Kwaku Danso
b873012191
Per-event fraud tuning. Hosts can now dial the medium / high / block
boundaries, allowlist trusted networks, and feed verdicts back on
flagged accesses — the seed corpus for a future ML model.
Schema (migration 0011)
- events.fraud_{medium,high,block}_threshold default 30/60/85 so
existing events behave identically until a host changes them
- access_logs.geo_{country,city,lat,lon} for future enrichment
- fraud_feedback table — verdict ('legitimate' | 'suspicious') + note,
PK on access_log_id so re-mark is an upsert
- event_allowlists table — (event_id, ip_cidr) primary key, inet column
so containment checks use the native >>= operator (indexed lookup)
Domain
- FraudThresholds with Valid() + Band() helpers; Default trio echoed
through GET responses so the frontend doesn't duplicate constants
- ParseAllowlistCIDR accepts bare IPs (auto-widens to /32 or /128) and
canonicalises the output (203.0.113.42 → 203.0.113.42/32)
- Event.Thresholds() falls back to defaults if columns weren't
populated yet, so the API never wedges every score into "low"
Storage
- AllowlistRepo: List / Add / Remove + Matches() — the latter pushes
CIDR containment into Postgres rather than streaming rows back
- FeedbackRepo: Record (upserts) + ListForEvent (joined through guests)
- EventRepo.GetThresholds + UpdateThresholds, plus the threshold
columns baked into scanEvent so every event load carries them
- AccessLogRepo.BelongsToEvent — stops a hostile editor on event A
from marking event B's access logs
API
- GET/PUT /events/{id}/security/thresholds (viewer/editor)
- GET/POST/DELETE /events/{id}/security/allowlist
- POST /events/{id}/access-logs/{log_id}/feedback (editor)
- GET /events/{id}/security/feedback
- RSVP scoring path: allowlist short-circuit fires before the fraud
engine; the engine's score is then re-banded against the event's
thresholds (engine.Risk becomes advisory — API is the source of
truth for "what counts as block here")
- CORS Allow-Methods already includes PUT (Block D fix)
Fraud engine
- Single-signal cap: it now takes ≥2 sub-scores of ≥70 to push the
final into HIGH. Fixes the well-known "second visit with a slightly
shifted fingerprint scores 60+" false positive
- Engine band remains advisory; API re-bands using per-event
thresholds before deciding to block
Frontend
- SecurityCard.vue: visual band ribbon (proportional to thresholds),
three sliders with mutual clamping so dragging medium past high
pushes high (not an invalid ordering), reset-to-defaults button,
CIDR allowlist with inline add + per-row remove, verdict-history
inbox. Toast feedback on save/add/remove
- "Security" tab added to the event-detail tab nav (5th tab,
right of Analytics)
- Viewer role hides write affordances; server enforces too
Tests
- Domain: ThresholdsBand, ThresholdsValid, ParseAllowlistCIDR (bare
IP widening + traversal/typo rejection), FraudFeedbackValid
- Integration: thresholds round-trip + invalid ordering rejection,
allowlist CRUD + duplicate 409 + invalid CIDR 400 + IP auto-widen,
feedback record + upsert + cross-tenant 404 + invalid verdict 400,
viewer can read / editor can write / outsider gets 404
- Full integration suite green (315.8s, all 36 top-level tests pass)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
243 lines
7.8 KiB
Go
243 lines
7.8 KiB
Go
package storage
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"strings"
|
|
|
|
"github.com/google/uuid"
|
|
"github.com/jackc/pgx/v5"
|
|
"github.com/jackc/pgx/v5/pgconn"
|
|
"github.com/jackc/pgx/v5/pgxpool"
|
|
|
|
"github.com/alchemistkay/guestguard/internal/domain"
|
|
)
|
|
|
|
// AllowlistRepo manages the per-event CIDR bypass list. Lookups happen
|
|
// before each fraud-engine call so they need to be cheap — the index on
|
|
// event_id keeps that O(log n) even on very busy events.
|
|
type AllowlistRepo struct {
|
|
pool *pgxpool.Pool
|
|
}
|
|
|
|
func NewAllowlistRepo(db *DB) *AllowlistRepo {
|
|
return &AllowlistRepo{pool: db.Pool}
|
|
}
|
|
|
|
// List returns every CIDR allowlisted for the event, newest first.
|
|
func (r *AllowlistRepo) List(ctx context.Context, eventID uuid.UUID) ([]domain.Allowlist, error) {
|
|
rows, err := r.pool.Query(ctx, `
|
|
SELECT event_id, ip_cidr::text, COALESCE(label, ''), created_by, created_at
|
|
FROM event_allowlists
|
|
WHERE event_id = $1
|
|
ORDER BY created_at DESC
|
|
`, eventID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer rows.Close()
|
|
out := []domain.Allowlist{}
|
|
for rows.Next() {
|
|
var a domain.Allowlist
|
|
if err := rows.Scan(&a.EventID, &a.CIDR, &a.Label, &a.CreatedBy, &a.CreatedAt); err != nil {
|
|
return nil, err
|
|
}
|
|
out = append(out, a)
|
|
}
|
|
return out, rows.Err()
|
|
}
|
|
|
|
type AddAllowlistParams struct {
|
|
EventID uuid.UUID
|
|
CIDR string // pre-validated; ParseAllowlistCIDR canonicalised it
|
|
Label string
|
|
CreatedBy uuid.UUID
|
|
}
|
|
|
|
// Add inserts a row. A pre-existing (event_id, ip_cidr) returns
|
|
// ErrAllowlistExists so the API can render a friendly 409 instead of the
|
|
// raw Postgres unique-violation.
|
|
func (r *AllowlistRepo) Add(ctx context.Context, p AddAllowlistParams) (*domain.Allowlist, error) {
|
|
const q = `
|
|
INSERT INTO event_allowlists (event_id, ip_cidr, label, created_by)
|
|
VALUES ($1, $2::inet, NULLIF($3, ''), $4)
|
|
RETURNING event_id, ip_cidr::text, COALESCE(label, ''), created_by, created_at
|
|
`
|
|
var a domain.Allowlist
|
|
err := r.pool.QueryRow(ctx, q, p.EventID, p.CIDR, p.Label, p.CreatedBy).Scan(
|
|
&a.EventID, &a.CIDR, &a.Label, &a.CreatedBy, &a.CreatedAt,
|
|
)
|
|
if err != nil {
|
|
var pgErr *pgconn.PgError
|
|
if errors.As(err, &pgErr) && pgErr.Code == "23505" {
|
|
return nil, ErrAllowlistExists
|
|
}
|
|
return nil, err
|
|
}
|
|
return &a, nil
|
|
}
|
|
|
|
// Remove deletes an allowlist entry. Returns ErrAllowlistNotFound if the
|
|
// (event, cidr) tuple doesn't exist.
|
|
func (r *AllowlistRepo) Remove(ctx context.Context, eventID uuid.UUID, cidr string) error {
|
|
tag, err := r.pool.Exec(ctx,
|
|
`DELETE FROM event_allowlists WHERE event_id = $1 AND ip_cidr = $2::inet`,
|
|
eventID, strings.TrimSpace(cidr))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if tag.RowsAffected() == 0 {
|
|
return domain.ErrAllowlistNotFound
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Matches reports whether the given IP falls inside any allowlisted CIDR
|
|
// for the event. Returns the matching label (if any) so the API can log
|
|
// "bypassed allowlist=Office Wi-Fi" instead of a bare boolean.
|
|
//
|
|
// We push the CIDR containment into Postgres via the inet `>>=` operator
|
|
// — much faster than streaming every row back to Go and matching there.
|
|
// One DB round-trip per access, indexed by event_id.
|
|
func (r *AllowlistRepo) Matches(ctx context.Context, eventID uuid.UUID, ip string) (bool, string, error) {
|
|
if ip == "" {
|
|
return false, "", nil
|
|
}
|
|
var label string
|
|
err := r.pool.QueryRow(ctx, `
|
|
SELECT COALESCE(label, '')
|
|
FROM event_allowlists
|
|
WHERE event_id = $1
|
|
AND ip_cidr >>= $2::inet
|
|
LIMIT 1
|
|
`, eventID, ip).Scan(&label)
|
|
if err != nil {
|
|
if errors.Is(err, pgx.ErrNoRows) {
|
|
return false, "", nil
|
|
}
|
|
// Invalid IP gets a Postgres error — treat as "doesn't match" so a
|
|
// malformed forwarded IP doesn't blow up the access path.
|
|
return false, "", nil
|
|
}
|
|
return true, label, nil
|
|
}
|
|
|
|
// --- thresholds ---
|
|
|
|
// GetThresholds returns the per-event fraud thresholds. Missing event
|
|
// surfaces as the global defaults — the caller normally has the event
|
|
// loaded already and doesn't need this method, but the fraud engine /
|
|
// access path can use it as a cheap lookup without re-loading the row.
|
|
func (r *EventRepo) GetThresholds(ctx context.Context, eventID uuid.UUID) (domain.FraudThresholds, error) {
|
|
var th domain.FraudThresholds
|
|
err := r.pool.QueryRow(ctx, `
|
|
SELECT fraud_medium_threshold, fraud_high_threshold, fraud_block_threshold
|
|
FROM events WHERE id = $1
|
|
`, eventID).Scan(&th.Medium, &th.High, &th.Block)
|
|
if err != nil {
|
|
if errors.Is(err, pgx.ErrNoRows) {
|
|
return domain.DefaultThresholds(), domain.ErrEventNotFound
|
|
}
|
|
return domain.DefaultThresholds(), err
|
|
}
|
|
return th, nil
|
|
}
|
|
|
|
// UpdateThresholds patches the trio. Validation lives in the handler
|
|
// (host-facing error messages), but we keep the SQL guard rail with the
|
|
// ordering check duplicated at the DB level — a misbehaving client should
|
|
// never be able to write nonsense.
|
|
func (r *EventRepo) UpdateThresholds(ctx context.Context, eventID uuid.UUID, th domain.FraudThresholds) error {
|
|
if err := th.Valid(); err != nil {
|
|
return err
|
|
}
|
|
tag, err := r.pool.Exec(ctx, `
|
|
UPDATE events SET
|
|
fraud_medium_threshold = $2,
|
|
fraud_high_threshold = $3,
|
|
fraud_block_threshold = $4,
|
|
updated_at = now()
|
|
WHERE id = $1
|
|
`, eventID, th.Medium, th.High, th.Block)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if tag.RowsAffected() == 0 {
|
|
return domain.ErrEventNotFound
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// --- feedback ---
|
|
|
|
type FeedbackRepo struct {
|
|
pool *pgxpool.Pool
|
|
}
|
|
|
|
func NewFeedbackRepo(db *DB) *FeedbackRepo {
|
|
return &FeedbackRepo{pool: db.Pool}
|
|
}
|
|
|
|
type RecordFeedbackParams struct {
|
|
AccessLogID uuid.UUID
|
|
Verdict string // "legitimate" | "suspicious"
|
|
MarkedBy uuid.UUID
|
|
Note string
|
|
}
|
|
|
|
// Record upserts the verdict. Hosts sometimes change their mind ("oh,
|
|
// that was Aunty after all"); ON CONFLICT lets the second click win
|
|
// rather than 409-ing them.
|
|
func (r *FeedbackRepo) Record(ctx context.Context, p RecordFeedbackParams) (*domain.FraudFeedback, error) {
|
|
const q = `
|
|
INSERT INTO fraud_feedback (access_log_id, verdict, marked_by, note)
|
|
VALUES ($1, $2, $3, NULLIF($4, ''))
|
|
ON CONFLICT (access_log_id) DO UPDATE SET
|
|
verdict = EXCLUDED.verdict,
|
|
marked_by = EXCLUDED.marked_by,
|
|
note = EXCLUDED.note,
|
|
created_at = now()
|
|
RETURNING access_log_id, verdict, marked_by, COALESCE(note, ''), created_at
|
|
`
|
|
var f domain.FraudFeedback
|
|
err := r.pool.QueryRow(ctx, q, p.AccessLogID, p.Verdict, p.MarkedBy, p.Note).Scan(
|
|
&f.AccessLogID, &f.Verdict, &f.MarkedBy, &f.Note, &f.CreatedAt,
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &f, nil
|
|
}
|
|
|
|
// ListForEvent returns every feedback row for access logs on the event,
|
|
// newest first. Powers the host's "I've reviewed these" filter on the
|
|
// Security tab and the future ML training pipeline.
|
|
func (r *FeedbackRepo) ListForEvent(ctx context.Context, eventID uuid.UUID) ([]domain.FraudFeedback, error) {
|
|
rows, err := r.pool.Query(ctx, `
|
|
SELECT f.access_log_id, f.verdict, f.marked_by, COALESCE(f.note, ''), f.created_at
|
|
FROM fraud_feedback f
|
|
JOIN access_logs a ON a.id = f.access_log_id
|
|
JOIN guests g ON g.id = a.guest_id
|
|
WHERE g.event_id = $1
|
|
ORDER BY f.created_at DESC
|
|
`, eventID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer rows.Close()
|
|
out := []domain.FraudFeedback{}
|
|
for rows.Next() {
|
|
var f domain.FraudFeedback
|
|
if err := rows.Scan(&f.AccessLogID, &f.Verdict, &f.MarkedBy, &f.Note, &f.CreatedAt); err != nil {
|
|
return nil, err
|
|
}
|
|
out = append(out, f)
|
|
}
|
|
return out, rows.Err()
|
|
}
|
|
|
|
// ErrAllowlistExists is the storage-layer signal for a duplicate insert.
|
|
// Exposed here (not in domain) because the API layer is what cares about
|
|
// the 409 mapping — domain just sees "already exists".
|
|
var ErrAllowlistExists = errors.New("allowlist entry already exists")
|