security(csv-export): harden mnemonic export with super admin, audit, watermark (#48)

- Add SUPER_ADMIN_IDS config (fallback to ADMIN_IDS if not set)
- Add isSuperAdmin() to middleware/auth.js
- Create auditService.js for structured audit logging (DB + pino)
- Create migration 005_audit_log.js
- Add confirmation dialog before CSV export (confirm_export_ callback)
- Check isSuperAdmin before export — block non-super admins
- Audit log every export: admin ID, wallet type, wallet count
- Add exported_by watermark column to CSV with admin telegram ID
- Notify all other super admins when export occurs
- Add SUPER_ADMIN_IDS to .env.example

8 files changed, 154 insertions, 39 deletions
This commit is contained in:
NW
2026-06-22 10:07:58 +01:00
parent a04e60d751
commit 49945d9d81
8 changed files with 155 additions and 40 deletions

View File

@@ -39,6 +39,7 @@ export async function runMigrations() {
(await import('./002_add_columns.js')).default,
(await import('./003_add_indexes.js')).default,
(await import('./004_user_states.js')).default,
(await import('./005_audit_log.js')).default,
];
for (let i = currentVersion; i < migrations.length; i++) {