feat: implement role-based access control and auth routes

backend/middleware/auditLogger.js

@@ -1,28 +1,33 @@
 // middleware/auditLogger.js
-const fs = require('fs').promises;
-const path = require('path');
+const db = require('../db');
 
-// In a real app, this would write to a database
-async function auditLogger(req, res, next) {
-  const logEntry = {
-    timestamp: new Date().toISOString(),
-    actorUserId: req.user?.id || 'anonymous',
-    action: `${req.method} ${req.path}`,
-    targetType: req.route?.path || 'unknown',
-    targetId: req.params?.id || 'unknown',
-    userAgent: req.get('User-Agent'),
-    ip: req.ip
+/**
+ * Middleware zur Protokollierung sensibler Aktionen
+ * @param {string} action - Name der Aktion (z.B. 'USER_SUSPEND')
+ * @param {string} targetType - Typ des Zielobjekts (z.B. 'user')
+ * @returns {function} Express-Middleware-Funktion
+ */
+function auditLogger(action, targetType) {
+  return async (req, res, next) => {
+    try {
+      const timestamp = new Date().toISOString();
+      const actorUserId = req.user?.id || null;
+      const targetId = req.params.id || req.body.id || null;
+      const reason = req.body.reason || null;
+
+      // Audit-Eintrag in die Datenbank schreiben
+      await db.run(
+        'INSERT INTO audit_log (timestamp, actor_user_id, action, target_type, target_id, reason) VALUES (?, ?, ?, ?, ?, ?)',
+        [timestamp, actorUserId, action, targetType, targetId, reason]
+      );
+
+      next();
+    } catch (err) {
+      console.error('Audit logging failed:', err);
+      // Fehler bei Audit-Logging sollte nicht den Request blockieren
+      next();
+    }
   };
-
-  // Log to file (in real app, this would be a DB insert)
-  try {
-    const logPath = path.join(__dirname, '../logs/audit.log');
-    await fs.appendFile(logPath, JSON.stringify(logEntry) + '\n');
-  } catch (error) {
-    console.error('Failed to write audit log:', error);
-  }
-
-  next();
 }
 
 module.exports = auditLogger;