[FEATURE] Enregistrer la date de dernière connexion dans Authentication method pour les connexions OIDC (PIX-16742)

pix-service-auto-merge · web-flow · commit 0b4ec3ad7300 · 2025-03-05T15:03:37.000+01:00
#11538
diff --git a/api/src/identity-access-management/domain/usecases/authenticate-oidc-user.usecase.js b/api/src/identity-access-management/domain/usecases/authenticate-oidc-user.usecase.js
@@ -77,6 +77,15 @@ async function authenticateOidcUser({
     authenticationMethodRepository,
   });
 
+  await _updateUserLastConnection({
+    user,
+    requestedApplication,
+    oidcAuthenticationService,
+    authenticationMethodRepository,
+    lastUserApplicationConnectionsRepository,
+    userLoginRepository,
+  });
+
   const pixAccessToken = oidcAuthenticationService.createAccessToken({ userId: user.id, audience });
 
   let logoutUrlUUID;
@@ -87,18 +96,23 @@ async function authenticateOidcUser({
     });
   }
 
-  await userLoginRepository.updateLastLoggedAt({ userId: user.id });
-  await lastUserApplicationConnectionsRepository.upsert({
-    userId: user.id,
-    application: requestedApplication.applicationName,
-    lastLoggedAt: new Date(),
-  });
-
   return { pixAccessToken, logoutUrlUUID, isAuthenticationComplete: true };
 }
 
 export { authenticateOidcUser };
 
+async function _assertUserHasAccessToApplication({ requestedApplication, user, adminMemberRepository }) {
+  if (requestedApplication.isPixAdmin) {
+    const adminMember = await adminMemberRepository.get({ userId: user.id });
+    if (!adminMember?.hasAccessToAdminScope) {
+      throw new ForbiddenAccess(
+        'User does not have the rights to access the application',
+        'PIX_ADMIN_ACCESS_NOT_ALLOWED',
+      );
+    }
+  }
+}
+
 async function _updateAuthenticationMethodWithComplement({
   userInfo,
   userId,
@@ -111,21 +125,29 @@ async function _updateAuthenticationMethodWithComplement({
     sessionContent,
   });
 
-  return await authenticationMethodRepository.updateAuthenticationComplementByUserIdAndIdentityProvider({
+  await authenticationMethodRepository.updateAuthenticationComplementByUserIdAndIdentityProvider({
     authenticationComplement,
     userId,
     identityProvider: oidcAuthenticationService.identityProvider,
   });
 }
 
-async function _assertUserHasAccessToApplication({ requestedApplication, user, adminMemberRepository }) {
-  if (requestedApplication.isPixAdmin) {
-    const adminMember = await adminMemberRepository.get({ userId: user.id });
-    if (!adminMember?.hasAccessToAdminScope) {
-      throw new ForbiddenAccess(
-        'User does not have the rights to access the application',
-        'PIX_ADMIN_ACCESS_NOT_ALLOWED',
-      );
-    }
-  }
+async function _updateUserLastConnection({
+  user,
+  requestedApplication,
+  oidcAuthenticationService,
+  authenticationMethodRepository,
+  lastUserApplicationConnectionsRepository,
+  userLoginRepository,
+}) {
+  await userLoginRepository.updateLastLoggedAt({ userId: user.id });
+  await lastUserApplicationConnectionsRepository.upsert({
+    userId: user.id,
+    application: requestedApplication.applicationName,
+    lastLoggedAt: new Date(),
+  });
+  await authenticationMethodRepository.updateLastLoggedAtByIdentityProvider({
+    userId: user.id,
+    identityProvider: oidcAuthenticationService.identityProvider,
+  });
 }
diff --git a/api/src/identity-access-management/domain/usecases/create-oidc-user.usecase.js b/api/src/identity-access-management/domain/usecases/create-oidc-user.usecase.js
@@ -73,21 +73,43 @@ async function createOidcUser({
     authenticationMethodRepository,
   });
 
+  await _updateUserLastConnection({
+    userId,
+    requestedApplication,
+    oidcAuthenticationService,
+    authenticationMethodRepository,
+    lastUserApplicationConnectionsRepository,
+    userLoginRepository,
+  });
+
   const accessToken = oidcAuthenticationService.createAccessToken({ userId, audience });
 
   let logoutUrlUUID;
   if (oidcAuthenticationService.shouldCloseSession) {
     logoutUrlUUID = await oidcAuthenticationService.saveIdToken({ idToken: sessionContent.idToken, userId });
   }
 
+  return { accessToken, logoutUrlUUID };
+}
+
+export { createOidcUser };
+
+async function _updateUserLastConnection({
+  userId,
+  requestedApplication,
+  oidcAuthenticationService,
+  authenticationMethodRepository,
+  lastUserApplicationConnectionsRepository,
+  userLoginRepository,
+}) {
   await userLoginRepository.updateLastLoggedAt({ userId });
   await lastUserApplicationConnectionsRepository.upsert({
     userId,
     application: requestedApplication.applicationName,
     lastLoggedAt: new Date(),
   });
-
-  return { accessToken, logoutUrlUUID };
+  await authenticationMethodRepository.updateLastLoggedAtByIdentityProvider({
+    userId,
+    identityProvider: oidcAuthenticationService.identityProvider,
+  });
 }
-
-export { createOidcUser };
diff --git a/api/src/identity-access-management/domain/usecases/reconcile-oidc-user-for-admin.usecase.js b/api/src/identity-access-management/domain/usecases/reconcile-oidc-user-for-admin.usecase.js
@@ -64,15 +64,17 @@ export const reconcileOidcUserForAdmin = async function ({
     }),
   });
 
-  const accessToken = await oidcAuthenticationService.createAccessToken({ userId, audience });
-
-  await userLoginRepository.updateLastLoggedAt({ userId });
-  await lastUserApplicationConnectionsRepository.upsert({
+  await _updateUserLastConnection({
     userId,
-    application: requestedApplication.applicationName,
-    lastLoggedAt: new Date(),
+    requestedApplication,
+    oidcAuthenticationService,
+    authenticationMethodRepository,
+    lastUserApplicationConnectionsRepository,
+    userLoginRepository,
   });
 
+  const accessToken = await oidcAuthenticationService.createAccessToken({ userId, audience });
+
   return accessToken;
 };
 
@@ -94,3 +96,23 @@ async function _assertExternalIdentifier({
     throw new DifferentExternalIdentifierError();
   }
 }
+
+async function _updateUserLastConnection({
+  userId,
+  requestedApplication,
+  oidcAuthenticationService,
+  authenticationMethodRepository,
+  lastUserApplicationConnectionsRepository,
+  userLoginRepository,
+}) {
+  await userLoginRepository.updateLastLoggedAt({ userId });
+  await lastUserApplicationConnectionsRepository.upsert({
+    userId,
+    application: requestedApplication.applicationName,
+    lastLoggedAt: new Date(),
+  });
+  await authenticationMethodRepository.updateLastLoggedAtByIdentityProvider({
+    userId,
+    identityProvider: oidcAuthenticationService.identityProvider,
+  });
+}
diff --git a/api/src/identity-access-management/domain/usecases/reconcile-oidc-user.usecase.js b/api/src/identity-access-management/domain/usecases/reconcile-oidc-user.usecase.js
@@ -60,6 +60,15 @@ export const reconcileOidcUser = async function ({
     }),
   });
 
+  await _updateUserLastConnection({
+    userId,
+    requestedApplication,
+    oidcAuthenticationService,
+    authenticationMethodRepository,
+    lastUserApplicationConnectionsRepository,
+    userLoginRepository,
+  });
+
   const accessToken = await oidcAuthenticationService.createAccessToken({ userId, audience });
 
   let logoutUrlUUID;
@@ -70,12 +79,25 @@ export const reconcileOidcUser = async function ({
     });
   }
 
+  return { accessToken, logoutUrlUUID };
+};
+
+async function _updateUserLastConnection({
+  userId,
+  requestedApplication,
+  oidcAuthenticationService,
+  authenticationMethodRepository,
+  lastUserApplicationConnectionsRepository,
+  userLoginRepository,
+}) {
   await userLoginRepository.updateLastLoggedAt({ userId });
   await lastUserApplicationConnectionsRepository.upsert({
     userId,
     application: requestedApplication.applicationName,
     lastLoggedAt: new Date(),
   });
-
-  return { accessToken, logoutUrlUUID };
-};
+  await authenticationMethodRepository.updateLastLoggedAtByIdentityProvider({
+    userId,
+    identityProvider: oidcAuthenticationService.identityProvider,
+  });
+}
diff --git a/api/tests/identity-access-management/unit/domain/usecases/authenticate-oidc-user.usecase.test.js b/api/tests/identity-access-management/unit/domain/usecases/authenticate-oidc-user.usecase.test.js
@@ -36,6 +36,7 @@ describe('Unit | Identity Access Management | Domain | UseCase | authenticate-oi
       };
       authenticationMethodRepository = {
         updateAuthenticationComplementByUserIdAndIdentityProvider: sinon.stub(),
+        updateLastLoggedAtByIdentityProvider: sinon.stub(),
       };
       authenticationSessionService = {
         save: sinon.stub(),
@@ -294,6 +295,15 @@ describe('Unit | Identity Access Management | Domain | UseCase | authenticate-oi
             userId: 10,
             identityProvider: oidcAuthenticationService.identityProvider,
           });
+          expect(authenticationMethodRepository.updateLastLoggedAtByIdentityProvider).to.have.been.calledWithExactly({
+            userId: 10,
+            identityProvider: oidcAuthenticationService.identityProvider,
+          });
+          expect(lastUserApplicationConnectionsRepository.upsert).to.have.been.calledWithExactly({
+            userId: 10,
+            application: 'app',
+            lastLoggedAt: sinon.match.instanceOf(Date),
+          });
         });
       });
 
@@ -331,6 +341,15 @@ describe('Unit | Identity Access Management | Domain | UseCase | authenticate-oi
             userId: 10,
             identityProvider: oidcAuthenticationService.identityProvider,
           });
+          expect(authenticationMethodRepository.updateLastLoggedAtByIdentityProvider).to.have.been.calledWithExactly({
+            userId: 10,
+            identityProvider: oidcAuthenticationService.identityProvider,
+          });
+          expect(lastUserApplicationConnectionsRepository.upsert).to.have.been.calledWithExactly({
+            userId: 10,
+            application: 'app',
+            lastLoggedAt: sinon.match.instanceOf(Date),
+          });
         });
       });
     });
@@ -365,6 +384,7 @@ describe('Unit | Identity Access Management | Domain | UseCase | authenticate-oi
       };
       authenticationMethodRepository = {
         updateAuthenticationComplementByUserIdAndIdentityProvider: sinon.stub(),
+        updateLastLoggedAtByIdentityProvider: sinon.stub(),
       };
 
       authenticationSessionService = {
@@ -416,6 +436,15 @@ describe('Unit | Identity Access Management | Domain | UseCase | authenticate-oi
           userId: 1,
           identityProvider: oidcAuthenticationService.identityProvider,
         });
+        expect(authenticationMethodRepository.updateLastLoggedAtByIdentityProvider).to.have.been.calledWithExactly({
+          userId: 1,
+          identityProvider: oidcAuthenticationService.identityProvider,
+        });
+        expect(lastUserApplicationConnectionsRepository.upsert).to.have.been.calledWithExactly({
+          userId: 1,
+          application: 'app',
+          lastLoggedAt: sinon.match.instanceOf(Date),
+        });
       });
 
       it('returns an access token, the logout url uuid and update the last logged date with the existing external user id', async function () {
@@ -496,6 +525,15 @@ describe('Unit | Identity Access Management | Domain | UseCase | authenticate-oi
           userId: 10,
           identityProvider: oidcAuthenticationService.identityProvider,
         });
+        expect(authenticationMethodRepository.updateLastLoggedAtByIdentityProvider).to.have.been.calledWithExactly({
+          userId: 10,
+          identityProvider: oidcAuthenticationService.identityProvider,
+        });
+        expect(lastUserApplicationConnectionsRepository.upsert).to.have.been.calledWithExactly({
+          userId: 10,
+          application: 'app',
+          lastLoggedAt: sinon.match.instanceOf(Date),
+        });
       });
     });
   });
diff --git a/api/tests/identity-access-management/unit/domain/usecases/create-oidc-user.usecase.test.js b/api/tests/identity-access-management/unit/domain/usecases/create-oidc-user.usecase.test.js
@@ -19,6 +19,7 @@ describe('Unit | Identity Access Management | Domain | UseCase | create-oidc-use
 
     authenticationMethodRepository = {
       findOneByExternalIdentifierAndIdentityProvider: sinon.stub(),
+      updateLastLoggedAtByIdentityProvider: sinon.stub(),
     };
 
     authenticationSessionService = {
@@ -148,12 +149,21 @@ describe('Unit | Identity Access Management | Domain | UseCase | create-oidc-use
       userToCreateRepository,
       authenticationMethodRepository,
     });
-    sinon.assert.calledOnce(oidcAuthenticationService.createAccessToken);
-    sinon.assert.calledOnce(oidcAuthenticationService.saveIdToken);
-    sinon.assert.calledOnceWithExactly(userLoginRepository.updateLastLoggedAt, { userId: 10 });
+    expect(oidcAuthenticationService.createAccessToken).to.have.been.calledOnce;
+    expect(oidcAuthenticationService.saveIdToken).to.have.been.calledOnce;
+    expect(userLoginRepository.updateLastLoggedAt).to.have.been.calledWithExactly({ userId: 10 });
     expect(result).to.deep.equal({
       accessToken: 'accessTokenForExistingExternalUser',
       logoutUrlUUID: 'logoutUrlUUID',
     });
+    expect(authenticationMethodRepository.updateLastLoggedAtByIdentityProvider).to.have.been.calledWithExactly({
+      userId: 10,
+      identityProvider: oidcAuthenticationService.identityProvider,
+    });
+    expect(lastUserApplicationConnectionsRepository.upsert).to.have.been.calledWithExactly({
+      userId: 10,
+      application: 'app',
+      lastLoggedAt: sinon.match.instanceOf(Date),
+    });
   });
 });
diff --git a/api/tests/identity-access-management/unit/domain/usecases/reconcile-oidc-user-for-admin.usecase.test.js b/api/tests/identity-access-management/unit/domain/usecases/reconcile-oidc-user-for-admin.usecase.test.js
@@ -19,7 +19,11 @@ describe('Unit | Identity Access Management | Domain | UseCase | reconcile-oidc-
   const requestedApplication = new RequestedApplication('admin');
 
   beforeEach(function () {
-    authenticationMethodRepository = { create: sinon.stub(), findOneByUserIdAndIdentityProvider: sinon.stub() };
+    authenticationMethodRepository = {
+      create: sinon.stub(),
+      findOneByUserIdAndIdentityProvider: sinon.stub(),
+      updateLastLoggedAtByIdentityProvider: sinon.stub(),
+    };
     userRepository = { getByEmail: sinon.stub() };
     userLoginRepository = { updateLastLoggedAt: sinon.stub() };
     authenticationSessionService = { getByKey: sinon.stub() };
@@ -144,7 +148,7 @@ describe('Unit | Identity Access Management | Domain | UseCase | reconcile-oidc-
     expect(result).to.equal('accessToken');
   });
 
-  it('saves the last user application connection', async function () {
+  it('saves the last user connection', async function () {
     // given
     const email = 'anne@example.net';
     const externalIdentifier = 'external_id';
@@ -182,6 +186,10 @@ describe('Unit | Identity Access Management | Domain | UseCase | reconcile-oidc-
       application: 'admin',
       lastLoggedAt: sinon.match.instanceOf(Date),
     });
+    expect(authenticationMethodRepository.updateLastLoggedAtByIdentityProvider).to.be.calledWithMatch({
+      userId,
+      identityProvider: oidcAuthenticationService.identityProvider,
+    });
   });
 
   context('when authentication key is expired', function () {
diff --git a/api/tests/identity-access-management/unit/domain/usecases/reconcile-oidc-user.usecase.test.js b/api/tests/identity-access-management/unit/domain/usecases/reconcile-oidc-user.usecase.test.js
