import { NextResponse } from "next/server"; import { prisma } from "@nexus/db"; import { createNotificationsForUsers } from "@nexus/api"; import { logger } from "@nexus/api/lib/logger"; import { verifyCronSecret } from "~/lib/cron-auth.js"; import { detectAuthAnomalies } from "./detect.js"; export const dynamic = "force-dynamic"; export const runtime = "nodejs"; /** * GET /api/cron/auth-anomaly-check * * Scans recent auth audit events for brute-force / anomaly patterns and * alerts ADMIN users when thresholds are exceeded. * * Protected by CRON_SECRET. Run every 30 minutes via cron or Vercel Cron. */ export async function GET(request: Request) { const deny = verifyCronSecret(request); if (deny) return deny; try { const report = await detectAuthAnomalies(); if (report.anomalies.length > 0) { const adminUsers = await prisma.user.findMany({ where: { systemRole: "ADMIN" }, select: { id: true }, }); if (adminUsers.length > 0) { const summary = report.anomalies .map((a) => a.entityId ? `${a.type}: ${a.count} failures for entity ${a.entityId}` : `${a.type}: ${a.count} total failures`, ) .join("; "); await createNotificationsForUsers({ db: prisma, userIds: adminUsers.map((u) => u.id), type: "SYSTEM_ALERT", title: `Auth Anomaly Detected (${report.anomalies.length} signal${report.anomalies.length > 1 ? "s" : ""})`, body: `${summary}. Window: ${report.windowStartedAt} – ${report.windowEndedAt}. Review audit logs at /admin/settings.`, category: "system", priority: "CRITICAL", link: "/admin/settings", }); logger.warn( { anomalies: report.anomalies, window: { start: report.windowStartedAt, end: report.windowEndedAt }, }, "Auth anomaly cron: anomalies detected and admins notified", ); } } return NextResponse.json({ ok: true, ...report, }); } catch (error) { logger.error({ error, route: "/api/cron/auth-anomaly-check" }, "Auth anomaly cron failed"); return NextResponse.json({ ok: false, error: "Internal error" }, { status: 500 }); } }