getlago · jdenquin · Feb 24, 2025 · Feb 24, 2025 · nudded · Feb 24, 2025
diff --git a/app/graphql/types/user_type.rb b/app/graphql/types/user_type.rb
@@ -14,6 +14,9 @@ class UserType < Types::BaseObject
     field :created_at, GraphQL::Types::ISO8601DateTime, null: false
     field :updated_at, GraphQL::Types::ISO8601DateTime, null: false
 
+    field :last_login_at, GraphQL::Types::ISO8601DateTime, null: true
+    field :last_login_method, Types::Users::LoginMethodEnum, null: true
+
     def memberships
       object.memberships.active.includes(:organization)
     end

diff --git a/app/graphql/types/users/login_method_enum.rb b/app/graphql/types/users/login_method_enum.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Types
+  module Users
+    class LoginMethodEnum < Types::BaseEnum
+      graphql_name "UserLoginMethod"
+
+      User::LOGIN_METHODS.each do |type|
+        value type
+      end
+    end
+  end
+end
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -4,6 +4,14 @@ class User < ApplicationRecord
   include PaperTrailTraceable
   has_secure_password
 
+  LOGIN_METHODS = [
+    :email,
+    :google,
+    :okta
+  ].freeze
+
+  enum :last_login_method, LOGIN_METHODS
+
   has_many :password_resets
 
   has_many :memberships
@@ -19,20 +27,26 @@ class User < ApplicationRecord
   has_many :subscriptions, through: :customers
 
   validates :email, presence: true
-  validates :password, presence: true
+  validates :password, presence: true, on: :create
 
   def can?(permission, organization:)
     memberships.find { |m| m.organization_id == organization.id }&.can?(permission)
   end
+
+  def touch_last_login!(method)
+    update!(last_login_method: method, last_login_at: Time.current)
+  end
 end
 
 # == Schema Information
 #
 # Table name: users
 #
-#  id              :uuid             not null, primary key
-#  email           :string
-#  password_digest :string
-#  created_at      :datetime         not null
-#  updated_at      :datetime         not null
+#  id                :uuid             not null, primary key
+#  email             :string
+#  last_login_at     :datetime
+#  last_login_method :integer
+#  password_digest   :string
+#  created_at        :datetime         not null
+#  updated_at        :datetime         not null
 #
diff --git a/app/services/auth/google_service.rb b/app/services/auth/google_service.rb
@@ -31,7 +31,9 @@ def login(code)
         return result.single_validation_failure!(error_code: "user_does_not_exist")
       end
 
-      UsersService.new.new_token(user)
+      result = UsersService.new.new_token(user)
+      user.touch_last_login!(:google)
+      result
     rescue Google::Auth::IDTokens::SignatureError
       result.single_validation_failure!(error_code: "invalid_google_token")
     rescue Signet::AuthorizationError
@@ -44,7 +46,7 @@ def register_user(code, organization_name)
 
       google_oidc = oidc_verifier(code:)
 
-      UsersService.new.register(google_oidc["email"], SecureRandom.hex, organization_name)
+      UsersService.new.register(google_oidc["email"], SecureRandom.hex, organization_name, method: :google)
     rescue Google::Auth::IDTokens::SignatureError
       result.single_validation_failure!(error_code: "invalid_google_token")
     rescue Signet::AuthorizationError
@@ -68,7 +70,8 @@ def accept_invite(code, invite_token)
         invite:,
         email: google_oidc["email"],
         token: invite_token,
-        password: SecureRandom.hex
+        password: SecureRandom.hex,
+        method: :google
       )
     rescue Google::Auth::IDTokens::SignatureError
       result.single_validation_failure!(error_code: "invalid_google_token")

diff --git a/app/services/auth/okta/accept_invite_service.rb b/app/services/auth/okta/accept_invite_service.rb
@@ -22,7 +22,8 @@ def call
           invite: result.invite,
           email: result.email,
           token: invite_token,
-          password: SecureRandom.hex
+          password: SecureRandom.hex,
+          method: :okta
         )
       rescue ValidationError => e
         result.single_validation_failure!(error_code: e.message)

diff --git a/app/services/auth/okta/login_service.rb b/app/services/auth/okta/login_service.rb
@@ -20,7 +20,9 @@ def call
         find_or_create_user
         find_or_create_membership
 
-        UsersService.new.new_token(result.user)
+        result.token = UsersService.new.new_token(result.user)
+        result.user.touch_last_login!(:okta)
+        result.token
       rescue ValidationError => e
         result.single_validation_failure!(error_code: e.message)
         result

diff --git a/app/services/invites/accept_service.rb b/app/services/invites/accept_service.rb
@@ -7,10 +7,9 @@ def call(**args)
       return result.not_found_failure!(resource: "invite") unless invite
 
       ActiveRecord::Base.transaction do
-        result = UsersService.new.register_from_invite(invite, args[:password])
+        result = UsersService.new.register_from_invite(invite, args[:password], method: args[:method])
 
         invite.recipient = result.membership
-
         invite.mark_as_accepted!
 
         result

diff --git a/app/services/users_service.rb b/app/services/users_service.rb
@@ -1,22 +1,25 @@
 # frozen_string_literal: true
 
 class UsersService < BaseService
-  def login(email, password)
+  def login(email, password, method: :email)
     result.user = User.find_by(email:)&.authenticate(password)
 
     unless result.user.present? && result.user.memberships&.active&.any?
       return result.single_validation_failure!(error_code: "incorrect_login_or_password")
     end
 
-    result.token = generate_token if result.user
+    if result.user
+      result.token = generate_token
+      result.user.touch_last_login!(method)
+    end
 
     # NOTE: We're tracking the first membership linked to the user.
     SegmentIdentifyJob.perform_later(membership_id: "membership/#{result.user.memberships.first.id}")
 
     result
   end
 
-  def register(email, password, organization_name)
+  def register(email, password, organization_name, method: :email)
     if ENV.fetch("LAGO_DISABLE_SIGNUP", "false") == "true"
       return result.not_allowed_failure!(code: "signup_disabled")
     end
@@ -42,17 +45,19 @@ def register(email, password, organization_name)
       )
 
       result.token = generate_token
+      result
     rescue ActiveRecord::RecordInvalid => e
       result.record_validation_failure!(record: e.record)
     end
 
     SegmentIdentifyJob.perform_later(membership_id: "membership/#{result.membership.id}")
     track_organization_registered(result.organization, result.membership)
 
+    result.user.touch_last_login!(method)
     result
   end
 
-  def register_from_invite(invite, password)
+  def register_from_invite(invite, password, method: :email)
     ActiveRecord::Base.transaction do
       result.user = User.find_or_create_by!(email: invite.email) { |u| u.password = password }
       result.organization = invite.organization
@@ -66,8 +71,10 @@ def register_from_invite(invite, password)
       result.token = generate_token
     rescue ActiveRecord::RecordInvalid => e
       result.record_validation_failure!(record: e.record)
+      return result
     end
 
+    result.user.touch_last_login!(method)
     result
   end
 

diff --git a/db/migrate/20250224095824_add_last_login_at_to_users.rb b/db/migrate/20250224095824_add_last_login_at_to_users.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class AddLastLoginAtToUsers < ActiveRecord::Migration[7.1]
+  def change
+    add_column :users, :last_login_at, :datetime, null: true
+    add_column :users, :last_login_method, :integer, null: true
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
diff --git a/schema.graphql b/schema.graphql
diff --git a/schema.json b/schema.json
diff --git a/spec/services/invites/accept_service_spec.rb b/spec/services/invites/accept_service_spec.rb
@@ -12,7 +12,8 @@
   let(:accept_args) do
     {
       token: invite.token,
-      password: "ILoveLago!"
+      password: "ILoveLago!",
+      method: :email
     }
   end