feat: enhance login analytics (#2078)

cemalkilic · web-flow · commit 1aed4a27fdc5 · 2025-07-05T14:10:00.000+02:00
## Summary

Enhance login analytics mainly by adding missing provider information in
Supabase Auth. This ensures all authentication flows are properly
tracked with structured data.
diff --git a/internal/api/anonymous.go b/internal/api/anonymous.go
@@ -54,6 +54,6 @@ func (a *API) SignupAnonymously(w http.ResponseWriter, r *http.Request) error {
 		return apierrors.NewInternalServerError("Database error creating anonymous user").WithInternalError(err)
 	}
 
-	metering.RecordLogin("anonymous", newUser.ID)
+	metering.RecordLogin(metering.LoginTypeAnonymous, newUser.ID, nil)
 	return sendJSON(w, http.StatusOK, token)
 }
diff --git a/internal/api/external.go b/internal/api/external.go
@@ -15,6 +15,7 @@ import (
 	"github.com/supabase/auth/internal/api/apierrors"
 	"github.com/supabase/auth/internal/api/provider"
 	"github.com/supabase/auth/internal/conf"
+	"github.com/supabase/auth/internal/metering"
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/observability"
 	"github.com/supabase/auth/internal/storage"
@@ -252,6 +253,13 @@ func (a *API) internalExternalProviderCallback(w http.ResponseWriter, r *http.Re
 		return err
 	}
 
+	// Record login for analytics - only when token is issued (not during pkce authorize)
+	if token != nil {
+		metering.RecordLogin(metering.LoginTypeOAuth, user.ID, &metering.LoginData{
+			Provider: providerType,
+		})
+	}
+
 	rurl := a.getExternalRedirectURL(r)
 	if flowState != nil {
 		// This means that the callback is using PKCE
diff --git a/internal/api/mfa.go b/internal/api/mfa.go
@@ -722,7 +722,10 @@ func (a *API) verifyTOTPFactor(w http.ResponseWriter, r *http.Request, params *V
 	if err != nil {
 		return err
 	}
-	metering.RecordLogin(string(models.MFACodeLoginAction), user.ID)
+
+	metering.RecordLogin(metering.LoginTypeMFA, user.ID, &metering.LoginData{
+		Provider: metering.ProviderMFATOTP,
+	})
 
 	return sendJSON(w, http.StatusOK, token)
 
@@ -850,7 +853,10 @@ func (a *API) verifyPhoneFactor(w http.ResponseWriter, r *http.Request, params *
 	if err != nil {
 		return err
 	}
-	metering.RecordLogin(string(models.MFACodeLoginAction), user.ID)
+
+	metering.RecordLogin(metering.LoginTypeMFA, user.ID, &metering.LoginData{
+		Provider: metering.ProviderMFAPhone,
+	})
 
 	return sendJSON(w, http.StatusOK, token)
 }
@@ -950,7 +956,10 @@ func (a *API) verifyWebAuthnFactor(w http.ResponseWriter, r *http.Request, param
 	if err != nil {
 		return err
 	}
-	metering.RecordLogin(string(models.MFACodeLoginAction), user.ID)
+
+	metering.RecordLogin(metering.LoginTypeMFA, user.ID, &metering.LoginData{
+		Provider: metering.ProviderMFAWebAuthn,
+	})
 
 	return sendJSON(w, http.StatusOK, token)
 }
diff --git a/internal/api/samlacs.go b/internal/api/samlacs.go
@@ -14,6 +14,7 @@ import (
 	"github.com/gofrs/uuid"
 	"github.com/supabase/auth/internal/api/apierrors"
 	"github.com/supabase/auth/internal/api/provider"
+	"github.com/supabase/auth/internal/metering"
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/observability"
 	"github.com/supabase/auth/internal/storage"
@@ -328,6 +329,14 @@ func (a *API) handleSamlAcs(w http.ResponseWriter, r *http.Request) error {
 		return nil
 
 	}
+
+	// Record login for analytics - only when token is issued (not during pkce authorize)
+	if token != nil {
+		metering.RecordLogin(metering.LoginTypeSSO, token.User.ID, &metering.LoginData{
+			Provider: metering.ProviderSAML,
+		})
+	}
+
 	http.Redirect(w, r, token.AsRedirectURL(redirectTo, url.Values{}), http.StatusFound)
 
 	return nil
diff --git a/internal/api/signup.go b/internal/api/signup.go
@@ -322,7 +322,13 @@ func (a *API) Signup(w http.ResponseWriter, r *http.Request) error {
 		if err != nil {
 			return err
 		}
-		metering.RecordLogin("password", user.ID)
+		metering.RecordLogin(metering.LoginTypePassword, user.ID, &metering.LoginData{
+			Provider: params.Provider,
+			// add extra context to indicate this is immediate login right after signup
+			Extra: map[string]interface{}{
+				"immediate_login_after_signup": true,
+			},
+		})
 		return sendJSON(w, http.StatusOK, token)
 	}
 	if user.HasBeenInvited() {
diff --git a/internal/api/token.go b/internal/api/token.go
@@ -243,7 +243,9 @@ func (a *API) ResourceOwnerPasswordGrant(ctx context.Context, w http.ResponseWri
 
 	token.WeakPassword = weakPasswordError
 
-	metering.RecordLogin("password", user.ID)
+	metering.RecordLogin(metering.LoginTypePassword, user.ID, &metering.LoginData{
+		Provider: provider,
+	})
 	return sendJSON(w, http.StatusOK, token)
 }
 
@@ -318,6 +320,9 @@ func (a *API) PKCE(ctx context.Context, w http.ResponseWriter, r *http.Request)
 		return err
 	}
 
+	metering.RecordLogin(metering.LoginTypePKCE, user.ID, &metering.LoginData{
+		Provider: flowState.ProviderType,
+	})
 	return sendJSON(w, http.StatusOK, token)
 }
 
diff --git a/internal/api/token_oidc.go b/internal/api/token_oidc.go
@@ -10,6 +10,7 @@ import (
 	"github.com/supabase/auth/internal/api/apierrors"
 	"github.com/supabase/auth/internal/api/provider"
 	"github.com/supabase/auth/internal/conf"
+	"github.com/supabase/auth/internal/metering"
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/observability"
 	"github.com/supabase/auth/internal/storage"
@@ -280,5 +281,9 @@ func (a *API) IdTokenGrant(ctx context.Context, w http.ResponseWriter, r *http.R
 		}
 	}
 
+	metering.RecordLogin(metering.LoginTypeOIDC, token.User.ID, &metering.LoginData{
+		Provider: providerType,
+	})
+
 	return sendJSON(w, http.StatusOK, token)
 }
diff --git a/internal/api/token_refresh.go b/internal/api/token_refresh.go
@@ -276,7 +276,7 @@ func (a *API) RefreshTokenGrant(ctx context.Context, w http.ResponseWriter, r *h
 				return err
 			}
 		}
-		metering.RecordLogin("token", user.ID)
+		metering.RecordLogin(metering.LoginTypeToken, user.ID, nil)
 		return sendJSON(w, http.StatusOK, newTokenResponse)
 	}
 
diff --git a/internal/api/verify.go b/internal/api/verify.go
@@ -16,6 +16,7 @@ import (
 	"github.com/supabase/auth/internal/api/sms_provider"
 	"github.com/supabase/auth/internal/crypto"
 	mail "github.com/supabase/auth/internal/mailer"
+	"github.com/supabase/auth/internal/metering"
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/observability"
 	"github.com/supabase/auth/internal/storage"
@@ -211,6 +212,9 @@ func (a *API) verifyGet(w http.ResponseWriter, r *http.Request, params *VerifyPa
 		q := url.Values{}
 		q.Set("type", params.Type)
 		rurl = token.AsRedirectURL(rurl, q)
+
+		metering.RecordLogin(metering.LoginTypeImplicit, token.User.ID, nil)
+
 	} else if isPKCEFlow(flowType) {
 		rurl, err = a.prepPKCERedirectURL(rurl, authCode)
 		if err != nil {
@@ -292,6 +296,16 @@ func (a *API) verifyPost(w http.ResponseWriter, r *http.Request, params *VerifyP
 			"code": strconv.Itoa(http.StatusOK),
 		})
 	}
+
+	// Record login for analytics - determine provider based on verification type
+	provider := metering.ProviderEmail // default
+	if params.Type == smsVerification || params.Type == phoneChangeVerification {
+		provider = metering.ProviderPhone
+	}
+	metering.RecordLogin(metering.LoginTypeOTP, user.ID, &metering.LoginData{
+		Provider: provider,
+	})
+
 	return sendJSON(w, http.StatusOK, token)
 }
 
diff --git a/internal/api/web3.go b/internal/api/web3.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/supabase/auth/internal/api/apierrors"
 	"github.com/supabase/auth/internal/api/provider"
+	"github.com/supabase/auth/internal/metering"
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/storage"
 	"github.com/supabase/auth/internal/utilities"
@@ -167,5 +168,16 @@ func (a *API) web3GrantSolana(ctx context.Context, w http.ResponseWriter, r *htt
 		}
 	}
 
+	// Record login for analytics with Web3 context
+	metering.RecordLogin(metering.LoginTypeWeb3, token.User.ID, &metering.LoginData{
+		Web3: &metering.Web3Data{
+			Chain:   params.Chain,
+			Network: parsedMessage.ChainID,
+			Address: parsedMessage.Address,
+			Domain:  parsedMessage.Domain,
+			URI:     parsedMessage.URI.String(),
+		},
+	})
+
 	return sendJSON(w, http.StatusOK, token)
 }
diff --git a/internal/metering/record.go b/internal/metering/record.go
@@ -5,13 +5,106 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+// LoginType represents the type of login method used
+type LoginType string
+
+// LoginType constants for consistent login analytics
+const (
+	LoginTypeAnonymous LoginType = "anonymous"
+	LoginTypeSSO       LoginType = "sso"
+	LoginTypeOAuth     LoginType = "oauth"
+	LoginTypeWeb3      LoginType = "web3"
+	LoginTypeImplicit  LoginType = "implicit"
+	LoginTypeOIDC      LoginType = "oidc"
+	LoginTypeOTP       LoginType = "otp"
+	LoginTypePassword  LoginType = "password"
+	LoginTypePKCE      LoginType = "pkce"
+	LoginTypeToken     LoginType = "token" // for refresh token flows, to be backward-compatible with existing data
+	LoginTypeMFA       LoginType = "mfa"   // for MFA verifications
+)
+
+// Provider constants for consistent login analytics
+const (
+	// Password/OTP based providers
+	ProviderEmail = "email"
+	ProviderPhone = "phone"
+
+	// MFA providers
+	ProviderMFATOTP     = "totp"
+	ProviderMFAPhone    = "phone"
+	ProviderMFAWebAuthn = "webauthn"
+
+	// SSO providers
+	ProviderSAML = "saml"
+)
+
+// LoginData contains structured data for login events
+type LoginData struct {
+	// Provider is the authentication provider (e.g., "email", "phone", "google", "github", "web3", etc.)
+	Provider string `json:"provider"`
+
+	// Web3 specific data (for blockchain authentication)
+	Web3 *Web3Data `json:"web3,omitempty"`
+
+	// Additional context for future extensibility
+	Extra map[string]interface{} `json:"extra,omitempty"`
+}
+
+// Web3Data contains Web3/blockchain-specific authentication data
+type Web3Data struct {
+	// Chain name (e.g., "ethereum", "polygon", "arbitrum")
+	Chain string `json:"chain,omitempty"`
+	// Network ID (e.g., "1" for mainnet)
+	Network string `json:"network,omitempty"`
+	// Wallet address that signed the message
+	Address string `json:"address,omitempty"`
+	// Domain
+	Domain string `json:"domain,omitempty"`
+	// URI
+	URI string `json:"uri,omitempty"`
+}
+
 var logger = logrus.StandardLogger().WithField("metering", true)
 
-func RecordLogin(loginType string, userID uuid.UUID) {
-	logger.WithFields(logrus.Fields{
+func RecordLogin(loginType LoginType, userID uuid.UUID, data *LoginData) {
+	fields := logrus.Fields{
 		"action":       "login",
-		"login_method": loginType,
+		"login_method": string(loginType),
 		"instance_id":  uuid.Nil.String(),
 		"user_id":      userID.String(),
-	}).Info("Login")
+	}
+
+	if data != nil {
+		if data.Provider != "" {
+			fields["provider"] = data.Provider
+		}
+
+		// Add Web3 context fields
+		if data.Web3 != nil {
+			if data.Web3.Chain != "" {
+				fields["web3_chain"] = data.Web3.Chain
+			}
+			if data.Web3.Network != "" {
+				fields["web3_network"] = data.Web3.Network
+			}
+			if data.Web3.Address != "" {
+				fields["web3_address"] = data.Web3.Address
+			}
+			if data.Web3.Domain != "" {
+				fields["web3_domain"] = data.Web3.Domain
+			}
+			if data.Web3.URI != "" {
+				fields["web3_uri"] = data.Web3.URI
+			}
+		}
+
+		// Add any extra fields
+		if data.Extra != nil {
+			for key, value := range data.Extra {
+				fields[key] = value
+			}
+		}
+	}
+
+	logger.WithFields(fields).Info("Login")
 }

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,6 @@ func (a API) SignupAnonymously(w http.ResponseWriter, r http.Request) error {`
`54`	`54`	`return apierrors.NewInternalServerError("Database error creating anonymous user").WithInternalError(err)`
`55`	`55`	`}`
`56`	`56`
`57`		`- metering.RecordLogin("anonymous", newUser.ID)`
	`57`	`+ metering.RecordLogin(metering.LoginTypeAnonymous, newUser.ID, nil)`
`58`	`58`	`return sendJSON(w, http.StatusOK, token)`
`59`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -243,7 +243,9 @@ func (a *API) ResourceOwnerPasswordGrant(ctx context.Context, w http.ResponseWri`
`243`	`243`
`244`	`244`	`token.WeakPassword = weakPasswordError`
`245`	`245`
`246`		`- metering.RecordLogin("password", user.ID)`
	`246`	`+ metering.RecordLogin(metering.LoginTypePassword, user.ID, &metering.LoginData{`
	`247`	`+ Provider: provider,`
	`248`	`+ })`
`247`	`249`	`return sendJSON(w, http.StatusOK, token)`
`248`	`250`	`}`
`249`	`251`
`@@ -318,6 +320,9 @@ func (a API) PKCE(ctx context.Context, w http.ResponseWriter, r http.Request)`
`318`	`320`	`return err`
`319`	`321`	`}`
`320`	`322`
	`323`	`+ metering.RecordLogin(metering.LoginTypePKCE, user.ID, &metering.LoginData{`
	`324`	`+ Provider: flowState.ProviderType,`
	`325`	`+ })`
`321`	`326`	`return sendJSON(w, http.StatusOK, token)`
`322`	`327`	`}`
`323`	`328`
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ import (`
`10`	`10`	`"github.com/supabase/auth/internal/api/apierrors"`
`11`	`11`	`"github.com/supabase/auth/internal/api/provider"`
`12`	`12`	`"github.com/supabase/auth/internal/conf"`
	`13`	`+ "github.com/supabase/auth/internal/metering"`
`13`	`14`	`"github.com/supabase/auth/internal/models"`
`14`	`15`	`"github.com/supabase/auth/internal/observability"`
`15`	`16`	`"github.com/supabase/auth/internal/storage"`
`@@ -280,5 +281,9 @@ func (a API) IdTokenGrant(ctx context.Context, w http.ResponseWriter, r http.R`
`280`	`281`	`}`
`281`	`282`	`}`
`282`	`283`
	`284`	`+ metering.RecordLogin(metering.LoginTypeOIDC, token.User.ID, &metering.LoginData{`
	`285`	`+ Provider: providerType,`
	`286`	`+ })`
	`287`	`+`
`283`	`288`	`return sendJSON(w, http.StatusOK, token)`
`284`	`289`	`}`
Original file line number	Diff line number	Diff line change
`@@ -276,7 +276,7 @@ func (a API) RefreshTokenGrant(ctx context.Context, w http.ResponseWriter, r h`
`276`	`276`	`return err`
`277`	`277`	`}`
`278`	`278`	`}`
`279`		`- metering.RecordLogin("token", user.ID)`
	`279`	`+ metering.RecordLogin(metering.LoginTypeToken, user.ID, nil)`
`280`	`280`	`return sendJSON(w, http.StatusOK, newTokenResponse)`
`281`	`281`	`}`
`282`	`282`