adminfront 개요 통계 추가

2026-05-06 16:14:52 +09:00
parent 6cdd0fd81e
commit 13dee9ae9b
24 changed files with 2082 additions and 297 deletions
--- a/backend/internal/handler/admin_handler.go
+++ b/backend/internal/handler/admin_handler.go
@@ -1,17 +1,29 @@
 package handler

 import (
+	"baron-sso-backend/internal/domain"
 	"baron-sso-backend/internal/repository"
 	"baron-sso-backend/internal/service"
+	"context"
 	"runtime"
+	"strconv"
+	"strings"
 	"time"

 	"github.com/gofiber/fiber/v2"
 )

+type adminHydraClientLister interface {
+	ListClients(ctx context.Context, limit, offset int) ([]domain.HydraClient, error)
+}
+
 type AdminHandler struct {
-	Keto       service.KetoService
-	KetoOutbox repository.KetoOutboxRepository
+	Keto           service.KetoService
+	KetoOutbox     repository.KetoOutboxRepository
+	RPUsageQueries domain.RPUsageQueryRepository
+	TenantRepo     repository.TenantRepository
+	Hydra          adminHydraClientLister
+	AuditRepo      domain.AuditRepository
 }

 func NewAdminHandler(keto service.KetoService, ketoOutbox repository.KetoOutboxRepository) *AdminHandler {
@@ -21,6 +33,76 @@ func NewAdminHandler(keto service.KetoService, ketoOutbox repository.KetoOutboxR
 	}
 }

+func (h *AdminHandler) GetRPUsageDaily(c *fiber.Ctx) error {
+	if h == nil || h.RPUsageQueries == nil {
+		return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{
+			"error": "rp usage query service unavailable",
+		})
+	}
+	days := 14
+	if raw := c.Query("days"); raw != "" {
+		if parsed, err := strconv.Atoi(raw); err == nil {
+			days = parsed
+		}
+	}
+	period := normalizeRPUsagePeriod(c.Query("period"))
+	tenantID, allowed := h.authorizedRPUsageTenantID(c, strings.TrimSpace(c.Query("tenantId")))
+	if !allowed {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{
+			"error": "forbidden: tenant rp usage stats permission denied",
+		})
+	}
+	items, err := h.RPUsageQueries.FindRPUsage(c.Context(), domain.RPUsageQuery{
+		Days:     days,
+		Period:   period,
+		TenantID: tenantID,
+	})
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{
+			"error": err.Error(),
+		})
+	}
+	return c.JSON(fiber.Map{
+		"items":    items,
+		"days":     days,
+		"period":   period,
+		"tenantId": tenantID,
+	})
+}
+
+func normalizeRPUsagePeriod(period string) string {
+	switch strings.ToLower(strings.TrimSpace(period)) {
+	case "week":
+		return "week"
+	case "month":
+		return "month"
+	default:
+		return "day"
+	}
+}
+
+func (h *AdminHandler) authorizedRPUsageTenantID(c *fiber.Ctx, requestedTenantID string) (string, bool) {
+	profile, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
+	if profile != nil && domain.NormalizeRole(profile.Role) == domain.RoleSuperAdmin {
+		return requestedTenantID, true
+	}
+	tenantID := requestedTenantID
+	if tenantID == "" && profile != nil && profile.TenantID != nil {
+		tenantID = strings.TrimSpace(*profile.TenantID)
+	}
+	if tenantID == "" {
+		return "", false
+	}
+	if h == nil || h.Keto == nil || profile == nil || strings.TrimSpace(profile.ID) == "" {
+		return "", false
+	}
+	allowed, err := h.Keto.CheckPermission(c.Context(), "User:"+profile.ID, "Tenant", tenantID, "view_rp_usage_stats")
+	if err != nil || !allowed {
+		return "", false
+	}
+	return tenantID, true
+}
+
 func (h *AdminHandler) CheckAuth(c *fiber.Ctx) error {
 	return c.Status(fiber.StatusOK).JSON(fiber.Map{"status": "ok"})
 }
@@ -29,10 +111,14 @@ func (h *AdminHandler) CheckAuth(c *fiber.Ctx) error {
 func (h *AdminHandler) GetSystemStats(c *fiber.Ctx) error {
 	var m runtime.MemStats
 	runtime.ReadMemStats(&m)
+	ctx := c.Context()

 	stats := fiber.Map{
-		"goroutines": runtime.NumGoroutine(),
-		"cpus":       runtime.NumCPU(),
+		"totalTenants":   h.countTenants(ctx),
+		"oidcClients":    h.countOIDCClients(ctx),
+		"auditEvents24h": h.countAuditEventsSince(ctx, time.Now().UTC().Add(-24*time.Hour)),
+		"goroutines":     runtime.NumGoroutine(),
+		"cpus":           runtime.NumCPU(),
 		"memory": fiber.Map{
 			"alloc":      m.Alloc,
 			"totalAlign": m.TotalAlloc,
@@ -44,3 +130,59 @@ func (h *AdminHandler) GetSystemStats(c *fiber.Ctx) error {

 	return c.Status(fiber.StatusOK).JSON(stats)
 }
+
+func (h *AdminHandler) countTenants(ctx context.Context) int64 {
+	if h == nil || h.TenantRepo == nil {
+		return 0
+	}
+	_, total, err := h.TenantRepo.List(ctx, 1, 0, "")
+	if err != nil {
+		return 0
+	}
+	return total
+}
+
+func (h *AdminHandler) countOIDCClients(ctx context.Context) int64 {
+	if h == nil || h.Hydra == nil {
+		return 0
+	}
+	const pageSize = 500
+	var total int64
+	for offset := 0; ; offset += pageSize {
+		clients, err := h.Hydra.ListClients(ctx, pageSize, offset)
+		if err != nil {
+			return total
+		}
+		for _, client := range clients {
+			if isHiddenSystemClient(client) {
+				continue
+			}
+			total++
+		}
+		if len(clients) < pageSize {
+			break
+		}
+	}
+	return total
+}
+
+func (h *AdminHandler) countAuditEventsSince(ctx context.Context, since time.Time) int64 {
+	if h == nil || h.AuditRepo == nil {
+		return 0
+	}
+	count, err := h.AuditRepo.CountEventsSince(ctx, since)
+	if err == nil && count > 0 {
+		return count
+	}
+	logs, pageErr := h.AuditRepo.FindPage(ctx, 10000, nil, "")
+	if pageErr != nil {
+		return count
+	}
+	var fallbackCount int64
+	for _, log := range logs {
+		if !log.Timestamp.Before(since) {
+			fallbackCount++
+		}
+	}
+	return fallbackCount
+}
--- a/backend/internal/handler/admin_handler_test.go
+++ b/backend/internal/handler/admin_handler_test.go
@@ -0,0 +1,156 @@
+package handler
+
+import (
+	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/service"
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/stretchr/testify/require"
+)
+
+type fakeRPUsageQueryRepo struct {
+	query domain.RPUsageQuery
+	items []domain.RPUsageDailyMetric
+}
+
+func (f *fakeRPUsageQueryRepo) FindRPUsage(ctx context.Context, query domain.RPUsageQuery) ([]domain.RPUsageDailyMetric, error) {
+	f.query = query
+	return f.items, nil
+}
+
+type fakeAdminKeto struct {
+	allowed  bool
+	subject  string
+	object   string
+	relation string
+}
+
+func (f *fakeAdminKeto) CheckPermission(ctx context.Context, subject, namespace, object, relation string) (bool, error) {
+	f.subject = subject
+	f.object = object
+	f.relation = relation
+	return f.allowed, nil
+}
+
+func (f *fakeAdminKeto) CreateRelation(ctx context.Context, namespace, object, relation, subject string) error {
+	return nil
+}
+
+func (f *fakeAdminKeto) DeleteRelation(ctx context.Context, namespace, object, relation, subject string) error {
+	return nil
+}
+
+func (f *fakeAdminKeto) ListRelations(ctx context.Context, namespace, object, relation, subject string) ([]service.RelationTuple, error) {
+	return nil, nil
+}
+
+func (f *fakeAdminKeto) ListObjects(ctx context.Context, namespace, relation, subject string) ([]string, error) {
+	return nil, nil
+}
+
+type fakeOverviewAuditRepo struct {
+	mockAuditRepo
+	since time.Time
+	count int64
+}
+
+func (f *fakeOverviewAuditRepo) CountEventsSince(ctx context.Context, since time.Time) (int64, error) {
+	f.since = since
+	return f.count, nil
+}
+
+func TestAdminHandler_GetRPUsageDaily(t *testing.T) {
+	repo := &fakeRPUsageQueryRepo{
+		items: []domain.RPUsageDailyMetric{
+			{
+				Date:           "2026-05-06",
+				TenantID:       "tenant-1",
+				TenantType:     domain.TenantTypeCompany,
+				ClientID:       "orgfront",
+				ClientName:     "OrgFront",
+				LoginRequests:  12,
+				OtherRequests:  4,
+				UniqueSubjects: 8,
+			},
+		},
+	}
+	h := &AdminHandler{RPUsageQueries: repo}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{Role: domain.RoleSuperAdmin})
+		return c.Next()
+	})
+	app.Get("/api/v1/admin/rp-usage/daily", h.GetRPUsageDaily)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/rp-usage/daily?days=7&period=week&tenantId=tenant-1", nil)
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+	require.Equal(t, 7, repo.query.Days)
+	require.Equal(t, "week", repo.query.Period)
+	require.Equal(t, "tenant-1", repo.query.TenantID)
+
+	var body struct {
+		Items    []domain.RPUsageDailyMetric `json:"items"`
+		Days     int                         `json:"days"`
+		Period   string                      `json:"period"`
+		TenantID string                      `json:"tenantId"`
+	}
+	require.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
+	require.Equal(t, 7, body.Days)
+	require.Equal(t, "week", body.Period)
+	require.Equal(t, "tenant-1", body.TenantID)
+	require.Len(t, body.Items, 1)
+	require.Equal(t, "orgfront", body.Items[0].ClientID)
+	require.Equal(t, uint64(12), body.Items[0].LoginRequests)
+}
+
+func TestAdminHandler_GetRPUsageDailyChecksTenantPermission(t *testing.T) {
+	repo := &fakeRPUsageQueryRepo{}
+	keto := &fakeAdminKeto{allowed: true}
+	h := &AdminHandler{RPUsageQueries: repo, Keto: keto}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			ID:   "user-1",
+			Role: domain.RoleTenantAdmin,
+		})
+		return c.Next()
+	})
+	app.Get("/api/v1/admin/rp-usage/daily", h.GetRPUsageDaily)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/rp-usage/daily?tenantId=tenant-allowed", nil)
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+	require.Equal(t, "User:user-1", keto.subject)
+	require.Equal(t, "tenant-allowed", keto.object)
+	require.Equal(t, "view_rp_usage_stats", keto.relation)
+	require.Equal(t, "tenant-allowed", repo.query.TenantID)
+}
+
+func TestAdminHandler_GetSystemStatsIncludesOverviewMetrics(t *testing.T) {
+	auditRepo := &fakeOverviewAuditRepo{count: 22}
+	h := &AdminHandler{AuditRepo: auditRepo}
+	app := fiber.New()
+	app.Get("/api/v1/admin/stats", h.GetSystemStats)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/stats", nil)
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body map[string]any
+	require.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
+	require.Contains(t, body, "totalTenants")
+	require.Contains(t, body, "oidcClients")
+	require.Contains(t, body, "auditEvents24h")
+	require.Equal(t, float64(22), body["auditEvents24h"])
+	require.Equal(t, time.UTC, auditRepo.since.Location())
+}
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -29,6 +29,7 @@ import (
 	"github.com/go-jose/go-jose/v4"
 	josejwt "github.com/go-jose/go-jose/v4/jwt"
 	"github.com/gofiber/fiber/v2"
+	"github.com/lib/pq"
 )

 const (
@@ -101,6 +102,7 @@ type AuthHandler struct {
 	UserRepo           repository.UserRepository
 	ConsentRepo        repository.ClientConsentRepository
 	RPUserMetadataRepo repository.RPUserMetadataRepository
+	RPUsageSink        domain.RPUsageEventSink
 }

 type signupState struct {
@@ -245,6 +247,92 @@ func NewAuthHandler(redisService domain.RedisRepository, idpProvider domain.Iden
 	}
 }

+func (h *AuthHandler) emitRPUsageAuthorizationGranted(c *fiber.Ctx, consentRequest *domain.HydraConsentRequest, profile *domain.UserProfileResponse, sessionID string, autoAccepted bool, correlationID string) error {
+	if consentRequest == nil {
+		return nil
+	}
+	return h.emitRPUsageEvent(c, domain.RPUsageEventTypeAuthorizationGranted, consentRequest.Subject, consentRequest.Client, consentRequest.RequestedScope, profile, sessionID, "hydra_consent", correlationID, domain.JSONMap{
+		"auto_accepted": autoAccepted,
+		"scopes":        consentRequest.RequestedScope,
+	})
+}
+
+func (h *AuthHandler) emitRPUsageAuthorizationRevoked(c *fiber.Ctx, subject string, clientID string, profile *domain.UserProfileResponse, sessionID string) error {
+	return h.emitRPUsageEvent(c, domain.RPUsageEventTypeAuthorizationRevoked, subject, domain.HydraClient{ClientID: clientID}, nil, profile, sessionID, "hydra_consent", clientID, domain.JSONMap{})
+}
+
+func (h *AuthHandler) emitRPUsageEvent(c *fiber.Ctx, eventType string, subject string, client domain.HydraClient, scopes []string, profile *domain.UserProfileResponse, sessionID string, source string, correlationID string, payload domain.JSONMap) error {
+	if h.RPUsageSink == nil {
+		return nil
+	}
+	clientID := strings.TrimSpace(client.ClientID)
+	if clientID == "" || strings.TrimSpace(subject) == "" {
+		return nil
+	}
+	tenantID, tenantType := rpUsageTenantFromProfile(profile)
+	event := domain.RPUsageEvent{
+		EventType:     eventType,
+		Subject:       strings.TrimSpace(subject),
+		TenantID:      tenantID,
+		TenantType:    tenantType,
+		ClientID:      clientID,
+		ClientName:    strings.TrimSpace(client.ClientName),
+		SessionID:     strings.TrimSpace(sessionID),
+		Scopes:        pq.StringArray(scopes),
+		Source:        source,
+		CorrelationID: strings.TrimSpace(correlationID),
+		Payload:       payload,
+		OccurredAt:    time.Now(),
+	}
+	if event.Payload == nil {
+		event.Payload = domain.JSONMap{}
+	}
+	if event.ClientName != "" {
+		event.Payload["client_name"] = event.ClientName
+	}
+	if tenantID != "" {
+		event.Payload["tenant_id"] = tenantID
+	}
+	if tenantType != "" {
+		event.Payload["tenant_type"] = tenantType
+	}
+	if c != nil {
+		event.Payload["ip_address"] = c.IP()
+		event.Payload["user_agent"] = string(c.Request().Header.UserAgent())
+	}
+	ctx := context.Background()
+	if c != nil && c.UserContext() != nil {
+		ctx = c.UserContext()
+	}
+	return h.RPUsageSink.EmitRPUsageEvent(ctx, event)
+}
+
+func rpUsageTenantFromProfile(profile *domain.UserProfileResponse) (string, string) {
+	if profile == nil {
+		return "", ""
+	}
+	tenantID := ""
+	if profile.SessionTenantID != nil {
+		tenantID = strings.TrimSpace(*profile.SessionTenantID)
+	}
+	if tenantID == "" && profile.TenantID != nil {
+		tenantID = strings.TrimSpace(*profile.TenantID)
+	}
+	tenantType := ""
+	if profile.Tenant != nil {
+		switch strings.ToUpper(strings.TrimSpace(profile.Tenant.Type)) {
+		case domain.TenantTypeCompany, domain.TenantTypeOrganization:
+			tenantType = strings.ToUpper(strings.TrimSpace(profile.Tenant.Type))
+			if tenantID == "" {
+				tenantID = strings.TrimSpace(profile.Tenant.ID)
+			}
+		case domain.TenantTypeUserGroup, domain.TenantTypePersonal:
+			return "", ""
+		}
+	}
+	return tenantID, tenantType
+}
+
 // --- Signup Flow Handlers ---

 // CheckEmail - 이메일 사용 가능 여부를 확인합니다.
@@ -5323,6 +5411,12 @@ func (h *AuthHandler) RevokeLinkedRp(c *fiber.Ctx) error {
 	if err != nil || subject == "" {
 		return fiber.NewError(fiber.StatusUnauthorized, "Authentication required")
 	}
+	profile, profileErr := h.resolveCurrentProfile(c)
+	if (profileErr != nil || profile == nil) && subject != "" {
+		if fallbackProfile, fallbackErr := h.resolveProfileForSubject(c.Context(), subject); fallbackErr == nil {
+			profile = fallbackProfile
+		}
+	}

 	slog.Info("RevokeLinkedRp called", "subject", subject, "client_id", clientID)

@@ -5354,6 +5448,11 @@ func (h *AuthHandler) RevokeLinkedRp(c *fiber.Ctx) error {
 		})
 	}

+	if err := h.emitRPUsageAuthorizationRevoked(c, subject, clientID, profile, h.resolveCurrentSessionID(c)); err != nil {
+		slog.Error("failed to emit rp usage event for revoked consent", "error", err, "client_id", clientID, "subject", subject)
+		return fiber.NewError(fiber.StatusInternalServerError, "Failed to record RP usage event")
+	}
+
 	h.triggerBackchannelLogoutForClient(c.Context(), c, subject, clientID, "")

 	return c.Status(fiber.StatusOK).JSON(fiber.Map{
@@ -5434,6 +5533,10 @@ func (h *AuthHandler) GetConsentRequest(c *fiber.Ctx) error {
 					sessionClaims = h.withRPProfileClaims(c.Context(), sessionClaims, consentRequest.Client, consentRequest.Subject)
 					acceptResp, err := h.Hydra.AcceptConsentRequest(c.Context(), challenge, consentRequest, sessionClaims)
 					if err == nil {
+						if err := h.emitRPUsageAuthorizationGranted(c, consentRequest, profile, currentSessionID, true, challenge); err != nil {
+							slog.Error("failed to emit rp usage event for local consent auto-accept", "error", err, "client_id", consentRequest.Client.ClientID, "subject", consentRequest.Subject)
+							return fiber.NewError(fiber.StatusInternalServerError, "Failed to record RP usage event")
+						}
 						return c.JSON(acceptResp)
 					}
 					slog.Error("failed to force auto-accept based on local DB", "error", err)
@@ -5516,6 +5619,11 @@ func (h *AuthHandler) GetConsentRequest(c *fiber.Ctx) error {
 					})
 				}

+				if err := h.emitRPUsageAuthorizationGranted(c, consentRequest, profile, currentSessionID, true, challenge); err != nil {
+					slog.Error("failed to emit rp usage event for skip consent", "error", err, "client_id", consentRequest.Client.ClientID, "subject", consentRequest.Subject)
+					return fiber.NewError(fiber.StatusInternalServerError, "Failed to record RP usage event")
+				}
+
 				slog.Info("Consent skipped and auto-accepted", "subject", consentRequest.Subject, "client", consentRequest.Client.ClientID, "session_id", currentSessionID)
 				return c.JSON(acceptResp)
 			}
@@ -5705,6 +5813,11 @@ func (h *AuthHandler) AcceptConsentRequest(c *fiber.Ctx) error {
 		})
 	}

+	if err := h.emitRPUsageAuthorizationGranted(c, consentRequest, profile, currentSessionID, false, req.ConsentChallenge); err != nil {
+		slog.Error("failed to emit rp usage event for accepted consent", "error", err, "client_id", consentRequest.Client.ClientID, "subject", consentRequest.Subject)
+		return fiber.NewError(fiber.StatusInternalServerError, "Failed to record RP usage event")
+	}
+
 	return c.JSON(acceptResp)
 }

--- a/backend/internal/handler/auth_handler_client_test.go
+++ b/backend/internal/handler/auth_handler_client_test.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"baron-sso-backend/internal/domain"
 	"baron-sso-backend/internal/service"
+	"baron-sso-backend/internal/utils"
 	"encoding/json"
 	"io"
 	"net/http"
@@ -38,12 +39,14 @@ func TestRevokeLinkedRp_Success(t *testing.T) {
 	defer func() { http.DefaultClient = origDefault }()

 	auditRepo := &mockAuditRepo{}
+	rpUsageSink := &mockRPUsageEventSink{}
 	h := &AuthHandler{
 		Hydra: &service.HydraAdminService{
 			AdminURL:   "http://hydra.test",
 			HTTPClient: client,
 		},
-		AuditRepo: auditRepo,
+		AuditRepo:   auditRepo,
+		RPUsageSink: rpUsageSink,
 	}
 	app := fiber.New()
 	app.Delete("/api/v1/user/rp/linked/:id", h.RevokeLinkedRp)
@@ -54,6 +57,16 @@ func TestRevokeLinkedRp_Success(t *testing.T) {
 	resp, _ := app.Test(req, -1)
 	assert.Equal(t, http.StatusOK, resp.StatusCode)
 	assert.Equal(t, 1, len(auditRepo.logs))
+	assert.Equal(t, "consent.revoked", auditRepo.logs[0].EventType)
+	assert.Equal(t, "user-123", auditRepo.logs[0].UserID)
+	assert.Equal(t, "success", auditRepo.logs[0].Status)
+	auditDetails, err := utils.ParseAuditDetails(auditRepo.logs[0].Details)
+	assert.NoError(t, err)
+	assert.Equal(t, "app-1", auditDetails["client_id"])
+	assert.Equal(t, 1, len(rpUsageSink.events))
+	assert.Equal(t, domain.RPUsageEventTypeAuthorizationRevoked, rpUsageSink.events[0].EventType)
+	assert.Equal(t, "user-123", rpUsageSink.events[0].Subject)
+	assert.Equal(t, "app-1", rpUsageSink.events[0].ClientID)
 }

 func TestRevokeLinkedRp_SendsBackchannelLogoutTokenWhenConfigured(t *testing.T) {
--- a/backend/internal/handler/auth_handler_consent_test.go
+++ b/backend/internal/handler/auth_handler_consent_test.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"baron-sso-backend/internal/domain"
 	"baron-sso-backend/internal/service"
+	"baron-sso-backend/internal/utils"
 	"bytes"
 	"context"
 	"encoding/json"
@@ -305,6 +306,7 @@ func TestGetConsentRequest_Skip_AutoAccept(t *testing.T) {
 	defer func() { http.DefaultClient = origDefault }()

 	consentRepo := &mockConsentRepo{}
+	rpUsageSink := &mockRPUsageEventSink{}
 	mockKratosAdmin := &MockKratosAdminServiceForConsent{}

 	h := &AuthHandler{
@@ -314,6 +316,7 @@ func TestGetConsentRequest_Skip_AutoAccept(t *testing.T) {
 		},
 		KratosAdmin: mockKratosAdmin,
 		ConsentRepo: consentRepo,
+		RPUsageSink: rpUsageSink,
 	}
 	mockKratosAdmin.On("GetIdentity", mock.Anything, "user-123").Return(&service.KratosIdentity{
 		ID: "user-123",
@@ -332,6 +335,11 @@ func TestGetConsentRequest_Skip_AutoAccept(t *testing.T) {
 	var body map[string]interface{}
 	json.NewDecoder(resp.Body).Decode(&body)
 	assert.Equal(t, "http://rp/cb", body["redirectTo"])
+	assert.Equal(t, 1, len(rpUsageSink.events))
+	assert.Equal(t, domain.RPUsageEventTypeAuthorizationGranted, rpUsageSink.events[0].EventType)
+	assert.Equal(t, "client-app", rpUsageSink.events[0].ClientID)
+	assert.Equal(t, "challenge-skip", rpUsageSink.events[0].CorrelationID)
+	assert.Equal(t, true, rpUsageSink.events[0].Payload["auto_accepted"])
 }

 func TestAcceptConsentRequest_Normal(t *testing.T) {
@@ -370,6 +378,7 @@ func TestAcceptConsentRequest_Normal(t *testing.T) {

 	auditRepo := &mockAuditRepo{}
 	consentRepo := &mockConsentRepo{}
+	rpUsageSink := &mockRPUsageEventSink{}
 	mockKratosAdmin := &MockKratosAdminServiceForConsent{}

 	h := &AuthHandler{
@@ -380,6 +389,7 @@ func TestAcceptConsentRequest_Normal(t *testing.T) {
 		KratosAdmin: mockKratosAdmin,
 		AuditRepo:   auditRepo,
 		ConsentRepo: consentRepo,
+		RPUsageSink: rpUsageSink,
 	}
 	mockKratosAdmin.On("GetIdentity", mock.Anything, "user-123").Return(&service.KratosIdentity{
 		ID: "user-123",
@@ -402,6 +412,21 @@ func TestAcceptConsentRequest_Normal(t *testing.T) {
 	assert.Equal(t, http.StatusOK, resp.StatusCode)

 	assert.Equal(t, 1, len(auditRepo.logs))
+	assert.Equal(t, "consent.granted", auditRepo.logs[0].EventType)
+	assert.Equal(t, "user-123", auditRepo.logs[0].UserID)
+	assert.Equal(t, "success", auditRepo.logs[0].Status)
+	auditDetails, err := utils.ParseAuditDetails(auditRepo.logs[0].Details)
+	assert.NoError(t, err)
+	assert.Equal(t, "client-app", auditDetails["client_id"])
+	assert.Equal(t, "Test App", auditDetails["client_name"])
+	assert.Equal(t, []interface{}{"openid"}, auditDetails["scopes"])
+	assert.Equal(t, 1, len(rpUsageSink.events))
+	assert.Equal(t, domain.RPUsageEventTypeAuthorizationGranted, rpUsageSink.events[0].EventType)
+	assert.Equal(t, "user-123", rpUsageSink.events[0].Subject)
+	assert.Equal(t, "client-app", rpUsageSink.events[0].ClientID)
+	assert.Equal(t, "Test App", rpUsageSink.events[0].ClientName)
+	assert.Equal(t, []string{"openid"}, []string(rpUsageSink.events[0].Scopes))
+	assert.Equal(t, "hydra_consent", rpUsageSink.events[0].Source)
 }

 func TestAcceptConsentRequest_EnforcesMandatoryTenantScope(t *testing.T) {
--- a/backend/internal/handler/common_test.go
+++ b/backend/internal/handler/common_test.go
@@ -109,12 +109,29 @@ func (m *mockAuditRepo) CountFailuresSince(ctx context.Context, since time.Time,
 	return 0, nil
 }

+func (m *mockAuditRepo) CountEventsSince(ctx context.Context, since time.Time) (int64, error) {
+	return 0, nil
+}
+
 func (m *mockAuditRepo) CountActiveSessionsSince(ctx context.Context, since time.Time, tenantID string) (int64, error) {
 	return 0, nil
 }

 func (m *mockAuditRepo) Ping(ctx context.Context) error { return nil }

+type mockRPUsageEventSink struct {
+	events []domain.RPUsageEvent
+	err    error
+}
+
+func (m *mockRPUsageEventSink) EmitRPUsageEvent(ctx context.Context, event domain.RPUsageEvent) error {
+	if m.err != nil {
+		return m.err
+	}
+	m.events = append(m.events, event)
+	return nil
+}
+
 type mockOathkeeperRepo struct {
 	logs []domain.OathkeeperAccessLog
 }