feat(auth): wire login events into OAuth login helper

- Record success login event with risk scoring after OAuth token issuance - Import login-events repo + risk-scorer into oauth/routes - Best-effort recording — never blocks OAuth login flow
2026-03-12 11:19:11 -07:00 · 2026-03-12 11:19:11 -07:00 · 0f4be0c325
commit 0f4be0c325
parent 82d7f157d9
1 changed files with 33 additions and 0 deletions
--- a/services/platform-service/src/modules/auth/oauth/routes.ts
+++ b/services/platform-service/src/modules/auth/oauth/routes.ts
@ -23,6 +23,8 @@ import { OAuthGoogleSchema, OAuthMicrosoftSchema, OAuthAppleSchema } from './typ
 import type { UserDoc, AuthProviderDoc } from '../types.js';
 import * as subscriptionRepo from '../../subscriptions/repository.js';
 import * as licenseRepo from '../../licenses/repository.js';
+import * as loginEventRepo from '../login-events/repository.js';
+import { scoreLoginRisk } from '../login-events/risk-scorer.js';

 export async function oauthRoutes(app: FastifyInstance) {
  // ── Shared OAuth login helper ─────────────────────────────
@ -176,6 +178,37 @@ export async function oauthRoutes(app: FastifyInstance) {
    });
    const refreshToken = await jwt.createRefreshToken({ sub: user.id, productId });

+    // Record OAuth login event (best-effort)
+    const ip = req.ip || 'unknown';
+    const method = `oauth_${provider}` as 'oauth_google' | 'oauth_microsoft' | 'oauth_apple';
+    try {
+      const recentFailures = await loginEventRepo.countRecentFailures(user.id, 15 * 60 * 1000);
+      const risk = scoreLoginRisk({
+        ip,
+        isNewIp: true,
+        isNewDevice: true,
+        isDeviceTrusted: false,
+        recentFailures,
+        method,
+        hourOfDay: new Date().getHours(),
+      });
+      await loginEventRepo.record({
+        id: `le_${crypto.randomUUID()}`,
+        userId: user.id,
+        productId,
+        result: 'success',
+        method,
+        riskLevel: risk.level,
+        riskScore: risk.score,
+        ip,
+        userAgent: req.headers['user-agent'] as string | undefined,
+        riskFlags: risk.flags,
+        createdAt: new Date().toISOString(),
+      });
+    } catch {
+      /* best-effort */
+    }
+
    return {
      accessToken,
      refreshToken,