feat: Add login/logout audit logging (refs #10)

Backend:
- Add login event logging to getUserStatus() controller method
- Create POST /auth/track-logout endpoint for logout tracking

Frontend:
- Create useLogout hook that wraps Auth0 logout with audit tracking
- Update all logout locations to use the new hook (SettingsPage,
  Layout, MobileSettingsScreen, useDeletion)

Login events are logged when the frontend calls /auth/user-status after
Auth0 callback. Logout events are logged via fire-and-forget call to
/auth/track-logout before Auth0 logout.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/src/features/auth/api/auth.controller.ts

@@ -193,6 +193,9 @@ export class AuthController {
    * GET /api/auth/user-status
    * Get user status for routing decisions
    * Protected endpoint - requires JWT
+   *
+   * Note: This endpoint is called once per Auth0 callback (from CallbackPage/CallbackMobileScreen).
+   * We log the login event here since it's the first authenticated request after Auth0 redirect.
    */
   async getUserStatus(request: FastifyRequest, reply: FastifyReply) {
     try {
@@ -200,6 +203,17 @@ export class AuthController {
 
       const result = await this.authService.getUserStatus(userId);
 
+      // Log login event to audit trail (called once per Auth0 callback)
+      const ipAddress = this.getClientIp(request);
+      await auditLogService.info(
+        'auth',
+        userId,
+        'User login',
+        'user',
+        userId,
+        { ipAddress }
+      ).catch(err => logger.error('Failed to log login audit event', { error: err }));
+
       logger.info('User status retrieved', {
         userId: userId.substring(0, 8) + '...',
         emailVerified: result.emailVerified,
@@ -287,4 +301,43 @@ export class AuthController {
       });
     }
   }
+
+  /**
+   * POST /api/auth/track-logout
+   * Track user logout event for audit logging
+   * Protected endpoint - requires JWT
+   *
+   * Called by frontend before Auth0 logout to capture the logout event.
+   * Returns success even if audit logging fails (non-blocking).
+   */
+  async trackLogout(request: FastifyRequest, reply: FastifyReply) {
+    try {
+      const userId = (request as any).user.sub;
+      const ipAddress = this.getClientIp(request);
+
+      // Log logout event to audit trail
+      await auditLogService.info(
+        'auth',
+        userId,
+        'User logout',
+        'user',
+        userId,
+        { ipAddress }
+      ).catch(err => logger.error('Failed to log logout audit event', { error: err }));
+
+      logger.info('User logout tracked', {
+        userId: userId.substring(0, 8) + '...',
+      });
+
+      return reply.code(200).send({ success: true });
+    } catch (error: any) {
+      // Don't block logout on audit failure - always return success
+      logger.error('Failed to track logout', {
+        error,
+        userId: (request as any).user?.sub,
+      });
+
+      return reply.code(200).send({ success: true });
+    }
+  }
 }

backend/src/features/auth/api/auth.routes.ts

@@ -48,4 +48,10 @@ export const authRoutes: FastifyPluginAsync = async (
     preHandler: [fastify.authenticate],
     handler: authController.requestPasswordReset.bind(authController),
   });
+
+  // POST /api/auth/track-logout - Track logout event for audit (requires JWT)
+  fastify.post('/auth/track-logout', {
+    preHandler: [fastify.authenticate],
+    handler: authController.trackLogout.bind(authController),
+  });
 };

frontend/src/components/Layout.tsx

@@ -5,6 +5,7 @@
 import React from 'react';
 import { useAuth0 } from '@auth0/auth0-react';
 import { Link, useLocation } from 'react-router-dom';
+import { useLogout } from '../core/auth/useLogout';
 import { Container, Paper, Typography, Box, IconButton, Avatar } from '@mui/material';
 import HomeRoundedIcon from '@mui/icons-material/HomeRounded';
 import DirectionsCarRoundedIcon from '@mui/icons-material/DirectionsCarRounded';
@@ -26,7 +27,8 @@ interface LayoutProps {
 }
 
 export const Layout: React.FC<LayoutProps> = ({ children, mobileMode = false }) => {
-  const { user, logout } = useAuth0();
+  const { user } = useAuth0();
+  const { logout } = useLogout();
   const { sidebarOpen, toggleSidebar, setSidebarOpen } = useAppStore();
   const location = useLocation();
 
@@ -222,7 +224,7 @@ export const Layout: React.FC<LayoutProps> = ({ children, mobileMode = false })
             variant="secondary"
             size="sm"
             className="w-full"
-            onClick={() => logout({ logoutParams: { returnTo: window.location.origin } })}
+            onClick={() => logout()}
           >
             Sign Out
           </Button>

frontend/src/core/auth/useLogout.ts

@@ -0,0 +1,46 @@
+/**
+ * @ai-summary Custom logout hook with audit logging
+ * @ai-context Tracks logout event before Auth0 logout for audit trail
+ */
+
+import { useAuth0 } from '@auth0/auth0-react';
+import { useCallback } from 'react';
+
+/**
+ * Custom hook that wraps Auth0 logout with audit tracking.
+ * Calls /api/auth/track-logout before performing Auth0 logout.
+ * The audit call is fire-and-forget to ensure logout always completes.
+ */
+export const useLogout = () => {
+  const { logout: auth0Logout, getAccessTokenSilently } = useAuth0();
+
+  const logout = useCallback(async () => {
+    // Fire-and-forget audit call (don't block logout)
+    try {
+      const token = await getAccessTokenSilently({ cacheMode: 'on' as const });
+      if (token) {
+        // Use fetch directly to avoid axios interceptor issues during logout
+        fetch('/api/auth/track-logout', {
+          method: 'POST',
+          headers: {
+            'Authorization': `Bearer ${token}`,
+            'Content-Type': 'application/json',
+          },
+        }).catch(() => {
+          // Silently ignore errors - don't block logout
+        });
+      }
+    } catch {
+      // Token not available - proceed with logout anyway
+    }
+
+    // Perform Auth0 logout
+    auth0Logout({
+      logoutParams: {
+        returnTo: window.location.origin,
+      },
+    });
+  }, [auth0Logout, getAccessTokenSilently]);
+
+  return { logout };
+};

frontend/src/features/settings/hooks/useDeletion.ts

@@ -4,6 +4,7 @@
 
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
 import { useAuth0 } from '@auth0/auth0-react';
+import { useLogout } from '../../../core/auth/useLogout';
 import { profileApi } from '../api/profile.api';
 import { RequestDeletionRequest } from '../types/profile.types';
 import toast from 'react-hot-toast';
@@ -36,7 +37,7 @@ export const useDeletionStatus = () => {
 
 export const useRequestDeletion = () => {
   const queryClient = useQueryClient();
-  const { logout } = useAuth0();
+  const { logout } = useLogout();
 
   return useMutation({
     mutationFn: (data: RequestDeletionRequest) => profileApi.requestDeletion(data),
@@ -45,9 +46,9 @@ export const useRequestDeletion = () => {
       queryClient.invalidateQueries({ queryKey: ['user-profile'] });
       toast.success(response.data.message || 'Account deletion scheduled');
 
-      // Logout after 2 seconds
+      // Logout after 2 seconds (with audit tracking)
       setTimeout(() => {
-        logout({ logoutParams: { returnTo: window.location.origin } });
+        logout();
       }, 2000);
     },
     onError: (error: ApiError) => {

frontend/src/features/settings/mobile/MobileSettingsScreen.tsx

@@ -1,5 +1,6 @@
 import React, { useState } from 'react';
 import { useAuth0 } from '@auth0/auth0-react';
+import { useLogout } from '../../../core/auth/useLogout';
 import { GlassCard } from '../../../shared-minimal/components/mobile/GlassCard';
 import { MobileContainer } from '../../../shared-minimal/components/mobile/MobileContainer';
 import { useSettings } from '../hooks/useSettings';
@@ -75,7 +76,8 @@ const Modal: React.FC<ModalProps> = ({ isOpen, onClose, title, children }) => {
 };
 
 export const MobileSettingsScreen: React.FC = () => {
-  const { user, logout } = useAuth0();
+  const { user } = useAuth0();
+  const { logout } = useLogout();
   const { navigateToScreen } = useNavigationStore();
   const { settings, updateSetting, isLoading, error } = useSettings();
   const { data: profile, isLoading: profileLoading } = useProfile();
@@ -98,11 +100,7 @@ export const MobileSettingsScreen: React.FC = () => {
   }, [profile, isEditingProfile]);
 
   const handleLogout = () => {
-    logout({
+    logout();
-      logoutParams: {
-        returnTo: window.location.origin
-      }
-    });
   };
 
   const handleExportData = () => {

frontend/src/pages/SettingsPage.tsx

@@ -5,6 +5,7 @@
 import React, { useState } from 'react';
 import { useAuth0 } from '@auth0/auth0-react';
 import { useNavigate } from 'react-router-dom';
+import { useLogout } from '../core/auth/useLogout';
 import { useUnits } from '../core/units/UnitsContext';
 import { useAdminAccess } from '../core/auth/useAdminAccess';
 import { useProfile, useUpdateProfile } from '../features/settings/hooks/useProfile';
@@ -44,7 +45,8 @@ import CancelIcon from '@mui/icons-material/Cancel';
 import { Card } from '../shared-minimal/components/Card';
 
 export const SettingsPage: React.FC = () => {
-  const { user, logout } = useAuth0();
+  const { user } = useAuth0();
+  const { logout } = useLogout();
   const navigate = useNavigate();
   const { unitSystem, setUnitSystem } = useUnits();
   const { isAdmin, loading: adminLoading } = useAdminAccess();
@@ -73,7 +75,7 @@ export const SettingsPage: React.FC = () => {
   }, [profile, isEditingProfile]);
 
   const handleLogout = () => {
-    logout({ logoutParams: { returnTo: window.location.origin } });
+    logout();
   };
 
   const handleEditProfile = () => {