fix: retrieve internal user id instead and pass it to the UserSignIn …

…audit log instead of using the Cognito sub id (#3266)
cds-snc · Feb 22, 2024 · 981336f · 981336f
1 parent 2c2985c
commit 981336f
Showing 1 changed file with 25 additions and 1 deletion.
diff --git a/pages/api/auth/[...nextauth].ts b/pages/api/auth/[...nextauth].ts
@@ -115,7 +115,31 @@ export const authOptions: NextAuthOptions = {
   adapter: PrismaAdapter(prisma),
   events: {
     async signIn({ user }) {
-      logEvent(user.id, { type: "User", id: user.id }, "UserSignIn");
+      if (!user.email) {
+        throw new Error(
+          "Could not produce UserSignIn audit log because of undefined email information"
+        );
+      }
+
+      const internalUser = await prisma.user.findUnique({
+        where: {
+          email: user.email,
+        },
+        select: {
+          id: true,
+        },
+      });
+
+      if (internalUser === null) {
+        throw new Error("Could not produce UserSignIn audit log because user does not exist");
+      }
+
+      logEvent(
+        internalUser.id,
+        { type: "User", id: internalUser.id },
+        "UserSignIn",
+        `Cognito user unique identifier (sub): ${user.id}`
+      );
     },
     async signOut({ token }) {
       logEvent(token.userId, { type: "User", id: token.userId }, "UserSignOut");