There is a requirement to ensure that authentication actions are logged and stored for auditing/security purposes. The following events will be tracked: Successful Authentication, Session Termination (Logout), and Account Lockout. Single unsuccessful authentication attempts will not be tracked, because an attacker could quickly overwhelm the database by flooding the application with failed logins, which in turn would degrade performance application-wide.
Log information:

| Field Name | Type     | Description                                            |
|------------|----------|--------------------------------------------------------|
| id         | integer  | Auto Generated Field                                   |
| userID     | string   | A relational field to a FormUser based on FormUser ID  |
| action     | string   | Action being recorded (Login, Locked, Lockout)         |
| timestamp  | datetime | Auto Generated Field                                   |
The logs will be stored in a new database table ‘AccessLog’ created with the following Prisma Model:
Login and Logout events can be triggered asynchronously by leveraging the ‘signIn’ and ‘signOut’ Next Auth Events. These events hook into the existing Next Auth process flow and provide non-blocking logic to write the logs. The ‘user’ object is available in these events, so the log entries can be created with the proper FormUser ID.
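The following is an added example, not code from this issue or the project, showing how the ‘signIn’/‘signOut’ event handlers and a lockout hook could write rows to an ‘AccessLog’ table. The Prisma model in the leading comment, the `FormUser` id shape, the `buildAuthEvents`/`recordLockout` helper names, and the in-memory stand-in for `PrismaClient` are all assumptions made here so the code runs offline; in the application the same handlers would receive the real Prisma client.

```typescript
// Added example (not the project's code). Assumed Prisma model behind the
// AccessLogClient interface below; FormUser is assumed to have `id String`:
//
//   model AccessLog {
//     id        Int      @id @default(autoincrement())
//     userId    String
//     user      FormUser @relation(fields: [userId], references: [id])
//     action    String
//     timestamp DateTime @default(now())
//   }

export type AccessAction = "Login" | "Logout" | "Lockout";

export interface AccessLogRow {
  id: number;
  userId: string;
  action: AccessAction;
  timestamp: Date;
}

// Minimal subset of the generated Prisma client surface the handlers need.
export interface AccessLogClient {
  accessLog: {
    create(args: { data: { userId: string; action: AccessAction } }): Promise<AccessLogRow>;
    findMany(args: { where: { userId: string } }): Promise<AccessLogRow[]>;
  };
}

// In-memory stand-in for PrismaClient so the example runs without a database.
export function createMemoryClient(): AccessLogClient {
  const rows: AccessLogRow[] = [];
  return {
    accessLog: {
      async create({ data }) {
        const row: AccessLogRow = { id: rows.length + 1, ...data, timestamp: new Date() };
        rows.push(row);
        return row;
      },
      async findMany({ where }) {
        // Mirrors "query the Access Log through the relation on a FormUser ID".
        return rows.filter((r) => r.userId === where.userId);
      },
    },
  };
}

// Shared writer: a failed audit write is reported but never thrown back into
// the NextAuth flow, so logging stays non-blocking for the user.
async function record(db: AccessLogClient, userId: string | undefined, action: AccessAction) {
  if (!userId) return; // no FormUser to relate the row to
  try {
    await db.accessLog.create({ data: { userId, action } });
  } catch (err) {
    console.error(`AccessLog write failed for action ${action}`, err);
  }
}

// Handlers shaped like the NextAuth `events` option (assumed usage in the
// auth route: NextAuth({ ..., events: buildAuthEvents(prisma) })).
export function buildAuthEvents(db: AccessLogClient) {
  return {
    // NextAuth passes { user, account, profile, isNewUser }; only user.id is needed.
    async signIn(message: { user: { id: string } }) {
      await record(db, message.user.id, "Login");
    },
    // NextAuth passes { token } under the jwt strategy or { session } under the
    // database strategy; the FormUser id is taken from whichever is present.
    async signOut(message: { token?: { sub?: string }; session?: { userId?: string } }) {
      await record(db, message.token?.sub ?? message.session?.userId, "Logout");
    },
  };
}

// Lockout is not a NextAuth event; this is assumed to be called from wherever
// the application decides to lock an account.
export async function recordLockout(db: AccessLogClient, userId: string) {
  await record(db, userId, "Lockout");
}

// Constructed walk-through: one login, one logout, one lockout for the same user.
export async function demo(): Promise<AccessLogRow[]> {
  const db = createMemoryClient();
  const events = buildAuthEvents(db);
  await events.signIn({ user: { id: "formuser-1" } });
  await events.signOut({ token: { sub: "formuser-1" } });
  await recordLockout(db, "formuser-1");
  return db.accessLog.findMany({ where: { userId: "formuser-1" } });
}
```

Failed sign-ins deliberately have no handler, matching the decision above not to persist single unsuccessful attempts; the `record` helper swallows write errors so a database problem cannot turn into a login outage.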
Acceptance Criteria
[ ] The Access Log can be queried through the relation on a FormUser ID.
[ ] Next Auth Login and Logout Events properly create access log entries