You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This fix closes the gap between explicit OAuth callback logins and real authenticated usage. Previously, activity tracking only recorded `user_login` when the `/getAToken` callback completed. Users who arrived with an already-authenticated session or seamless SSO reuse could browse the app without creating the login-style activity that the Control Center and profile dashboards rely on.
8
+
9
+
Version implemented:
10
+
`config.py` now reports `VERSION = "0.241.130"` for this fix.
11
+
12
+
## Issue Description
13
+
14
+
- Login analytics depended on an explicit callback event rather than the broader fact that the user had an authenticated browser session.
15
+
- Passive SSO or session reuse could authenticate the user successfully but leave login metrics empty or understated.
16
+
- Simply logging every authenticated request would have created noisy over-counting, especially for API-heavy pages.
17
+
18
+
## Root Cause
19
+
20
+
- The application treated `user_login` as a one-time OAuth callback event instead of a reusable authenticated-session signal.
21
+
- The authenticated request pipeline had no throttled activity writer for browser page access.
22
+
- The explicit callback flow had no session marker to prevent a duplicate login record on the immediate redirect to the landing page.
23
+
24
+
## Technical Changes
25
+
26
+
### Throttled Authenticated Request Tracking
27
+
28
+
Changes implemented:
29
+
30
+
- Added a shared authenticated-request helper in `functions_activity_logging.py` that records a `user_login` activity with `login_method = authenticated_request`.
31
+
- Added a session-scoped throttle window so repeated authenticated page loads do not emit a record on every request.
32
+
- Captured request metadata such as `request_path`, `request_method`, and `auth_signal` for later diagnostics.
Authenticated page visits now show up in the existing login analytics even when the user did not intentionally click a login button during that session.
42
+
43
+
### OAuth Callback Deduplication
44
+
45
+
Changes implemented:
46
+
47
+
- Marked the session immediately after the explicit `/getAToken` callback logs `user_login`.
48
+
- Reused that session marker to suppress an immediate second `user_login` on the redirect to `/`.
- Added a focused functional regression test that loads `functions_activity_logging.py` with stubbed dependencies so the new throttle and dedup behavior can be exercised without a live Cosmos dependency.
71
+
- Ran targeted compile checks on the edited Python files.
- Login metrics depended almost entirely on explicit OAuth callback completions.
86
+
- Passive SSO/session-reuse visits could authenticate successfully without contributing to login analytics.
87
+
- A naive request-level fix risked over-counting every authenticated browser/API request.
88
+
89
+
After:
90
+
91
+
- Authenticated browser page requests can emit a throttled `user_login` record when no recent login activity has been recorded in the current session.
92
+
- Explicit OAuth callback logins still record normally and are not immediately double-counted on redirect.
93
+
- Existing dashboards that already query `activity_type = 'user_login'` now see a more representative picture of real authenticated use.
94
+
95
+
## User Experience Impact
96
+
97
+
- Admins get more representative login activity in the Control Center and profile trends for users who rely on seamless SSO.
98
+
- Users do not see any UI change.
99
+
- Login metrics should remain substantially less noisy than per-request tracking because the authenticated-request signal is throttled and limited to browser GET requests.
0 commit comments