/authorizer/internal/storage/schemas"
+)
+
+// Dependencies for the audit provider.
+type Dependencies struct {
+	Log             *zerolog.Logger
+	StorageProvider storage.Provider
+}
+
+// Event represents an audit event to be logged.
+type Event struct {
+	ActorID      string
+	ActorType    string
+	ActorEmail   string
+	Action       string
+	ResourceType string
+	ResourceID   string
+	IPAddress    string
+	UserAgent    string
+	Metadata     string
+}
+
+// Provider is the interface for audit logging.
+type Provider interface {
+	// LogEvent asynchronously records an audit log entry.
+	// It is fire-and-forget: errors are logged but not propagated.
+	LogEvent(event Event)
+}
+
+type provider struct {
+	deps *Dependencies
+}
+
+// Ensure provider implements Provider.
+var _ Provider = &provider{}
+
+// New creates a new audit provider.
+func New(deps *Dependencies) Provider {
+	return &provider{deps: deps}
+}
+
+// LogEvent asynchronously records an audit log entry.
+func (p *provider) LogEvent(event Event) {
+	go func() {
+		log := p.deps.Log.With().Str("func", "LogEvent").Logger()
+		auditLog := &schemas.AuditLog{
+			ActorID:      event.ActorID,
+			ActorType:    event.ActorType,
+			ActorEmail:   event.ActorEmail,
+			Action:       event.Action,
+			ResourceType: event.ResourceType,
+			ResourceID:   event.ResourceID,
+			IPAddress:    event.IPAddress,
+			UserAgent:    event.UserAgent,
+			Metadata:     event.Metadata,
+		}
+		if err := p.deps.StorageProvider.AddAuditLog(context.Background(), auditLog); err != nil {
+			log.Debug().Err(err).Str("action", event.Action).Msg("Failed to add audit log")
+		}
+	}()
+}

internal/graphql/add_email_template.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/refs"
@@ -59,10 +60,13 @@ func (g *graphqlProvider) AddEmailTemplate(ctx context.Context, params *model.Ad
 		return nil, err
 	}
 
-	g.logAuditEvent(ctx, constants.AuditAdminEmailTemplateCreatedEvent, AuditLogOpts{
+	g.AuditProvider.LogEvent(audit.Event{
+		Action:       constants.AuditAdminEmailTemplateCreatedEvent,
 		ActorType:    constants.AuditActorTypeAdmin,
 		ResourceType: constants.AuditResourceTypeEmailTemplate,
 		ResourceID:   emailTemplate.ID,
+		IPAddress:    utils.GetIP(gc.Request),
+		UserAgent:    utils.GetUserAgent(gc.Request),
 	})
 	return &model.Response{
 		Message: `Email template added successfully`,

internal/graphql/add_webhook.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/refs"
@@ -55,10 +56,13 @@ func (g *graphqlProvider) AddWebhook(ctx context.Context, params *model.AddWebho
 		return nil, err
 	}
 
-	g.logAuditEvent(ctx, constants.AuditAdminWebhookCreatedEvent, AuditLogOpts{
+	g.AuditProvider.LogEvent(audit.Event{
+		Action:       constants.AuditAdminWebhookCreatedEvent,
 		ActorType:    constants.AuditActorTypeAdmin,
 		ResourceType: constants.AuditResourceTypeWebhook,
 		ResourceID:   webhook.ID,
+		IPAddress:    utils.GetIP(gc.Request),
+		UserAgent:    utils.GetUserAgent(gc.Request),
 	})
 	return &model.Response{
 		Message: `Webhook added successfully`,

internal/graphql/admin_login.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/cookie"
 	"github.com/authorizerdev/authorizer/internal/crypto"
@@ -23,9 +24,12 @@ func (g *graphqlProvider) AdminLogin(ctx context.Context, params *model.AdminLog
 	}
 	if params.AdminSecret != g.Config.AdminSecret {
 		log.Debug().Msg("Invalid admin secret")
-		g.logAuditEvent(ctx, constants.AuditAdminLoginFailedEvent, AuditLogOpts{
+		g.AuditProvider.LogEvent(audit.Event{
+			Action:       constants.AuditAdminLoginFailedEvent,
 			ActorType:    constants.AuditActorTypeAdmin,
 			ResourceType: constants.AuditResourceTypeAdminSession,
+			IPAddress:    utils.GetIP(gc.Request),
+			UserAgent:    utils.GetUserAgent(gc.Request),
 		})
 		return res, fmt.Errorf(`invalid admin secret`)
 	}
@@ -36,9 +40,12 @@ func (g *graphqlProvider) AdminLogin(ctx context.Context, params *model.AdminLog
 	}
 	cookie.SetAdminCookie(gc, hashedKey, g.Config.AdminCookieSecure)
 
-	g.logAuditEvent(ctx, constants.AuditAdminLoginSuccessEvent, AuditLogOpts{
+	g.AuditProvider.LogEvent(audit.Event{
+		Action:       constants.AuditAdminLoginSuccessEvent,
 		ActorType:    constants.AuditActorTypeAdmin,
 		ResourceType: constants.AuditResourceTypeAdminSession,
+		IPAddress:    utils.GetIP(gc.Request),
+		UserAgent:    utils.GetUserAgent(gc.Request),
 	})
 	res = &model.Response{
 		Message: "admin logged in successfully",

internal/graphql/admin_logout.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/cookie"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
@@ -25,9 +26,12 @@ func (g *graphqlProvider) AdminLogout(ctx context.Context) (*model.Response, err
 	}
 
 	cookie.DeleteAdminCookie(gc, g.Config.AdminCookieSecure)
-	g.logAuditEvent(ctx, constants.AuditAdminLogoutEvent, AuditLogOpts{
+	g.AuditProvider.LogEvent(audit.Event{
+		Action:       constants.AuditAdminLogoutEvent,
 		ActorType:    constants.AuditActorTypeAdmin,
 		ResourceType: constants.AuditResourceTypeAdminSession,
+		IPAddress:    utils.GetIP(gc.Request),
+		UserAgent:    utils.GetUserAgent(gc.Request),
 	})
 
 	res := &model.Response{

internal/graphql/audit_log_helper.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"time"
 
+	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/refs"
@@ -43,12 +44,15 @@ func (g *graphqlProvider) DeactivateAccount(ctx context.Context) (*model.Respons
 		g.MemoryStoreProvider.DeleteAllUserSessions(user.ID)
 		g.EventsProvider.RegisterEvent(ctx, constants.UserDeactivatedWebhookEvent, "", user)
 	}()
-	g.logAuditEvent(ctx, constants.AuditUserDeactivatedEvent, AuditLogOpts{
+	g.AuditProvider.LogEvent(audit.Event{
+		Action:       constants.AuditUserDeactivatedEvent,
 		ActorID:      user.ID,
 		ActorType:    constants.AuditActorTypeUser,
 		ActorEmail:   refs.StringValue(user.Email),
 		ResourceType: constants.AuditResourceTypeUser,
 		ResourceID:   user.ID,
+		IPAddress:    utils.GetIP(gc.Request),
+		UserAgent:    utils.GetUserAgent(gc.Request),
 	})
 	res = &model.Response{
 		Message: `user account deactivated successfully`,

internal/graphql/deactivate_account.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/utils"
@@ -43,10 +44,13 @@ func (g *graphqlProvider) DeleteEmailTemplate(ctx context.Context, params *model
 		return nil, err
 	}
 
-	g.logAuditEvent(ctx, constants.AuditAdminEmailTemplateDeletedEvent, AuditLogOpts{
+	g.AuditProvider.LogEvent(audit.Event{
+		Action:       constants.AuditAdminEmailTemplateDeletedEvent,
 		ActorType:    constants.AuditActorTypeAdmin,
 		ResourceType: constants.AuditResourceTypeEmailTemplate,
 		ResourceID:   params.ID,
+		IPAddress:    utils.GetIP(gc.Request),
+		UserAgent:    utils.GetUserAgent(gc.Request),
 	})
 	return &model.Response{
 		Message: "Email templated deleted successfully",

internal/graphql/delete_email_template.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/refs"
@@ -89,10 +90,13 @@ func (g *graphqlProvider) DeleteUser(ctx context.Context, params *model.DeleteUs
 		g.MemoryStoreProvider.DeleteAllUserSessions(user.ID)
 		g.EventsProvider.RegisterEvent(ctx, constants.UserDeletedWebhookEvent, "", user)
 	}()
-	g.logAuditEvent(ctx, constants.AuditAdminUserDeletedEvent, AuditLogOpts{
+	g.AuditProvider.LogEvent(audit.Event{
+		Action:       constants.AuditAdminUserDeletedEvent,
 		ActorType:    constants.AuditActorTypeAdmin,
 		ResourceType: constants.AuditResourceTypeUser,
 		ResourceID:   user.ID,
+		IPAddress:    utils.GetIP(gc.Request),
+		UserAgent:    utils.GetUserAgent(gc.Request),
 	})
 
 	return res, nil