feat(glean): Capture 'scopes' in oauth access token creation Glean event

Because:
* We want to log granted scope info when access tokens are created

This commit:
* Adds a new 'scopes' option for the oauth token created Glean event

closes FXA-13288

Author: LZoog

packages/fxa-auth-server/lib/metrics/glean/index.spec.ts

@@ -2,7 +2,6 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-
 import { AppError } from '@fxa/accounts/errors';
 import { AuthRequest } from '../../types';
 
@@ -691,6 +690,40 @@ describe('Glean server side events', () => {
   });
 
   describe('oauth', () => {
+    describe('tokenCreated', () => {
+      it('normalizes space-separated scopes to sorted comma-separated', async () => {
+        const glean = gleanMetrics(config);
+        await glean.oauth.tokenCreated(request, {
+          scopes: 'https://identity.mozilla.com/apps/smartwindow profile:uid',
+        });
+        expect(gleanMocks['recordAccessTokenCreated']).toHaveBeenCalledTimes(1);
+        const metrics = gleanMocks['recordAccessTokenCreated'].mock.calls[0][0];
+        expect(metrics['scopes']).toBe(
+          'https://identity.mozilla.com/apps/smartwindow,profile:uid'
+        );
+      });
+
+      it('handles undefined scopes', async () => {
+        const glean = gleanMetrics(config);
+        await glean.oauth.tokenCreated(request, {
+          scopes: undefined,
+        });
+        expect(gleanMocks['recordAccessTokenCreated']).toHaveBeenCalledTimes(1);
+        const metrics = gleanMocks['recordAccessTokenCreated'].mock.calls[0][0];
+        expect(metrics['scopes']).toBe('');
+      });
+
+      it('handles scopes passed as an array', async () => {
+        const glean = gleanMetrics(config);
+        await glean.oauth.tokenCreated(request, {
+          scopes: ['profile', 'openid'],
+        });
+        expect(gleanMocks['recordAccessTokenCreated']).toHaveBeenCalledTimes(1);
+        const metrics = gleanMocks['recordAccessTokenCreated'].mock.calls[0][0];
+        expect(metrics['scopes']).toBe('openid,profile');
+      });
+    });
+
     describe('tokenChecked', () => {
       it('sends an empty ip address', async () => {
         const glean = gleanMetrics(config);
@@ -706,8 +739,7 @@ describe('Glean server side events', () => {
           scopes: undefined,
         });
         expect(gleanMocks['recordAccessTokenChecked']).toHaveBeenCalledTimes(1);
-        const metrics =
-          gleanMocks['recordAccessTokenChecked'].mock.calls[0][0];
+        const metrics = gleanMocks['recordAccessTokenChecked'].mock.calls[0][0];
         expect(metrics['scopes']).toBe('');
       });
 
@@ -717,8 +749,7 @@ describe('Glean server side events', () => {
           scopes: '',
         });
         expect(gleanMocks['recordAccessTokenChecked']).toHaveBeenCalledTimes(1);
-        const metrics =
-          gleanMocks['recordAccessTokenChecked'].mock.calls[0][0];
+        const metrics = gleanMocks['recordAccessTokenChecked'].mock.calls[0][0];
         expect(metrics['scopes']).toBe('');
       });
 
@@ -728,8 +759,7 @@ describe('Glean server side events', () => {
           scopes: ['profile', 'openid'],
         });
         expect(gleanMocks['recordAccessTokenChecked']).toHaveBeenCalledTimes(1);
-        const metrics =
-          gleanMocks['recordAccessTokenChecked'].mock.calls[0][0];
+        const metrics = gleanMocks['recordAccessTokenChecked'].mock.calls[0][0];
         expect(metrics['scopes']).toBe('openid,profile');
       });
 
@@ -739,8 +769,7 @@ describe('Glean server side events', () => {
           scopes: 'profile,openid',
         });
         expect(gleanMocks['recordAccessTokenChecked']).toHaveBeenCalledTimes(1);
-        const metrics =
-          gleanMocks['recordAccessTokenChecked'].mock.calls[0][0];
+        const metrics = gleanMocks['recordAccessTokenChecked'].mock.calls[0][0];
         expect(metrics['scopes']).toBe('openid,profile');
       });
     });
@@ -893,11 +922,12 @@ describe('Glean server side events', () => {
           request: req as any,
           error,
         });
-        expect(mockGleanObj.registration.error as jest.Mock).toHaveBeenCalledTimes(1);
-        expect(mockGleanObj.registration.error as jest.Mock).toHaveBeenCalledWith(
-          req,
-          { reason: 'REQUEST_BLOCKED' }
-        );
+        expect(
+          mockGleanObj.registration.error as jest.Mock
+        ).toHaveBeenCalledTimes(1);
+        expect(
+          mockGleanObj.registration.error as jest.Mock
+        ).toHaveBeenCalledWith(req, { reason: 'REQUEST_BLOCKED' });
       });
     });
 

packages/fxa-auth-server/lib/metrics/glean/index.ts

@@ -273,7 +273,20 @@ export function gleanMetrics(config: ConfigType) {
 
     oauth: {
       tokenCreated: createEventFn('access_token_created', {
-        additionalMetrics: extraKeyReasonCb,
+        additionalMetrics: (metrics) => ({
+          reason: metrics.reason ?? '',
+          scopes: metrics.scopes
+            ? // Array: in at least verify.js, getScopeValues() returns string[]
+              Array.isArray(metrics.scopes)
+              ? metrics.scopes.sort().join(',')
+              : // String: in at least token.js, ScopeSet.toString() returns space-separated scopes
+                metrics.scopes
+                  .split(/[,\s]+/)
+                  .filter(Boolean)
+                  .sort()
+                  .join(',')
+            : '',
+        }),
       }),
       tokenChecked: createEventFn('access_token_checked', {
         skipClientIp: true,

packages/fxa-auth-server/lib/metrics/glean/server_events.ts

@@ -409,6 +409,7 @@ class EventsServerEventLogger {
    * @param {string} utm_source - The source from where the user started.  For example, if the user clicked on a link on the Mozilla accounts web site, this value could be 'fx-website'.  The value has a max length of 128 characters with the alphanumeric characters, _ (underscore), forward slash (/), . (period), % (percentage sign), and - (hyphen) in the allowed set of characters..
    * @param {string} utm_term - This metric is similar to the `utm.source`; it is used in the Firefox browser.  For example, if the user started from about:welcome, then the value could be 'aboutwelcome-default-screen'.  The value has a max length of 128 characters with the alphanumeric characters, _ (underscore), forward slash (/), . (period), % (percentage sign), and - (hyphen) in the allowed set of characters..
    * @param {string} reason - additional context-dependent info, e.g. the cause of an error.
+   * @param {string} scopes - The OAuth scopes granted for the access token, in a comma-separated list.
    */
   recordAccessTokenCreated({
     user_agent,
@@ -428,6 +429,7 @@ class EventsServerEventLogger {
     utm_source,
     utm_term,
     reason,
+    scopes,
   }: {
     user_agent: string;
     ip_address: string;
@@ -446,12 +448,14 @@ class EventsServerEventLogger {
     utm_source: string;
     utm_term: string;
     reason: string;
+    scopes: string;
   }) {
     const event = {
       category: 'access_token',
       name: 'created',
       extra: {
         reason: String(reason),
+        scopes: String(scopes),
       },
     };
     this.#record({

packages/fxa-auth-server/lib/routes/oauth/token.js

@@ -533,6 +533,7 @@ module.exports = ({ log, oauthDB, db, mailer, devices, statsd, glean }) => {
       reason: params.reason
         ? `${params.grant_type}:${params.reason}`
         : params.grant_type,
+      scopes: grant.scope?.toString() || '',
     });
 
     if (tokens.keys_jwe) {

packages/fxa-auth-server/lib/routes/oauth/token.spec.ts

@@ -5,6 +5,7 @@
 import sinon from 'sinon';
 const Joi = require('joi');
 const { Container } = require('typedi');
+const ScopeSet = require('fxa-shared').oauth.scopes;
 
 const {
   OAUTH_SCOPE_OLD_SYNC,
@@ -24,14 +25,12 @@ const UID = 'eaf0';
 const CLIENT_SECRET =
   'b93ef8a8f3e553a430d7e5b904c6132b2722633af9f03128029201d24a97f2a8';
 const CLIENT_ID = '98e6508e88680e1b';
-const CODE =
-  'df6dcfe7bf6b54a65db5742cbcdce5c0a84a5da81a0bb6bdf5fc793eef041fc6';
+const CODE = 'df6dcfe7bf6b54a65db5742cbcdce5c0a84a5da81a0bb6bdf5fc793eef041fc6';
 const REFRESH_TOKEN = CODE;
 const PKCE_CODE_VERIFIER = 'au3dqDz2dOB0_vSikXCUf4S8Gc-37dL-F7sGxtxpR3R';
 const CODE_WITH_KEYS = 'afafaf';
 const CODE_WITHOUT_KEYS = 'f0f0f0';
-const GRANT_TOKEN_EXCHANGE =
-  'urn:ietf:params:oauth:grant-type:token-exchange';
+const GRANT_TOKEN_EXCHANGE = 'urn:ietf:params:oauth:grant-type:token-exchange';
 const SUBJECT_TOKEN_TYPE_REFRESH =
   'urn:ietf:params:oauth:token-type:refresh_token';
 const FIREFOX_IOS_CLIENT_ID = '1b1a3e44c54fbb58';
@@ -58,10 +57,13 @@ const tokenRoutesDepMocks = {
         is: Joi.string().required(),
         then: Joi.forbidden(),
       }),
-      clientSecret: Joi.string().hex().required().when('$headers.authorization', {
-        is: Joi.string().required(),
-        then: Joi.forbidden(),
-      }),
+      clientSecret: Joi.string()
+        .hex()
+        .required()
+        .when('$headers.authorization', {
+          is: Joi.string().required(),
+          then: Joi.forbidden(),
+        }),
     },
   },
   '../../oauth/grant': {
@@ -338,7 +340,51 @@ describe('/token POST', () => {
       sinon.assert.calledOnceWithExactly(
         mockGlean.oauth.tokenCreated,
         request,
-        { uid: UID, oauthClientId: CLIENT_ID, reason: 'authorization_code' }
+        {
+          uid: UID,
+          oauthClientId: CLIENT_ID,
+          reason: 'authorization_code',
+          scopes: '',
+        }
+      );
+    });
+
+    it('logs space-separated scopes from ScopeSet for the token created event', async () => {
+      const SMARTWINDOW_SCOPES =
+        'https://identity.mozilla.com/apps/smartwindow profile:uid';
+      resetAndMockDeps();
+      jest.doMock('../../oauth/grant', () => ({
+        generateTokens: tokenRoutesDepMocks['../../oauth/grant'].generateTokens,
+        validateRequestedGrant: () => ({
+          offline: true,
+          userId: buf(UID),
+          clientId: buf(CLIENT_ID),
+          scope: ScopeSet.fromString(SMARTWINDOW_SCOPES),
+        }),
+      }));
+      const mockGleanLocal = { oauth: { tokenCreated: sinon.stub() } };
+      const routes = require('./token')({
+        ...tokenRoutesArgMocks,
+        glean: mockGleanLocal,
+      });
+      const request = {
+        app: {},
+        payload: {
+          client_id: CLIENT_ID,
+          grant_type: 'fxa-credentials',
+        },
+        emitMetricsEvent: () => {},
+      };
+      await routes[0].config.handler(request);
+      sinon.assert.calledOnceWithExactly(
+        mockGleanLocal.oauth.tokenCreated,
+        request,
+        {
+          uid: UID,
+          oauthClientId: CLIENT_ID,
+          reason: 'fxa-credentials',
+          scopes: SMARTWINDOW_SCOPES,
+        }
       );
     });
   });
@@ -540,7 +586,8 @@ describe('token exchange grant_type', () => {
           canGrant: true,
           publicClient: true,
         }),
-        clientAuthValidators: tokenRoutesDepMocks['../../oauth/client'].clientAuthValidators,
+        clientAuthValidators:
+          tokenRoutesDepMocks['../../oauth/client'].clientAuthValidators,
       }));
       jest.doMock('../../oauth/grant', () => ({
         generateTokens: (grant: any) => {
@@ -677,8 +724,9 @@ describe('/oauth/token POST', () => {
         .rejects(new Error('should not be called'));
       jest.resetModules();
       jest.doMock('../../oauth/assertion', () => async () => true);
-      jest.doMock('../../oauth/client', () =>
-        tokenRoutesDepMocks['../../oauth/client']
+      jest.doMock(
+        '../../oauth/client',
+        () => tokenRoutesDepMocks['../../oauth/client']
       );
       jest.doMock('../../oauth/grant', () => ({
         generateTokens: (grant: any) => ({
@@ -690,8 +738,9 @@ describe('/oauth/token POST', () => {
         }),
         validateRequestedGrant: () => ({ offline: true, scope: 'testo' }),
       }));
-      jest.doMock('../../oauth/util', () =>
-        tokenRoutesDepMocks['../../oauth/util']
+      jest.doMock(
+        '../../oauth/util',
+        () => tokenRoutesDepMocks['../../oauth/util']
       );
       jest.doMock('../utils/oauth', () => ({
         newTokenNotification: newTokenNotificationStub,
@@ -758,8 +807,9 @@ describe('/oauth/token POST', () => {
       const newTokenNotificationStub = sinon.stub().resolves();
       jest.resetModules();
       jest.doMock('../../oauth/assertion', () => async () => true);
-      jest.doMock('../../oauth/client', () =>
-        tokenRoutesDepMocks['../../oauth/client']
+      jest.doMock(
+        '../../oauth/client',
+        () => tokenRoutesDepMocks['../../oauth/client']
       );
       jest.doMock('../../oauth/grant', () => ({
         generateTokens: (grant: any) => ({
@@ -771,8 +821,9 @@ describe('/oauth/token POST', () => {
         }),
         validateRequestedGrant: () => ({ offline: true, scope: 'testo' }),
       }));
-      jest.doMock('../../oauth/util', () =>
-        tokenRoutesDepMocks['../../oauth/util']
+      jest.doMock(
+        '../../oauth/util',
+        () => tokenRoutesDepMocks['../../oauth/util']
       );
       jest.doMock('../utils/oauth', () => ({
         newTokenNotification: newTokenNotificationStub,
@@ -838,20 +889,21 @@ describe('/oauth/token POST', () => {
         .rejects(new Error('should not be called'));
       jest.resetModules();
       jest.doMock('../../oauth/assertion', () => async () => true);
-      jest.doMock('../../oauth/client', () =>
-        tokenRoutesDepMocks['../../oauth/client']
+      jest.doMock(
+        '../../oauth/client',
+        () => tokenRoutesDepMocks['../../oauth/client']
       );
       jest.doMock('../../oauth/grant', () => ({
-        generateTokens:
-          tokenRoutesDepMocks['../../oauth/grant'].generateTokens,
+        generateTokens: tokenRoutesDepMocks['../../oauth/grant'].generateTokens,
         validateRequestedGrant: () => ({
           offline: true,
           scope: OAUTH_SCOPE_SESSION_TOKEN,
           clientId: buf(CLIENT_ID),
         }),
       }));
-      jest.doMock('../../oauth/util', () =>
-        tokenRoutesDepMocks['../../oauth/util']
+      jest.doMock(
+        '../../oauth/util',
+        () => tokenRoutesDepMocks['../../oauth/util']
       );
       jest.doMock('../utils/oauth', () => ({
         newTokenNotification: newTokenNotificationStub,
@@ -892,20 +944,21 @@ describe('/oauth/token POST', () => {
       const newTokenNotificationStub = sinon.stub().resolves();
       jest.resetModules();
       jest.doMock('../../oauth/assertion', () => async () => true);
-      jest.doMock('../../oauth/client', () =>
-        tokenRoutesDepMocks['../../oauth/client']
+      jest.doMock(
+        '../../oauth/client',
+        () => tokenRoutesDepMocks['../../oauth/client']
       );
       jest.doMock('../../oauth/grant', () => ({
-        generateTokens:
-          tokenRoutesDepMocks['../../oauth/grant'].generateTokens,
+        generateTokens: tokenRoutesDepMocks['../../oauth/grant'].generateTokens,
         validateRequestedGrant: () => ({
           offline: true,
           scope: 'testo',
           clientId: buf(CLIENT_ID),
         }),
       }));
-      jest.doMock('../../oauth/util', () =>
-        tokenRoutesDepMocks['../../oauth/util']
+      jest.doMock(
+        '../../oauth/util',
+        () => tokenRoutesDepMocks['../../oauth/util']
       );
       jest.doMock('../utils/oauth', () => ({
         newTokenNotification: newTokenNotificationStub,

packages/fxa-auth-server/test/oauth/routes/token.js

@@ -379,7 +379,12 @@ describe('/token POST', function () {
       sinon.assert.calledOnceWithExactly(
         mockGlean.oauth.tokenCreated,
         request,
-        { uid: UID, oauthClientId: CLIENT_ID, reason: 'authorization_code' }
+        {
+          uid: UID,
+          oauthClientId: CLIENT_ID,
+          reason: 'authorization_code',
+          scopes: '',
+        }
       );
     });
   });