feat(admin): expose accountAuthorizations on the admin panel#20659

Open

vbudhram wants to merge 1 commit into main from FXA-13668

@vbudhram
Contributor

Because

  • Admins need visibility into which Firefox browser services (Sync, Smart Window, Relay, VPN) a user has authorized, to answer support questions about consent and connected services.
  • An earlier admin-panel exposure of this data was closed when the underlying accountAuthorizations table was reverted; that table has since been rebuilt as a consent ledger, so the admin surface needs to be rebuilt against the new shape.

This pull request

  • Adds DatabaseService.accountAuthorizations(uid) that reads per-(scope, service, clientId) rows from fxa_oauth, hex-encoding clientId and coercing BIGINT timestamps to numbers. Sort is lastAuthorizedTosAt desc with service / clientId tiebreakers; capped at 50 rows.
  • Resolves a new accountAuthorizations field on the account REST response in account.controller.ts, gated by the existing ConnectedServices admin feature.
  • Adds an AccountAuthorizations React component that renders Service / Scope / Client ID / First Authorized / Last Authorized columns, with an empty state.
  • Adds the new "Authorized Browser Services" section to the account detail page (PageAccountSearch/Account/index.tsx) with an explanatory note clarifying rows are OAuth consent records, not active usage.
  • Extends the AccountAuthorization and Account interfaces in fxa-admin-server/src/types.ts.

Issue that this pull request solves

Closes: https://mozilla-hub.atlassian.net/browse/FXA-13668

Checklist

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).
  • I have manually reviewed all AI generated code.

Other information

How to test:

  1. Run yarn start infrastructure then yarn start mza.
  2. Sign in to an account via fxa-settings and authorize a browser service flow (e.g. Sync, Relay).
  3. In the admin panel, search for that account by email or uid.
  4. Confirm an Authorized Browser Services section appears under Connected Services, with one row per (service, scope, clientId) showing the first and last consent timestamps.
  5. For an account with no consents, confirm the "This account has not authorized any browser services" empty state renders.

Notes:

  • Read-only against fxa_oauth.accountAuthorizations. No new migration or write path.
  • Gated by AdminPanelFeature.ConnectedServices (existing admin feature flag).

Because:

- Admins need visibility into which Firefox browser services (Sync,
  Smart Window, Relay, VPN) a user has authorized so they can answer
  support questions about consent and connected services.
- The previous attempt landed against a table shape that was later
  reverted; this rebuilds the admin surface on top of the consent
  ledger introduced in the auth-server rebuild.

This commit:

- Adds an accountAuthorizations query on DatabaseService that reads
  the per-(uid, scope, service, clientId) rows from fxa_oauth and
  returns scope, service, clientId, firstAuthorizedTosAt, and
  lastAuthorizedTosAt. Rows are ordered by lastAuthorizedTosAt desc,
  clientId is hex-encoded for transport, and BIGINT timestamps are
  coerced to numbers to match the declared API type regardless of
  driver behaviour.
- Resolves the new field on the account REST response, gated by the
  existing ConnectedServices admin feature.
- Adds an Authorized Browser Services section to the account detail
  page rendering one row per (service, scope, clientId) with both
  the first and last consent timestamps, plus an explanatory note
  clarifying that rows are OAuth consent records, not active usage.
- Adds unit tests for the resolver, the React component, and the
  containing account page. The integration test creates the table
  inline so a stale fxa-shared:build cache cannot drop the test
  fixture.
Copilot AI review requested due to automatic review settings May 28, 2026 19:28
@vbudhram vbudhram requested a review from a team as a code owner May 28, 2026 19:28
@vbudhram vbudhram self-assigned this May 28, 2026
Contributor

Copilot AI left a comment

Pull request overview

Re-exposes the rebuilt accountAuthorizations ledger (per (scope, service, clientId) consent rows from fxa_oauth) on the FxA admin panel so support can see which Firefox browser services a user has authorized. The data flows from a new DatabaseService.accountAuthorizations(uid) reader, through a new REST controller resolver gated by the ConnectedServices admin feature, into a new React table on the account detail page.

Changes:

  • Add DatabaseService.accountAuthorizations(uid) and a controller resolver wiring it into the account REST response, plus matching AccountAuthorization/Account type updates.
  • Add an AccountAuthorizations React component (with empty state) and render it in a new "Authorized Browser Services" section on the account search page.
  • Add unit/integration tests (incl. inline accountAuthorizations table creation in the DB spec) and a tiny adminPanel.spec.ts formatting tweak.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| packages/fxa-admin-server/src/types.ts | Add AccountAuthorization interface and accountAuthorizations field on Account. |
| packages/fxa-admin-server/src/rest/account/account.controller.ts | Import type, fan-out new resolver in Promise.all, and add gated accountAuthorizations(account) method. |
| packages/fxa-admin-server/src/database/database.service.ts | New accountAuthorizations reader: query fxa_oauth.accountAuthorizations, hex-encode clientId, coerce BIGINTs, limit 50. |
| packages/fxa-admin-server/src/database/database.service.spec.ts | Inline-create the table fixture and add ordering/empty-result integration tests. |
| packages/fxa-admin-panel/src/components/PageAccountSearch/AccountAuthorizations/index.tsx | New table component with empty state. |
| packages/fxa-admin-panel/src/components/PageAccountSearch/AccountAuthorizations/index.test.tsx | Tests for empty/null/populated rendering. |
| packages/fxa-admin-panel/src/components/PageAccountSearch/Account/index.tsx | Wire new prop and add "Authorized Browser Services" section with explanatory note. |
| packages/fxa-admin-panel/src/components/PageAccountSearch/Account/index.test.tsx | Extend default fixture and add empty/populated rendering tests. |
| packages/functional-tests/tests/admin/adminPanel.spec.ts | Reflow an overly long line; no behavior change. |
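
The row shaping this pull request describes (hex-encoded clientId, BIGINT timestamps coerced to numbers, lastAuthorizedTosAt descending with service / clientId tiebreakers, a 50-row cap, the ConnectedServices gate), as an added TypeScript sketch that is not code from this pull request. `RawRow`, `shapeAuthorizations` and the helpers are hypothetical names, the sample rows are constructed, and the page does not show whether the real reader orders and caps in SQL or in memory.

```typescript
// Added illustration, not fxa-admin-server code. RawRow, shapeAuthorizations and
// the helpers are hypothetical; field names and the rules come from the PR text.
interface RawRow {
  scope: string;
  service: string;
  clientId: Uint8Array; // assumed: binary column delivered as raw bytes
  firstAuthorizedTosAt: number | string; // assumed: BIGINT may arrive as a string
  lastAuthorizedTosAt: number | string;
}
interface AccountAuthorization {
  scope: string;
  service: string;
  clientId: string; // hex-encoded for transport
  firstAuthorizedTosAt: number;
  lastAuthorizedTosAt: number;
}
const MAX_ROWS = 50;
const MAX_SAFE = 9007199254740991; // 2^53 - 1

function toHex(bytes: Uint8Array): string {
  let out = "";
  for (let i = 0; i < bytes.length; i++) out += ("0" + bytes[i].toString(16)).slice(-2);
  return out;
}
// Refuse values that would silently lose precision as a JS number.
function toTimestamp(v: number | string): number {
  const n = typeof v === "number" ? v : Number(v);
  if (Math.floor(n) !== n || Math.abs(n) > MAX_SAFE) throw new Error("unsafe BIGINT: " + v);
  return n;
}
function cmp(a: string, b: string): number { return a < b ? -1 : a > b ? 1 : 0; }

// Assumption: a caller without the ConnectedServices feature gets an empty list.
function shapeAuthorizations(rows: RawRow[], features: string[]): AccountAuthorization[] {
  if (features.indexOf("ConnectedServices") === -1) return [];
  const out = rows.map((r) => ({
    scope: r.scope, service: r.service, clientId: toHex(r.clientId),
    firstAuthorizedTosAt: toTimestamp(r.firstAuthorizedTosAt),
    lastAuthorizedTosAt: toTimestamp(r.lastAuthorizedTosAt),
  }));
  out.sort((a, b) => b.lastAuthorizedTosAt - a.lastAuthorizedTosAt ||
    cmp(a.service, b.service) || cmp(a.clientId, b.clientId));
  return out.slice(0, MAX_ROWS);
}
// Constructed sample rows (not real data); two share a lastAuthorizedTosAt value.
const SAMPLE_ROWS: RawRow[] = [
  { scope: "scope-a", service: "sync", clientId: new Uint8Array([0x0a, 0xff]), firstAuthorizedTosAt: 1700000000000, lastAuthorizedTosAt: "1700000500000" },
  { scope: "scope-b", service: "relay", clientId: new Uint8Array([0x01, 0x02]), firstAuthorizedTosAt: 1700000100000, lastAuthorizedTosAt: 1700000500000 },
  { scope: "scope-c", service: "vpn", clientId: new Uint8Array([0xde, 0xad]), firstAuthorizedTosAt: "1700000200000", lastAuthorizedTosAt: 1700000900000 },
];
```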
