Fix Audit Logs Authentication in ADM Portal

Resolved 💬 3 comments Opened Aug 24, 2025 by kabzadev Closed Aug 25, 2025

Problem

The Audit Logs page in the ADM portal shows "Error loading logs" because:

  1. The frontend expects authenticated API calls and sends JWT tokens
  2. The backend /api/audit endpoint in the Express server doesn't require authentication
  3. This creates a mismatch where authenticated requests fail

Current Architecture

  • Container: lseg-postgres-test running Express.js server on port 3000
  • Database: PostgreSQL with audit logs table containing real data
  • Frontend: React app on port 4000 with MSAL authentication
  • Issue: Backend audit endpoint has no auth validation

Solution Plan

Step 1: Identify the Source

  • [ ] Find the actual source code for the Express server running in the container
  • [ ] Locate where the /api/audit endpoint is defined
  • [ ] Understand the existing JWT validation pattern used in other endpoints

Step 2: Add Authentication

  • [ ] Add JWT token extraction from Authorization header
  • [ ] Add token validation using existing jwtService
  • [ ] Add Teams Administrator role check for audit access
  • [ ] Log the authenticated user making audit requests

Step 3: Test Authentication

  • [ ] Verify unauthenticated requests return 401
  • [ ] Verify authenticated requests with proper roles return audit data
  • [ ] Test frontend logs page displays data correctly
  • [ ] Verify user tracking in audit logs

Step 4: Validate End-to-End

  • [ ] Confirm audit logs page loads with real data
  • [ ] Verify proper user identification in audit entries
  • [ ] Test role-based access control

Acceptance Criteria

  • [ ] /api/audit endpoint requires valid JWT token
  • [ ] Endpoint requires Teams Administrator role
  • [ ] Frontend logs page displays audit data correctly
  • [ ] User identity is properly tracked in audit requests
  • [ ] No authentication bypasses remain

Technical Requirements

  • Must use existing container and Express server (no new deployments)
  • Must integrate with existing JWT validation service
  • Must maintain current audit data structure
  • Must work with existing frontend authentication flow

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗