Create login audit table

suvikankare · suvikankare · commit b76b47f9c1ba · 2025-12-05T13:59:35.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -25,7 +25,7 @@ ADD https://raw.githubusercontent.com/HSLdevcom/jore4-tools/main/docker/read-sec
 # copy over compiled jar
 COPY --from=builder /build/target/*.jar /usr/src/jore4-auth/auth-backend.jar
 
-# read docker secrets into environment varaibles and run application
+# read docker secrets into environment variables and run application
 CMD /bin/bash -c "source /app/scripts/read-secrets.sh && java -jar /usr/src/jore4-auth/auth-backend.jar"
 
 HEALTHCHECK --interval=1m --timeout=5s \
diff --git a/src/main/kotlin/fi/hsl/jore4/auth/audit/LoginAudit.kt b/src/main/kotlin/fi/hsl/jore4/auth/audit/LoginAudit.kt
@@ -0,0 +1,26 @@
+package fi.hsl.jore4.auth.audit
+
+import jakarta.persistence.Column
+import jakarta.persistence.Entity
+import jakarta.persistence.GeneratedValue
+import jakarta.persistence.GenerationType
+import jakarta.persistence.Id
+import jakarta.persistence.Table
+import java.time.Instant
+
+/**
+ * Entity representing a login record.
+ */
+@Entity
+@Table(name = "login_audit")
+data class LoginAudit(
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    val id: Long? = null,
+    @Column(name = "user_id", nullable = false)
+    val userId: String,
+    @Column(name = "user_name")
+    val userName: String?,
+    @Column(name = "login_timestamp", nullable = false)
+    val loginTimestamp: Instant = Instant.now()
+)
diff --git a/src/main/kotlin/fi/hsl/jore4/auth/audit/LoginAuditRepository.kt b/src/main/kotlin/fi/hsl/jore4/auth/audit/LoginAuditRepository.kt
@@ -0,0 +1,10 @@
+package fi.hsl.jore4.auth.audit
+
+import org.springframework.data.jpa.repository.JpaRepository
+import org.springframework.stereotype.Repository
+
+/**
+ * Repository for login records.
+ */
+@Repository
+interface LoginAuditRepository : JpaRepository<LoginAudit, Long>
diff --git a/src/main/kotlin/fi/hsl/jore4/auth/audit/LoginAuditService.kt b/src/main/kotlin/fi/hsl/jore4/auth/audit/LoginAuditService.kt
@@ -0,0 +1,45 @@
+package fi.hsl.jore4.auth.audit
+
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean
+import org.springframework.stereotype.Service
+import org.springframework.transaction.annotation.Transactional
+
+/**
+ * Service for logging login events.
+ * Only enabled when JPA is available.
+ */
+@Service
+@ConditionalOnBean(LoginAuditRepository::class)
+open class LoginAuditService(
+    private val loginAuditRepository: LoginAuditRepository
+) {
+    companion object {
+        private val LOGGER: Logger = LoggerFactory.getLogger(LoginAuditService::class.java)
+    }
+
+    /**
+     * Record a login event for the specified user.
+     */
+    @Transactional
+    open fun recordLogin(
+        userId: String,
+        userName: String?
+    ) {
+        try {
+            val auditRecord =
+                LoginAudit(
+                    userId = userId,
+                    userName = userName
+                )
+
+            loginAuditRepository.save(auditRecord)
+
+            LOGGER.info("Recorded login for user: userId={}, userName={}", userId, userName)
+        } catch (e: Exception) {
+            // Log the error but don't fail the login process
+            LOGGER.error("Failed to record login audit for user: userId={}, userName={}", userId, userName, e)
+        }
+    }
+}
diff --git a/src/main/kotlin/fi/hsl/jore4/auth/oidc/OIDCCodeExchangeService.kt b/src/main/kotlin/fi/hsl/jore4/auth/oidc/OIDCCodeExchangeService.kt
@@ -1,5 +1,6 @@
 package fi.hsl.jore4.auth.oidc
 
+import com.fasterxml.jackson.databind.ObjectMapper
 import com.nimbusds.oauth2.sdk.AuthorizationCode
 import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant
 import com.nimbusds.oauth2.sdk.Scope
@@ -10,9 +11,13 @@ import com.nimbusds.oauth2.sdk.id.ClientID
 import com.nimbusds.oauth2.sdk.id.State
 import com.nimbusds.openid.connect.sdk.OIDCTokenResponse
 import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser
+import fi.hsl.jore4.auth.audit.LoginAuditService
 import jakarta.servlet.http.HttpSession
+import okhttp3.OkHttpClient
+import okhttp3.Request
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
+import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.stereotype.Service
 import java.net.URI
@@ -28,10 +33,17 @@ open class OIDCCodeExchangeService(
     private val verificationService: TokenVerificationService,
     @Value("\${loginpage.url}") private val loginPageUrl: String
 ) {
+    @Autowired(required = false)
+    private var loginAuditService: LoginAuditService? = null
+
     companion object {
         private val LOGGER: Logger = LoggerFactory.getLogger(OIDCCodeExchangeService::class.java)
+        private const val SUB_CLAIM = "sub"
+        private const val NAME_CLAIM = "name"
     }
 
+    private val httpClient = OkHttpClient.Builder().build()
+
     /**
      * Exchange the given authorization {@param code} for an access and refresh token.
      *
@@ -78,6 +90,7 @@ open class OIDCCodeExchangeService(
         // get the access token and refresh token
         val accessToken = successResponse.oidcTokens.accessToken
         val refreshToken = successResponse.oidcTokens.refreshToken
+        val idToken = successResponse.oidcTokens.idToken
 
         // verify token authenticity and validity if not using Entra, as it uses an unverifiable internal token
         // See https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens#validate-tokens
@@ -87,11 +100,74 @@ open class OIDCCodeExchangeService(
 
         session.setAttribute(SessionKeys.USER_TOKEN_SET_KEY, UserTokenSet(accessToken, refreshToken))
 
+        // Record the login event in the audit log
+        try {
+            loginAuditService?.let {
+                val userId = idToken.jwtClaimsSet.subject
+                val userName = fetchUserNameFromUserInfo(accessToken.value, userId)
+                it.recordLogin(userId, userName)
+            }
+        } catch (e: Exception) {
+            LOGGER.warn("Could not record login audit", e)
+        }
+
         // redirect the user to the login page URL
         val redirectUri = URI.create(loginPageUrl)
 
         LOGGER.debug("Created redirect URI: {}", redirectUri)
 
         return redirectUri
     }
+
+    /**
+     * Fetch the user's name from the OIDC UserInfo endpoint.
+     */
+    private fun fetchUserNameFromUserInfo(
+        accessTokenValue: String,
+        expectedSub: String
+    ): String? =
+        runCatching {
+            val request =
+                Request
+                    .Builder()
+                    .addHeader("Authorization", "Bearer $accessTokenValue")
+                    .addHeader("Accept", "application/json")
+                    .get()
+                    .url(oidcProviderMetadataSupplier.providerMetadata.userInfoEndpointURI.toURL())
+                    .build()
+
+            httpClient
+                .newCall(request)
+                .execute()
+                .use { response ->
+                    if (!response.isSuccessful) {
+                        LOGGER.warn("Failed to fetch UserInfo, status: {}", response.code)
+                        return null
+                    }
+
+                    val responseBody =
+                        response.body?.string() ?: run {
+                            LOGGER.warn("UserInfo response body is null")
+                            return null
+                        }
+
+                    val result = ObjectMapper().readValue(responseBody, Map::class.java) as Map<*, *>
+
+                    // Verify that the sub claim matches the ID token's sub
+                    val userInfoSub = result[SUB_CLAIM]?.toString()
+                    if (userInfoSub != expectedSub) {
+                        LOGGER.error(
+                            "UserInfo sub claim '{}' does not match ID token sub '{}'.",
+                            userInfoSub,
+                            expectedSub
+                        )
+                        return null
+                    }
+
+                    result[NAME_CLAIM]?.toString()
+                }
+        }.getOrElse { e ->
+            LOGGER.warn("Error fetching user name from UserInfo endpoint", e)
+            null
+        }
 }
diff --git a/src/main/resources/db/migration/V1__create_login_audit_table.sql b/src/main/resources/db/migration/V1__create_login_audit_table.sql
@@ -0,0 +1,23 @@
+-- Create login_audit table for tracking login events
+CREATE TABLE IF NOT EXISTS login_audit (
+    id BIGSERIAL PRIMARY KEY,
+    user_id TEXT NOT NULL,
+    user_name TEXT,
+    login_timestamp TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE INDEX IF NOT EXISTS idx_login_audit_user_id ON login_audit(user_id);
+CREATE INDEX IF NOT EXISTS idx_login_audit_timestamp ON login_audit(login_timestamp);
+
+-- Grant permissions to the database user
+DO $$
+BEGIN
+    IF EXISTS (SELECT FROM pg_roles WHERE rolname = 'dbauth') THEN
+        GRANT SELECT, INSERT ON login_audit TO dbauth;
+        GRANT USAGE, SELECT ON SEQUENCE login_audit_id_seq TO dbauth;
+    END IF;
+    IF EXISTS (SELECT FROM pg_roles WHERE rolname = 'dbhasura') THEN
+        GRANT SELECT ON login_audit TO dbhasura;
+        GRANT USAGE, SELECT ON SEQUENCE login_audit_id_seq TO dbhasura;
+    END IF;
+END $$;
