chore(security events): add the session.destroy security event

Because:
 - we want to know when a user signs out of a session

This commit:
 - adds the 'session.destroy' security event
 - updates the inactive account deletion script to query for the event

Author: chenba

packages/db-migrations/databases/fxa/patches/patch-161-162.sql

@@ -0,0 +1,7 @@
+SET NAMES utf8mb4 COLLATE utf8mb4_bin;
+
+CALL assertPatchLevel('161');
+
+INSERT INTO securityEventNames(name) VALUES ('session.destroy');
+
+UPDATE dbMetadata SET value = '162' WHERE name = 'schema-patch-level';

packages/db-migrations/databases/fxa/patches/patch-162-161.sql

@@ -0,0 +1,3 @@
+-- DELETE FROM securityEventNames WHERE name='session.destroy';
+
+-- UPDATE dbMetadata SET value = '161' WHERE name = 'schema-patch-level';

packages/db-migrations/databases/fxa/target-patch.json

@@ -1,3 +1,3 @@
 {
-  "level": 161
+  "level": 162
 }

packages/fxa-auth-server/lib/inactive-accounts/active-status.ts

@@ -60,6 +60,7 @@ export const securityEventsQuery = (uid, activeByDateTimestamp) =>
       EVENT_NAMES['account.login'],
       EVENT_NAMES['account.password_reset_success'],
       EVENT_NAMES['account.password_changed'],
+      EVENT_NAMES['session.destroy'],
     ])
     .limit(1)
     .first();

packages/fxa-auth-server/lib/routes/account.ts

@@ -584,11 +584,11 @@ export class AccountHandler {
       });
     }
 
-    await this.db.securityEvent({
-      ipAddr: request.app.clientAddress,
+    await this.accountEventsManager.recordSecurityEvent(this.db, {
       name: 'account.create',
-      tokenId: sessionToken.id,
       uid: account.uid,
+      ipAddr: request.app.clientAddress,
+      tokenId: sessionToken.id,
     });
 
     return this.accountCreateResponse({

packages/fxa-auth-server/lib/routes/session.js

@@ -4,6 +4,7 @@
 
 'use strict';
 
+const { Container } = require('typedi');
 const error = require('../error');
 const isA = require('joi');
 const requestHelper = require('../routes/utils/request_helper');
@@ -15,6 +16,7 @@ const NodeRendererBindings =
 const SESSION_DOCS = require('../../docs/swagger/session-api').default;
 const DESCRIPTION = require('../../docs/swagger/shared/descriptions').default;
 const HEX_STRING = validators.HEX_STRING;
+const { AccountEventsManager } = require('../account-events');
 
 module.exports = function (
   log,
@@ -41,6 +43,7 @@ module.exports = function (
   );
 
   const otpOptions = config.otp;
+  const accountEventsManager = Container.get(AccountEventsManager);
 
   const routes = [
     {
@@ -89,6 +92,12 @@ module.exports = function (
         }
 
         await db.deleteSessionToken(sessionToken);
+        await accountEventsManager.recordSecurityEvent(db, {
+          name: 'session.destroy',
+          uid,
+          ipAddr: request.app.clientAddress,
+          tokenId: sessionToken.id,
+        });
 
         return {};
       },

packages/fxa-auth-server/scripts/delete-inactive-accounts/lib.ts

@@ -37,6 +37,7 @@ export const securityEventUidsQuery = (activeByDateTimestamp) =>
       EVENT_NAMES['account.login'],
       EVENT_NAMES['account.password_reset_success'],
       EVENT_NAMES['account.password_changed'],
+      EVENT_NAMES['session.destroy'],
     ])
     .as('securityEventUids');
 

packages/fxa-auth-server/test/local/routes/session.js

@@ -13,6 +13,8 @@ const sinon = require('sinon');
 const otplib = require('otplib');
 const assert = require('../../assert');
 const gleanMock = mocks.mockGlean();
+const { Container } = require('typedi');
+const { AccountEventsManager } = require('../../../lib/account-events');
 
 const ROOT_DIR = '../../..';
 
@@ -65,6 +67,11 @@ function makeRoutes(options = {}) {
   const glean = options.glean || gleanMock;
   const statsd = options.statsd || mocks.mockStatsd();
 
+  Container.set(
+    AccountEventsManager,
+    options.accountEventsManager || { recordSecurityEvent: sinon.stub() }
+  );
+
   const Password =
     options.Password || require('../../../lib/crypto/password')(log, config);
   const customs = options.customs || {
@@ -715,12 +722,19 @@ describe('/session/destroy', () => {
   let request;
   let log;
   let db;
+  let securityEventStub;
 
   beforeEach(() => {
     db = mocks.mockDB();
     log = mocks.mockLog();
     const config = {};
-    const routes = makeRoutes({ log, config, db });
+    securityEventStub = sinon.stub();
+    const routes = makeRoutes({
+      log,
+      config,
+      db,
+      accountEventsManager: { recordSecurityEvent: securityEventStub },
+    });
     route = getRoute(routes, '/session/destroy');
     request = mocks.mockRequest({
       credentials: {
@@ -734,6 +748,12 @@ describe('/session/destroy', () => {
   it('responds correctly when session is destroyed', () => {
     return runTest(route, request).then((res) => {
       assert.equal(Object.keys(res).length, 0);
+      sinon.assert.calledOnceWithExactly(securityEventStub, db, {
+        name: 'session.destroy',
+        uid: 'foo',
+        ipAddr: '63.245.221.32',
+        tokenId: undefined,
+      });
     });
   });
 

packages/fxa-shared/db/models/auth/security-event.ts

@@ -37,6 +37,7 @@ export const EVENT_NAMES = {
   'account.primary_secondary_swapped': 23,
   'account.password_reset_otp_sent': 24,
   'account.password_reset_otp_verified': 25,
+  'session.destroy': 26,
 } as const;
 
 export type SecurityEventNames = keyof typeof EVENT_NAMES;