Log successful and failed login attempts in a separate log file

We log the login parameter and the request IP address. Quoting the ENS: > [op.acc.5.r5.1] Se registrarán los accesos con éxito y los fallidos.
2023-04-20 13:24:15 +02:00
parent 2aff3b73f9
commit b7073691f1
6 changed files with 143 additions and 0 deletions
--- a/spec/controllers/users/sessions_controller_spec.rb
+++ b/spec/controllers/users/sessions_controller_spec.rb
@@ -22,4 +22,51 @@ describe Users::SessionsController do
      end
    end
  end
+
+  describe "access logs" do
+    context "when feature is enabled" do
+      before { allow(Rails.application.config).to receive(:authentication_logs).and_return(true) }
+
+      it "when a sign in process succeeds it calls the authentication logger" do
+        message = "The user citizen@consul.org with IP address: 0.0.0.0 successfully signed in."
+        expect(AuthenticationLogger).to receive(:log).with(message)
+
+        post :create, params: { user: { login: "citizen@consul.org", password: "12345678" }}
+      end
+
+      it "when a sign in process fails it calls the authentication logger" do
+        message = "The user citizen@consul.org with IP address: 0.0.0.0 failed to sign in."
+        expect(AuthenticationLogger).to receive(:log).with(message)
+
+        post :create, params: { user: { login: "citizen@consul.org", password: "wrong" }}
+      end
+
+      it "when maximum attempts is reached it tracks the user account lock" do
+        allow(User).to receive(:maximum_attempts).and_return(1)
+        message_1 = "The user citizen@consul.org with IP address: 0.0.0.0 failed to sign in."
+        message_2 = "The user citizen@consul.org with IP address: 0.0.0.0 reached maximum attempts " \
+                    "and it's temporarily locked."
+        expect(AuthenticationLogger).to receive(:log).once.with(message_1)
+        expect(AuthenticationLogger).to receive(:log).once.with(message_2)
+
+        post :create, params: { user: { login: "citizen@consul.org", password: "wrong" }}
+      end
+    end
+
+    context "when feature is disabled" do
+      before { allow(Rails.application.config).to receive(:authentication_logs).and_return(false) }
+
+      it "when a sign in process succeeds it does not call the authentication logger" do
+        expect(AuthenticationLogger).not_to receive(:log)
+
+        post :create, params: { user: { login: "citizen@consul.org", password: "12345678" }}
+      end
+
+      it "when a sign in process fails it does not call the authentication logger" do
+        expect(AuthenticationLogger).not_to receive(:log)
+
+        post :create, params: { user: { login: "citizen@consul.org", password: "wrong" }}
+      end
+    end
+  end
 end