refactor: update account and transaction handling with improved logging and parameter handling

- Changed `null` parameters to `undefined` in account closing and balance retrieval for better API compatibility.
- Enhanced logging in account-related functions to provide detailed insights during operations.
- Updated transaction listing to handle date parameters more robustly.
- Improved OAuth2 routes with detailed logging for authorization and token exchange processes.
- Removed outdated authentication tests to streamline the test suite.

Author: ZoneMix

src/auth/oauth2/code.js

@@ -4,6 +4,7 @@
 
 import crypto from 'crypto';
 import { executeQuery, getRow, pruneExpiredCodes } from '../../db/authDb.js';
+import logger from '../../logging/logger.js';
 
 /**
  * Generate and store a short-lived authorization code.
@@ -18,6 +19,14 @@ export const generateAuthCode = async (clientId, userId, redirectUri, scope = 'a
     VALUES (?, ?, ?, ?, ?, ?)
   `, [code, clientId, userId, redirectUri, scope, expiresAt]);
 
+  logger.debug('[OAuth2] Authorization code generated', { 
+    clientId, 
+    userId, 
+    redirectUri, 
+    scope,
+    expiresAt 
+  });
+
   return code;
 };
 
@@ -35,6 +44,7 @@ const validateAuthCodeFormat = (code) => {
  */
 export const validateAuthCode = async (code, clientId, redirectUri) => {
   if (!validateAuthCodeFormat(code)) {
+    logger.warn('[OAuth2] Invalid authorization code format', { clientId, codeLength: code?.length });
     throw new Error('Invalid authorization code format');
   }
   await pruneExpiredCodes();
@@ -43,10 +53,19 @@ export const validateAuthCode = async (code, clientId, redirectUri) => {
     WHERE code = ? AND client_id = ? AND redirect_uri = ?
   `, [code, clientId, redirectUri]);
 
-  if (!row) throw new Error('Invalid or expired authorization code');
+  if (!row) {
+    logger.warn('[OAuth2] Invalid or expired authorization code', { clientId, redirectUri });
+    throw new Error('Invalid or expired authorization code');
+  }
 
   // One-time use – delete
   await executeQuery('DELETE FROM auth_codes WHERE code = ?', [code]);
 
+  logger.debug('[OAuth2] Authorization code validated and consumed', { 
+    clientId, 
+    userId: row.user_id, 
+    scope: row.scope || 'api' 
+  });
+
   return { userId: row.user_id, scope: row.scope || 'api' };
 };

src/routes/accounts.js

@@ -74,7 +74,7 @@ router.post(
   validateBody(CloseAccountSchema),
   asyncHandler(async (req, res) => {
     const { transferAccountId, transferCategoryId } = req.validatedBody;
-    await accountClose(req.validatedParams.id, transferAccountId || null, transferCategoryId || null);
+    await accountClose(req.validatedParams.id, transferAccountId || undefined, transferCategoryId || undefined);
     sendSuccess(res);
   })
 );
@@ -93,7 +93,7 @@ router.get(
   '/:id/balance',
   validateParams(IDSchema),
   asyncHandler(async (req, res) => {
-    const cutoff = req.query.cutoff ? new Date(req.query.cutoff) : null;
+    const cutoff = req.query.cutoff ? new Date(req.query.cutoff) : undefined;
     const balance = await accountBalance(req.validatedParams.id, cutoff);
     sendSuccess(res, { balance });
   })

src/routes/admin.js

@@ -11,6 +11,7 @@ import { asyncHandler } from '../middleware/asyncHandler.js';
 import { sendSuccess, sendCreated, throwBadRequest, throwNotFound } from '../middleware/responseHelpers.js';
 import { validateBody, validateParams, CreateClientSchema, UpdateClientSchema, ClientIdParamsSchema } from '../middleware/validation-schemas.js';
 import { adminLimiter, standardWriteLimiter, deleteLimiter } from '../middleware/rateLimiters.js';
+import logger from '../logging/logger.js';
 
 const router = express.Router();
 
@@ -24,7 +25,9 @@ router.use(adminLimiter);
  * List all OAuth clients (without secrets).
  */
 router.get('/oauth-clients', asyncHandler(async (req, res) => {
+  logger.debug('[Admin] Listing OAuth clients', { userId: req.user?.user_id });
   const clients = await listClients();
+  logger.info('[Admin] OAuth clients listed', { userId: req.user?.user_id, count: clients.length });
   sendSuccess(res, { clients });
 }));
 
@@ -35,12 +38,15 @@ router.get('/oauth-clients', asyncHandler(async (req, res) => {
  */
 router.get('/oauth-clients/:clientId', validateParams(ClientIdParamsSchema), asyncHandler(async (req, res) => {
   const { clientId } = req.validatedParams;
+  logger.debug('[Admin] Getting OAuth client', { userId: req.user?.user_id, clientId });
   const client = await getClient(clientId);
 
   if (!client) {
+    logger.warn('[Admin] OAuth client not found', { userId: req.user?.user_id, clientId });
     throwNotFound(`OAuth client '${clientId}' not found`);
   }
 
+  logger.info('[Admin] OAuth client retrieved', { userId: req.user?.user_id, clientId });
   sendSuccess(res, { client });
 }));
 
@@ -54,6 +60,14 @@ router.get('/oauth-clients/:clientId', validateParams(ClientIdParamsSchema), asy
 router.post('/oauth-clients', standardWriteLimiter, validateBody(CreateClientSchema), asyncHandler(async (req, res) => {
   const { client_id, client_secret, allowed_scopes, redirect_uris } = req.validatedBody;
 
+  logger.debug('[Admin] Creating OAuth client', { 
+    userId: req.user?.user_id, 
+    client_id,
+    hasSecret: !!client_secret,
+    allowed_scopes,
+    redirect_uris: redirect_uris ? (Array.isArray(redirect_uris) ? redirect_uris.length : 1) : 0
+  });
+  
   try {
     const client = await createClient({
       clientId: client_id,
@@ -62,14 +76,29 @@ router.post('/oauth-clients', standardWriteLimiter, validateBody(CreateClientSch
       redirectUris: redirect_uris,
     });
 
+    logger.info('[Admin] OAuth client created', { 
+      userId: req.user?.user_id, 
+      client_id,
+      allowed_scopes: client.allowed_scopes 
+    });
+    
     sendCreated(res, {
       client,
       message: 'OAuth client created successfully. Save the client_secret now - it will not be shown again.',
     });
   } catch (error) {
     if (error.message.includes('already exists')) {
+      logger.warn('[Admin] OAuth client creation failed - already exists', { 
+        userId: req.user?.user_id, 
+        client_id 
+      });
       throwBadRequest(error.message);
     }
+    logger.error('[Admin] OAuth client creation failed', { 
+      userId: req.user?.user_id, 
+      client_id, 
+      error: error.message 
+    });
     throw error;
   }
 }));
@@ -88,16 +117,35 @@ router.put('/oauth-clients/:clientId',
     const { clientId } = req.validatedParams;
     const updates = req.validatedBody;
 
+    logger.debug('[Admin] Updating OAuth client', { 
+      userId: req.user?.user_id, 
+      clientId,
+      updateFields: Object.keys(updates.fields || {})
+    });
+    
     try {
       const client = await updateClient(clientId, updates);
+      logger.info('[Admin] OAuth client updated', { 
+        userId: req.user?.user_id, 
+        clientId 
+      });
       sendSuccess(res, {
         client,
         message: 'OAuth client updated successfully',
       });
     } catch (error) {
       if (error.message.includes('not found')) {
+        logger.warn('[Admin] OAuth client update failed - not found', { 
+          userId: req.user?.user_id, 
+          clientId 
+        });
         throwNotFound(error.message);
       }
+      logger.error('[Admin] OAuth client update failed', { 
+        userId: req.user?.user_id, 
+        clientId, 
+        error: error.message 
+      });
       throw error;
     }
   })
@@ -110,12 +158,27 @@ router.put('/oauth-clients/:clientId',
  */
 router.delete('/oauth-clients/:clientId', deleteLimiter, validateParams(ClientIdParamsSchema), asyncHandler(async (req, res) => {
   const { clientId } = req.validatedParams;
+  
+  logger.debug('[Admin] Deleting OAuth client', { 
+    userId: req.user?.user_id, 
+    clientId 
+  });
+  
   const deleted = await deleteClient(clientId);
 
   if (!deleted) {
+    logger.warn('[Admin] OAuth client deletion failed - not found', { 
+      userId: req.user?.user_id, 
+      clientId 
+    });
     throwNotFound(`OAuth client '${clientId}' not found`);
   }
 
+  logger.info('[Admin] OAuth client deleted', { 
+    userId: req.user?.user_id, 
+    clientId 
+  });
+  
   sendSuccess(res, { message: `OAuth client '${clientId}' deleted successfully` });
 }));
 

src/routes/login.js

@@ -9,6 +9,7 @@ import rateLimit from 'express-rate-limit';
 import { authenticateUser } from '../auth/user.js';
 import { authenticateAdminDashboard } from '../auth/adminDashboard.js';
 import { asyncHandler } from '../middleware/asyncHandler.js';
+import logger, { logAuthEvent } from '../logging/logger.js';
 
 const router = express.Router();
 
@@ -56,12 +57,33 @@ const validateReturnTo = (returnTo, baseUrl = '') => {
 router.post('/login', loginLimiter, async (req, res) => {
   const { username, password, return_to } = req.body;
 
-  const { userId } = await authenticateUser(username, password);
-  req.session.user = { id: userId, username };
+  logger.debug('[Session] Login attempt', { username, hasReturnTo: !!return_to, ip: req.ip });
 
-  // Validate return_to to prevent open redirect attacks
-  const safeReturnTo = validateReturnTo(return_to, req.get('origin') || req.protocol + '://' + req.get('host'));
-  res.redirect(safeReturnTo);
+  try {
+    const { userId } = await authenticateUser(username, password);
+    req.session.user = { id: userId, username };
+
+    logAuthEvent('SESSION_LOGIN', userId, { username, ip: req.ip }, true);
+    logger.info('[Session] Login successful', { userId, username });
+
+    // Validate return_to to prevent open redirect attacks
+    const safeReturnTo = validateReturnTo(return_to, req.get('origin') || req.protocol + '://' + req.get('host'));
+    
+    if (return_to && return_to !== safeReturnTo) {
+      logger.warn('[Session] Invalid return_to URL sanitized', { 
+        original: return_to, 
+        sanitized: safeReturnTo,
+        username 
+      });
+    }
+    
+    res.redirect(safeReturnTo);
+  } catch (error) {
+    logAuthEvent('SESSION_LOGIN_FAILED', null, { username, reason: error.message, ip: req.ip }, false);
+    logger.warn('[Session] Login failed', { username, error: error.message, ip: req.ip });
+    // Re-throw to be handled by error middleware
+    throw error;
+  }
 });
 
 /**
@@ -72,12 +94,20 @@ router.post('/login', loginLimiter, async (req, res) => {
  */
 router.post('/logout', (req, res) => {
   const sessionCookieName = req.session.cookie.name || 'sessionId';
+  const userId = req.session.user?.id;
+  const username = req.session.user?.username;
 
   req.session.destroy((err) => {
     if (err) {
+      logger.error('[Session] Logout failed', { userId, username, error: err.message });
       return res.status(500).json({ error: 'Failed to logout' });
     }
 
+    if (userId) {
+      logAuthEvent('SESSION_LOGOUT', userId, { username }, true);
+      logger.info('[Session] Logout successful', { userId, username });
+    }
+    
     // Clear the session cookie with the same options used when creating it
     res.clearCookie(sessionCookieName, {
       httpOnly: true,