Website: add support for new usage statistics

[eashaw]

Closes: #42049

Changes:

• Added four attributes to the HistoricalUsageSnapshot model: oktaConditionalAccessConfigured, conditionalAccessEnabled, conditionalAccessBypassDisabled, and entraConditionalAccessConfigured
• Added the new usage statistics as inputs to the receive-usage-analytics webhook

Note: Before this PR can be merged, the website's database needs to be migrated to add the new columns.

Summary by CodeRabbit

• New Features
  • Added tracking for conditional access configuration states across Okta and Entra platforms, including bypass and enablement status.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[Copilot]

Pull request overview

Adds new Windows conditional access–related usage metrics to the fleetdm.com website’s usage analytics ingestion path, so incoming statistics from Fleet can be persisted for later reporting/analysis.

Changes:

• Extended the HistoricalUsageSnapshot model with four new boolean attributes for conditional access metrics.
• Updated the receive-usage-analytics webhook controller to accept (and default) the new metrics in the inbound payload.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
website/api/models/HistoricalUsageSnapshot.js	Adds four required boolean columns to persist the new usage statistics.
website/api/controllers/webhooks/receive-usage-analytics.js	Accepts the new metrics as webhook inputs with false defaults and stores them with the snapshot.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Walkthrough

The changes add four new boolean fields related to conditional access configuration to the usage analytics tracking system. These fields (oktaConditionalAccessConfigured, entraConditionalAccessConfigured, conditionalAccessBypassDisabled, and conditionalAccessEnabled) are added to the webhook controller's input schema with default values of false, and corresponding attributes are added to the HistoricalUsageSnapshot model as required boolean fields. This enables the persistence and tracking of conditional access configuration metrics in historical usage snapshots.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Website: add support for new usage statistics' accurately and concisely describes the main change of adding four conditional access-related attributes to the HistoricalUsageSnapshot model and webhook inputs.
Description check	✅ Passed	The description adequately explains the changes, references the related issue #42049, lists all four new attributes, and notes the requirement for database migration.
Linked Issues check	✅ Passed	The PR successfully implements the required metrics for Windows conditional access by adding the four new boolean attributes to HistoricalUsageSnapshot model and receive-usage-analytics webhook inputs as specified in issue #42049.
Out of Scope Changes check	✅ Passed	All changes are within scope: only the four specified conditional access attributes were added to the model and webhook controller inputs, with no unrelated modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch website-update-historical-usage-snapshot-model

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@website/api/models/HistoricalUsageSnapshot.js`:
- Around line 54-57: The HistoricalUsageSnapshot model now requires four new
boolean attributes (oktaConditionalAccessConfigured,
entraConditionalAccessConfigured, conditionalAccessBypassDisabled,
conditionalAccessEnabled); add a DB migration that alters the
historical_usage_snapshot table to add these four columns with appropriate NOT
NULL boolean types and sensible default values (so existing rows are backfilled)
before merging; ensure the migration file name references the change, the schema
matches the Sails model attribute names, and run/test the migration against a
staging DB to confirm HistoricalUsageSnapshot.create(...) will succeed in
production with migrate: 'safe'.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5fbf3ede-cbb7-4d7c-ba01-8d98bea128ee

📥 Commits

Reviewing files that changed from the base of the PR and between e1f93cb and 09c8f55.

📒 Files selected for processing (2)

• website/api/controllers/webhooks/receive-usage-analytics.js
• website/api/models/HistoricalUsageSnapshot.js

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Locate migration/schema files =="
fd -i 'migrat|schema|sql'

echo
echo "== Find references to new fields outside model/controller =="
rg -n --no-heading 'oktaConditionalAccessConfigured|entraConditionalAccessConfigured|conditionalAccessBypassDisabled|conditionalAccessEnabled' \
  -g '!website/api/models/HistoricalUsageSnapshot.js' \
  -g '!website/api/controllers/webhooks/receive-usage-analytics.js'

echo
echo "== Check migration/schema files for the 4 new columns =="
rg -n --no-heading 'oktaConditionalAccessConfigured|entraConditionalAccessConfigured|conditionalAccessBypassDisabled|conditionalAccessEnabled' \
  --iglob '*migrat*' --iglob '*schema*' --iglob '*.sql'

Repository: fleetdm/fleet

Length of output: 14874

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check schema.sql for historical_usage_snapshot table =="
rg -A 30 'CREATE TABLE.*historical_usage_snapshot' server/datastore/mysql/schema.sql

echo
echo "== List recent migration files (last 10) =="
ls -t server/datastore/mysql/migrations/tables/*.go | head -10

echo
echo "== Check the most recent migration file for these fields =="
LATEST_MIGRATION=$(ls -t server/datastore/mysql/migrations/tables/*.go | grep -v test | head -1)
echo "Latest migration: $LATEST_MIGRATION"
echo "Content preview:"
head -50 "$LATEST_MIGRATION"

echo
echo "== Search for any migration mentioning conditional access =="
rg -l 'conditional' server/datastore/mysql/migrations/tables/

Repository: fleetdm/fleet

Length of output: 115

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check website directory structure for migrations/database files =="
find website -type f -name '*migrat*' -o -name '*schema*' -o -name '*.sql' 2>/dev/null | head -20

echo
echo "== Read the actual HistoricalUsageSnapshot.js file =="
cat -n website/api/models/HistoricalUsageSnapshot.js

echo
echo "== Read the webhook controller file =="
cat -n website/api/controllers/webhooks/receive-usage-analytics.js

Repository: fleetdm/fleet

Length of output: 10338

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check for Sails.js migrations directory in website =="
find website -type d -name migrations 2>/dev/null

echo
echo "== Check for Sails.js config files =="
find website/config -type f 2>/dev/null | head -20

echo
echo "== Search for auto-migrate or migrate config =="
rg -l 'migrate|autoMigrations' website/config/ 2>/dev/null || echo "Not found in config"

echo
echo "== Check if there's a .sailsrc or other Sails config =="
find website -maxdepth 2 -type f \( -name '.sailsrc*' -o -name 'app.js' -o -name 'package.json' \) 2>/dev/null

echo
echo "== Check website package.json for version and config =="
cat website/package.json | grep -A 5 -E '"sails"|"version"' | head -20

Repository: fleetdm/fleet

Length of output: 1422

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check Sails.js models config for migration strategy =="
cat -n website/config/models.js

echo
echo "== Check Sails.js datastores config =="
cat -n website/config/datastores.js

echo
echo "== Check .sailsrc config =="
cat website/.sailsrc

Repository: fleetdm/fleet

Length of output: 11393

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check production environment config =="
cat -n website/config/env/production.js | head -100

echo
echo "== Look for any migration tooling or scripts =="
find website -type f -name '*migrat*' 2>/dev/null

echo
echo "== Check if there are any SQL or schema backup files =="
find website -type f \( -name '*.sql' -o -name '*schema*' \) 2>/dev/null

Repository: fleetdm/fleet

Length of output: 7395

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check bootstrap.js for any schema setup =="
cat -n website/config/bootstrap.js

echo
echo "== Search for any recent changes to migration/schema files =="
git log --oneline --all -- '*migrat*' '*schema*' | head -20

echo
echo "== Look for any database dump or seed files =="
find website -type f -name '*.sql' -o -name '*seed*' -o -name '*dump*' 2>/dev/null

Repository: fleetdm/fleet

Length of output: 7513

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check the commit that added new usage statistics =="
git show 09c8f558 --stat

echo
echo "== Get full diff for that commit =="
git show 09c8f558 --name-status

Repository: fleetdm/fleet

Length of output: 50371

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check which files were added/modified in commit 09c8f558 =="
git show 09c8f558 --name-only | grep -E '(migrat|schema|\.sql|HistoricalUsageSnapshot)' | head -30

Repository: fleetdm/fleet

Length of output: 1645

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Get specific files changed in the commit (more targeted) =="
git diff-tree --no-commit-id --name-only -r 09c8f558 | grep -E 'website.*' | head -20

echo
echo "== Check if there's a migration file for these fields =="
git diff 09c8f558~1..09c8f558 -- website/ | grep -A 5 -B 5 'oktaConditionalAccess\|entraConditionalAccess\|conditionalAccessBypass' | head -50

Repository: fleetdm/fleet

Length of output: 119

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== List files in the website/api directory =="
git show 09c8f558:website/api/models/HistoricalUsageSnapshot.js 2>/dev/null | head -60 || echo "File may not exist in that commit"

echo
echo "== Check the actual diff for HistoricalUsageSnapshot =="
git log --all --oneline -- website/api/models/HistoricalUsageSnapshot.js | head -5

echo
echo "== Show recent changes to HistoricalUsageSnapshot =="
git log -p --all -- website/api/models/HistoricalUsageSnapshot.js | grep -A 30 -B 5 'oktaConditionalAccess\|entraConditionalAccess' | head -80

Repository: fleetdm/fleet

Length of output: 4042

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check if website has a db/ directory with migrations =="
find website -type d -name 'db' -o -type d -name 'database' -o -type d -name 'migrations' 2>/dev/null

echo
echo "== Look for any SQL setup files in website =="
find website -name '*.sql' 2>/dev/null

echo
echo "== Check Sails.js bootstrap or database initialization =="
grep -r 'HistoricalUsageSnapshot' website/config/ 2>/dev/null || echo "No bootstrap config found for model"

echo
echo "== Check if migration/initialization happens in database setup =="
ls -la website/config/env/ | grep -E 'production|development'

echo
echo "== Look for any database-related hooks =="
find website -type f -name '*hook*' 2>/dev/null | head -10

Repository: fleetdm/fleet

Length of output: 1430

---

Ensure the database migration exists for these four required columns before merge.

Lines 54–57 add four required model attributes. In production, Sails.js runs with migrate: 'safe' (see website/config/env/production.js line 93), which disables auto-migrations to prevent accidental data loss. If the historical_usage_snapshot table lacks these columns when the analytics webhook calls HistoricalUsageSnapshot.create(...), the database INSERT will fail at runtime.

Verify that a database migration adds all four columns (oktaConditionalAccessConfigured, entraConditionalAccessConfigured, conditionalAccessBypassDisabled, conditionalAccessEnabled) with appropriate defaults for existing rows before deployment.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@website/api/models/HistoricalUsageSnapshot.js` around lines 54 - 57, The
HistoricalUsageSnapshot model now requires four new boolean attributes
(oktaConditionalAccessConfigured, entraConditionalAccessConfigured,
conditionalAccessBypassDisabled, conditionalAccessEnabled); add a DB migration
that alters the historical_usage_snapshot table to add these four columns with
appropriate NOT NULL boolean types and sensible default values (so existing rows
are backfilled) before merging; ensure the migration file name references the
change, the schema matches the Sails model attribute names, and run/test the
migration against a staging DB to confirm HistoricalUsageSnapshot.create(...)
will succeed in production with migrate: 'safe'.