feat: add audit trail for sign_in and sign_out (#7158)

* feat: add audit_trail for sign_in event * chore: ignore unrelated User model columns for auditing * chore: fix prepend call for webhook/automation rule * chore: add spec for sign_in event * chore: refactor sign_in auditlog method to enterprise namespace * feat: add sign_out audit trail * feat: review comments
2023-05-25 14:27:30 +05:30
parent 88cef88d80
commit 123fc73394
8 changed files with 98 additions and 3 deletions
--- a/spec/enterprise/controllers/enterprise/devise_overrides/session_controller_spec.rb
+++ b/spec/enterprise/controllers/enterprise/devise_overrides/session_controller_spec.rb
@@ -0,0 +1,53 @@
+require 'rails_helper'
+
+RSpec.describe 'Enterprise Audit API', type: :request do
+  let!(:account) { create(:account) }
+  let!(:user) { create(:user, password: 'Password1!', account: account) }
+
+  describe 'POST /sign_in' do
+    it 'creates a sign_in audit event wwith valid credentials' do
+      params = { email: user.email, password: 'Password1!' }
+
+      expect do
+        post new_user_session_url,
+             params: params,
+             as: :json
+      end.to change(Enterprise::AuditLog, :count).by(1)
+
+      expect(response).to have_http_status(:success)
+      expect(response.body).to include(user.email)
+
+      # Check if the sign_in event is created
+      user.reload
+      expect(user.audits.last.action).to eq('sign_in')
+      expect(user.audits.last.associated_id).to eq(account.id)
+      expect(user.audits.last.associated_type).to eq('Account')
+    end
+
+    it 'will not create a sign_in audit event with invalid credentials' do
+      params = { email: user.email, password: 'invalid' }
+      expect do
+        post new_user_session_url,
+             params: params,
+             as: :json
+      end.not_to change(Enterprise::AuditLog, :count)
+    end
+  end
+
+  describe 'DELETE /sign_out' do
+    context 'when it is an authenticated user' do
+      it 'signs out the user and creates an audit event' do
+        expect do
+          delete '/auth/sign_out', headers: user.create_new_auth_token
+        end.to change(Enterprise::AuditLog, :count).by(1)
+        expect(response).to have_http_status(:success)
+
+        user.reload
+
+        expect(user.audits.last.action).to eq('sign_out')
+        expect(user.audits.last.associated_id).to eq(account.id)
+        expect(user.audits.last.associated_type).to eq('Account')
+      end
+    end
+  end
+end