Feature getodk/central#1104: Added lastLoginAt field

Author: sadiqkhoja

docs/api.yaml

@@ -45,6 +45,9 @@ info:
     **Added**:
     - New endpoint [GET /projects/:id/datasets/:name/entities/creators](/central-api-entity-management/#entities-creators) to retrieve a list of all Actors who have created Entities in a Dataset, sorted by display name.
 
+    **Changed**:
+    - [GET /users](/central-api-accounts-and-users/#listing-users) and [GET /users/:actorId](/central-api-accounts-and-users/#getting-user-details) now include `lastLoginAt` field.
+
     ## ODK Central v2025.2
 
     **Added**:
@@ -12183,6 +12186,12 @@ components:
               type: string
               description: The email address of the user
               example:
+            lastLoginAt:
+              type: string
+              format: date-time
+              nullable: true
+              description: The timestamp of when the user last logged in. Will be null if the user has never logged in.
+              example: "2025-01-15T10:30:00.000Z"
     AppUser:
       allOf: 
         - $ref: '#/components/schemas/Actor'

lib/http/sessions.js

@@ -16,14 +16,15 @@ const HTTPS_ENABLED = config.get('default.env.domain').startsWith('https://');
 // See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#__host-
 const SESSION_COOKIE = HTTPS_ENABLED ? '__Host-session' : 'session';
 
-const createUserSession = ({ Audits, Sessions }, headers, user) => Promise.all([
+const createUserSession = ({ Audits, Sessions, Users }, headers, user) => Promise.all([
   Sessions.create(user.actor),
   // Logging here rather than defining Sessions.create.audit, because
   // Sessions.create.audit would require auth. Logging here also makes
   // it easy to access `headers`.
   Audits.log(user.actor, 'user.session.create', user.actor, {
     userAgent: headers['user-agent']
-  })
+  }),
+  Users.updateLastLoginAt(user)
 ])
   .then(([ session ]) => (_, response) => {
     response.cookie(SESSION_COOKIE, session.token, {

lib/model/frames.js

@@ -198,7 +198,7 @@ Submission.Attachment = class extends Frame.define(
 class User extends Frame.define(
   table('users'), aux(Actor),
   'actorId',                            'password',
-  'email',      readable, writable,
+  'email',      readable, writable,     'lastLoginAt', readable,
   species('user')
 ) {
   forV1OnlyCopyEmailToDisplayName() {

lib/model/migrations/20250910-01-add-last-login-at-column.js

@@ -0,0 +1,16 @@
+// Copyright 2025 ODK Central Developers
+// See the NOTICE file at the top-level directory of this distribution and at
+// https://github.com/getodk/central-backend/blob/master/NOTICE.
+// This file is part of ODK Central. It is subject to the license terms in
+// the LICENSE file found in the top-level directory of this distribution and at
+// https://www.apache.org/licenses/LICENSE-2.0. No part of ODK Central,
+// including this file, may be copied, modified, propagated, or distributed
+// except according to the terms contained in the LICENSE file.
+//
+const up = (db) =>
+  db.raw('ALTER TABLE users ADD COLUMN "lastLoginAt" TIMESTAMP(3)');
+
+const down = (db) =>
+  db.raw('ALTER TABLE users DROP COLUMN "lastLoginAt"');
+
+module.exports = { up, down };

lib/model/migrations/20250910-02-backfill-last-login-at.js

@@ -0,0 +1,29 @@
+// Copyright 2025 ODK Central Developers
+// See the NOTICE file at the top-level directory of this distribution and at
+// https://github.com/getodk/central-backend/blob/master/NOTICE.
+// This file is part of ODK Central. It is subject to the license terms in
+// the LICENSE file found in the top-level directory of this distribution and at
+// https://www.apache.org/licenses/LICENSE-2.0. No part of ODK Central,
+// including this file, may be copied, modified, propagated, or distributed
+// except according to the terms contained in the LICENSE file.
+//
+const up = (db) =>
+  db.raw(`
+    UPDATE users 
+    SET "lastLoginAt" = latest_login."loggedAt"
+    FROM (
+      SELECT 
+        "actorId",
+        MAX("loggedAt") as "loggedAt"
+      FROM audits 
+      WHERE action = 'user.session.create' 
+        AND "actorId" IS NOT NULL
+      GROUP BY "actorId"
+    ) AS latest_login
+    WHERE users."actorId" = latest_login."actorId";
+  `);
+
+const down = (db) =>
+  db.raw(`UPDATE users SET "lastLoginAt" = NULL;`);
+
+module.exports = { up, down };

lib/model/query/users.js

@@ -46,6 +46,9 @@ invalidatePassword.audit = (user) => (log) => log('user.update', user.actor, {
   data: { password: null }
 });
 
+const updateLastLoginAt = (user) => ({ run }) =>
+  run(sql`UPDATE users SET "lastLoginAt"=clock_timestamp() WHERE "actorId"=${user.actor.id}`);
+
 const provisionPasswordResetToken = (user) => ({ Actors, Assignments, Sessions }) => {
   const expiresAt = new Date();
   expiresAt.setDate(expiresAt.getDate() + 1);
@@ -89,6 +92,6 @@ module.exports = {
   create, update,
   updatePassword, invalidatePassword, provisionPasswordResetToken,
   getAll, getByEmail, getByActorId,
-  emailEverExisted
+  emailEverExisted, updateLastLoginAt
 };
 

lib/resources/sessions.js

@@ -38,7 +38,7 @@ module.exports = (service, endpoint, anonymousEndpoint) => {
             (verified) => (verified !== true),
             noargs(Problem.user.authenticationFailed)
           ))
-          .then(() => createUserSession({ Audits, Sessions }, headers, user)));
+          .then(() => createUserSession({ Audits, Sessions, Users }, headers, user)));
     }));
   }
 

test/assertions.js

@@ -97,7 +97,7 @@ should.Assertion.add('User', function() {
   this.params = { operator: 'to be a User' };
 
   this.obj.should.be.an.Actor();
-  Object.keys(this.obj).should.containDeep([ 'email' ]);
+  Object.keys(this.obj).should.containDeep([ 'email', 'lastLoginAt' ]);
   this.obj.email.should.be.a.String();
 });
 

test/db-migrations/20250910-02-backfill-last-login-at.spec.js

@@ -0,0 +1,50 @@
+const { assertTableContents, describeMigration, rowsExistFor } = require('./utils');
+
+describeMigration('20250910-02-backfill-last-login-at', ({ runMigrationBeingTested }) => {
+  before(async () => {
+    // Set up test data: create actors, users, and audit records
+    await rowsExistFor('actees',
+      { id: 'actee1', species: 'user' },
+      { id: 'actee2', species: 'user' },
+      { id: 'actee3', species: 'user' }
+    );
+
+    await rowsExistFor('actors',
+      { id: 1, type: 'user', acteeId: 'actee1', displayName: 'Alice', createdAt: new Date('2025-01-01T10:00:00Z') },
+      { id: 2, type: 'user', acteeId: 'actee2', displayName: 'Bob', createdAt: new Date('2025-01-01T11:00:00Z') },
+      { id: 3, type: 'user', acteeId: 'actee3', displayName: 'Charlie', createdAt: new Date('2025-01-01T12:00:00Z') }
+    );
+
+    await rowsExistFor('users',
+      { actorId: 1, email: '[email protected]', lastLoginAt: null },
+      { actorId: 2, email: '[email protected]', lastLoginAt: null },
+      { actorId: 3, email: '[email protected]', lastLoginAt: null }
+    );
+
+    // Create audit records - Alice has multiple logins, Bob has one, Charlie has none
+    await rowsExistFor('audits',
+      // Alice's login sessions (most recent should be picked)
+      { actorId: 1, action: 'user.session.create', acteeId: 'actee1', loggedAt: new Date('2025-01-10T10:00:00Z') },
+      { actorId: 1, action: 'user.session.create', acteeId: 'actee1', loggedAt: new Date('2025-01-15T14:30:00Z') },
+      { actorId: 1, action: 'user.session.create', acteeId: 'actee1', loggedAt: new Date('2025-01-12T09:15:00Z') },
+
+      // Bob's single login session
+      { actorId: 2, action: 'user.session.create', acteeId: 'actee2', loggedAt: new Date('2025-01-08T16:45:00Z') },
+    );
+
+    await runMigrationBeingTested();
+  });
+
+  it('should backfill lastLoginAt with most recent login timestamp for users with login history', async () => {
+    await assertTableContents('users',
+      // Alice should get her most recent login time (2025-01-15T14:30:00Z)
+      { actorId: 1, email: '[email protected]', lastLoginAt: 1736969400000 },
+
+      // Bob should get his only login time (2025-01-08T16:45:00Z)
+      { actorId: 2, email: '[email protected]', lastLoginAt: 1736372700000 },
+
+      // Charlie should remain null (never logged in)
+      { actorId: 3, email: '[email protected]', lastLoginAt: null }
+    );
+  });
+});

test/integration/api/audits.js

@@ -64,7 +64,8 @@ describe('/audits', () => {
               audits[0].details.should.eql({ data: {
                 actorId: david.actor.id,
                 email: '[email protected]',
-                password: null
+                password: null,
+                lastLoginAt: null
               } });
               audits[0].loggedAt.should.be.a.recentIsoDate();
 
@@ -127,7 +128,8 @@ describe('/audits', () => {
               audits[0].details.should.eql({ data: {
                 actorId: david.actor.id,
                 email: '[email protected]',
-                password: null
+                password: null,
+                lastLoginAt: null
               } });
               audits[0].loggedAt.should.be.a.recentIsoDate();