[FEATURE] Enregistrer dans Authentication Methods la date de dernière connexion Pix pour les méthodes de connexion Pix (PIX-16620)

 #11514

Author: pix-service-auto-merge

api/db/database-builder/factory/build-authentication-method.js

@@ -108,6 +108,7 @@ buildAuthenticationMethod.withPoleEmploiAsIdentityProvider = function ({
   userId,
   createdAt = new Date('2020-01-01'),
   updatedAt = new Date('2020-01-02'),
+  lastLoggedAt = null,
 } = {}) {
   userId = isUndefined(userId) ? buildUser().id : userId;
 
@@ -127,6 +128,7 @@ buildAuthenticationMethod.withPoleEmploiAsIdentityProvider = function ({
     userId,
     createdAt,
     updatedAt,
+    lastLoggedAt,
   };
   return databaseBuffer.pushInsertable({
     tableName: 'authentication-methods',
@@ -157,6 +159,7 @@ buildAuthenticationMethod.withOidcProviderAsIdentityProvider = function ({
     }),
     createdAt: new Date('2020-01-01'),
     updatedAt: new Date('2020-01-02'),
+    lastLoggedAt: null,
   };
   return databaseBuffer.pushInsertable({
     tableName: 'authentication-methods',
@@ -171,6 +174,7 @@ buildAuthenticationMethod.withIdentityProvider = function ({
   userId,
   createdAt = new Date('2020-01-01'),
   updatedAt = new Date('2020-01-02'),
+  lastLoggedAt = null,
 } = {}) {
   userId = isUndefined(userId) ? buildUser().id : userId;
 
@@ -185,6 +189,7 @@ buildAuthenticationMethod.withIdentityProvider = function ({
     userId,
     createdAt,
     updatedAt,
+    lastLoggedAt,
   };
   return databaseBuffer.pushInsertable({
     tableName: 'authentication-methods',

api/lib/domain/usecases/authenticate-external-user.js

@@ -57,7 +57,10 @@ async function authenticateExternalUser({
     const token = tokenService.createAccessTokenForSaml({ userId: userFromCredentials.id, audience });
 
     await userLoginRepository.updateLastLoggedAt({ userId: userFromCredentials.id });
-
+    await authenticationMethodRepository.updateLastLoggedAtByIdentityProvider({
+      userId: userFromCredentials.id,
+      identityProvider: NON_OIDC_IDENTITY_PROVIDERS.PIX.code,
+    });
     return token;
   } catch (error) {
     if (error instanceof UserNotFoundError || error instanceof PasswordNotMatching) {

api/src/identity-access-management/domain/models/AuthenticationMethod.js

@@ -80,6 +80,7 @@ const validationSchema = Joi.object({
   userId: Joi.number().integer().required(),
   createdAt: Joi.date().optional(),
   updatedAt: Joi.date().optional(),
+  lastLoggedAt: Joi.date().allow(null).optional(),
 });
 
 class AuthenticationMethod {
@@ -91,6 +92,7 @@ class AuthenticationMethod {
     createdAt,
     updatedAt,
     userId,
+    lastLoggedAt,
   } = {}) {
     this.id = id;
     this.identityProvider = identityProvider;
@@ -99,11 +101,20 @@ class AuthenticationMethod {
     this.createdAt = createdAt;
     this.updatedAt = updatedAt;
     this.userId = userId;
+    this.lastLoggedAt = lastLoggedAt;
 
     validateEntity(validationSchema, this);
   }
 
-  static buildPixAuthenticationMethod({ id, password, shouldChangePassword = false, createdAt, updatedAt, userId }) {
+  static buildPixAuthenticationMethod({
+    id,
+    password,
+    shouldChangePassword = false,
+    createdAt,
+    updatedAt,
+    userId,
+    lastLoggedAt,
+  }) {
     const authenticationComplement = new PixAuthenticationComplement({ password, shouldChangePassword });
     return new AuthenticationMethod({
       id,
@@ -113,6 +124,7 @@ class AuthenticationMethod {
       createdAt,
       updatedAt,
       userId,
+      lastLoggedAt,
     });
   }
 }

api/src/identity-access-management/domain/usecases/authenticate-user.js

@@ -1,5 +1,6 @@
 import { PIX_ADMIN, PIX_ORGA } from '../../../authorization/domain/constants.js';
 import { ForbiddenAccess, UserNotFoundError } from '../../../shared/domain/errors.js';
+import { NON_OIDC_IDENTITY_PROVIDERS } from '../constants/identity-providers.js';
 import { createWarningConnectionEmail } from '../emails/create-warning-connection.email.js';
 import { MissingOrInvalidCredentialsError, PasswordNotMatching, UserShouldChangePasswordError } from '../errors.js';
 import { RefreshToken } from '../models/RefreshToken.js';
@@ -15,6 +16,7 @@ const authenticateUser = async function ({
   tokenService,
   userRepository,
   userLoginRepository,
+  authenticationMethodRepository,
   adminMemberRepository,
   emailRepository,
   emailValidationDemandRepository,
@@ -47,7 +49,6 @@ const authenticateUser = async function ({
     if (foundUser.hasBeenModified) {
       await userRepository.update({ id: foundUser.id, locale: foundUser.locale });
     }
-
     const userLogin = await userLoginRepository.findByUserId(foundUser.id);
     if (foundUser.email && userLogin?.shouldSendConnectionWarning()) {
       const validationToken = !foundUser.emailConfirmedAt
@@ -64,6 +65,11 @@ const authenticateUser = async function ({
     }
     await userLoginRepository.updateLastLoggedAt({ userId: foundUser.id });
 
+    await authenticationMethodRepository.updateLastLoggedAtByIdentityProvider({
+      userId: foundUser.id,
+      identityProvider: NON_OIDC_IDENTITY_PROVIDERS.PIX.code,
+    });
+
     return { accessToken, refreshToken: refreshToken.value, expirationDelaySeconds };
   } catch (error) {
     if (error instanceof UserNotFoundError || error instanceof PasswordNotMatching) {

api/src/identity-access-management/infrastructure/repositories/authentication-method.repository.js

@@ -17,6 +17,7 @@ const COLUMNS = Object.freeze([
   'userId',
   'createdAt',
   'updatedAt',
+  'lastLoggedAt',
 ]);
 
 const create = async function ({ authenticationMethod }) {
@@ -123,6 +124,16 @@ const hasIdentityProviderPIX = async function ({ userId }) {
   return Boolean(authenticationMethodDTO);
 };
 
+const updateLastLoggedAtByIdentityProvider = async function ({ userId, identityProvider }) {
+  const knexConn = DomainTransaction.getConnection();
+  return knexConn(AUTHENTICATION_METHODS_TABLE)
+    .where({
+      userId,
+      identityProvider,
+    })
+    .update({ lastLoggedAt: new Date() });
+};
+
 const removeByUserIdAndIdentityProvider = async function ({ userId, identityProvider }) {
   return knex(AUTHENTICATION_METHODS_TABLE).where({ userId, identityProvider }).del();
 };
@@ -268,6 +279,7 @@ export {
   updateAuthenticationComplementByUserIdAndIdentityProvider,
   updateAuthenticationMethodUserId,
   updateExternalIdentifierByUserIdAndIdentityProvider,
+  updateLastLoggedAtByIdentityProvider,
   updatePassword,
 };
 

api/tests/identity-access-management/integration/infrastructure/repositories/authentication-method.repository.test.js

@@ -34,6 +34,7 @@ describe('Integration | Identity Access Management | Infrastructure | Repository
           'id',
           'createdAt',
           'updatedAt',
+          'lastLoggedAt',
         ]);
       });
 
@@ -794,6 +795,41 @@ describe('Integration | Identity Access Management | Infrastructure | Repository
     });
   });
 
+  describe('#updateLastLoggedAtByIdentityProvider', function () {
+    context('when authentication method is Pix', function () {
+      it('updates lastLoggedAt in database', async function () {
+        // given
+        const now = new Date('2021-01-02');
+        const createdAt = new Date('2020-01-02');
+        const clock = sinon.useFakeTimers({ now, toFake: ['Date'] });
+        const identityProvider = NON_OIDC_IDENTITY_PROVIDERS.PIX.code;
+        const userId = databaseBuilder.factory.buildUser().id;
+        await databaseBuilder.factory.buildAuthenticationMethod.withPixAsIdentityProviderAndHashedPassword({
+          userId: userId,
+          createdAt: createdAt,
+        });
+        await databaseBuilder.commit();
+
+        // when
+        await authenticationMethodRepository.updateLastLoggedAtByIdentityProvider({
+          userId,
+          identityProvider,
+        });
+
+        // then
+        const updatedAuthenticationMethod = await knex('authentication-methods')
+          .where({ userId: userId, identityProvider: identityProvider })
+          .first();
+
+        expect(updatedAuthenticationMethod).to.exist;
+        expect(updatedAuthenticationMethod.createdAt.toISOString()).to.equal(createdAt.toISOString());
+        expect(updatedAuthenticationMethod.lastLoggedAt.toISOString()).to.equal(now.toISOString());
+
+        clock.restore();
+      });
+    });
+  });
+
   describe('#findByUserId', function () {
     it("should return the user's authentication methods", async function () {
       // given

api/tests/identity-access-management/unit/domain/usecases/authenticate-user_test.js

@@ -1,4 +1,5 @@
 import { PIX_ADMIN, PIX_CERTIF, PIX_ORGA } from '../../../../../src/authorization/domain/constants.js';
+import { NON_OIDC_IDENTITY_PROVIDERS } from '../../../../../src/identity-access-management/domain/constants/identity-providers.js';
 import { createWarningConnectionEmail } from '../../../../../src/identity-access-management/domain/emails/create-warning-connection.email.js';
 import {
   MissingOrInvalidCredentialsError,
@@ -20,6 +21,7 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
   let adminMemberRepository;
   let pixAuthenticationService;
   let emailRepository;
+  let authenticationMethodRepository;
   let emailValidationDemandRepository;
   let clock;
 
@@ -46,6 +48,9 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
       updateLastLoggedAt: sinon.stub(),
       findByUserId: sinon.stub(),
     };
+    authenticationMethodRepository = {
+      updateLastLoggedAtByIdentityProvider: sinon.stub(),
+    };
     adminMemberRepository = {
       get: sinon.stub(),
     };
@@ -192,6 +197,7 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
           pixAuthenticationService,
           userRepository,
           userLoginRepository,
+          authenticationMethodRepository,
           adminMemberRepository,
           refreshTokenRepository,
           tokenService,
@@ -243,6 +249,7 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
             refreshTokenRepository,
             userRepository,
             userLoginRepository,
+            authenticationMethodRepository,
             audience,
           });
 
@@ -267,7 +274,6 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
     const audience = 'https://certif.pix.fr';
 
     pixAuthenticationService.getUserByUsernameAndPassword.resolves(user);
-
     const refreshToken = { value: 'jwt.refresh.token', userId: '456', scope, audience };
     sinon.stub(RefreshToken, 'generate').returns(refreshToken);
 
@@ -286,6 +292,7 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
       tokenService,
       userRepository,
       userLoginRepository,
+      authenticationMethodRepository,
       audience,
     });
 
@@ -307,7 +314,6 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
     const audience = 'https://certif.pix.fr';
 
     const user = domainBuilder.buildUser({ email: userEmail });
-
     pixAuthenticationService.getUserByUsernameAndPassword.resolves(user);
     tokenService.createAccessTokenFromUser
       .withArgs({ userId: user.id, source, audience })
@@ -324,11 +330,16 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
       tokenService,
       userRepository,
       userLoginRepository,
+      authenticationMethodRepository,
       audience,
     });
 
     // then
     expect(userLoginRepository.updateLastLoggedAt).to.have.been.calledWithExactly({ userId: user.id });
+    expect(authenticationMethodRepository.updateLastLoggedAtByIdentityProvider).to.have.been.calledWithExactly({
+      userId: user.id,
+      identityProvider: NON_OIDC_IDENTITY_PROVIDERS.PIX.code,
+    });
   });
 
   it('should rejects an error when given username (email) does not match an existing one', async function () {
@@ -413,6 +424,7 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
           tokenService,
           userRepository,
           userLoginRepository,
+          authenticationMethodRepository,
           emailRepository,
           emailValidationDemandRepository,
           audience,
@@ -459,6 +471,7 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
           tokenService,
           userRepository,
           userLoginRepository,
+          authenticationMethodRepository,
           emailRepository,
           audience,
         });
@@ -503,6 +516,7 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
         tokenService,
         userRepository,
         userLoginRepository,
+        authenticationMethodRepository,
         emailRepository,
         audience,
       });
@@ -577,6 +591,7 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
           tokenService,
           userRepository,
           userLoginRepository,
+          authenticationMethodRepository,
           audience,
         });
 
@@ -612,6 +627,7 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
             refreshTokenRepository,
             userRepository,
             userLoginRepository,
+            authenticationMethodRepository,
             audience,
           });
 
@@ -645,6 +661,7 @@ describe('Unit | Identity Access Management | Domain | UseCases | authenticate-u
             tokenService,
             userRepository,
             userLoginRepository,
+            authenticationMethodRepository,
             audience,
           });
 

api/tests/identity-access-management/unit/domain/usecases/get-saml-authentication-redirection-url_test.js

@@ -157,6 +157,7 @@ describe('Unit | UseCase | get-external-authentication-redirection-url', functio
           externalIdentifier: 'saml-id',
           createdAt: new Date('2020-01-01'),
           updatedAt: new Date('2020-02-01'),
+          lastLoggedAt: null,
         });
         userRepository.getBySamlId.withArgs('saml-id').resolves(user);
         authenticationMethodRepository.findOneByUserIdAndIdentityProvider
@@ -181,6 +182,7 @@ describe('Unit | UseCase | get-external-authentication-redirection-url', functio
           userFirstName: 'Vassili',
           userLastName: 'Lisitsa',
           externalIdentifier: 'saml-id',
+          lastLoggedAt: null,
         });
         expect(authenticationMethodRepository.update).to.have.been.calledWithExactly(expectedAuthenticationMethod);
       });

api/tests/shared/unit/domain/services/user-service_test.js

@@ -51,7 +51,7 @@ describe('Unit | Shared | Domain | Service | user-service', function () {
         hashedPassword,
       });
       userToCreateRepository.create.resolves(user);
-      const expectedAuthenticationMethod = omit(authenticationMethod, ['id', 'createdAt', 'updatedAt']);
+      const expectedAuthenticationMethod = omit(authenticationMethod, ['id', 'createdAt', 'updatedAt', 'lastLoggedAt']);
 
       //when
       await userService.createUserWithPassword({