UserSessions - signals for changed IP and ua

[bgervan]

Are you open for PRs related to this?
The use case is: send security emails to users about changed user agent / IP for the same sessions.

Additionally, a history of the IPs could be stored in a separate field, for the same security concern, but this would be a second PR, as the first one is more important.

[pennersr]

Wondering, users seamlessly hop from wired, to wireless, to hotspot, back and forth again. As this can impact their IP, I would suspect you would be running into a lot of false positives if you decide to send security emails for this.

In any case, far as allauth is concerned:

• A session IP changed signal could be added to the UserSessionManager.create_from_request().
• I am not sure if actually sending an email is something allauth should be doing by default. If anything, only if ACCOUNT_EMAIL_NOTIFICATIONS is turned on. But I would hold off adding this for now.
• A history of IPs -- the UserSession model already has a data JSON field Assuming allauth would feature the above signals, couldn't you store the history there? You would also have the opportunity to include additional information, such as the date/time -- you cannot do that if you introduce a new field.

All in all, if we can keep it limited to only the signals part for allauth, then I think there rest can all be done inside your own project?

[bgervan]

Yes, I meant the signals only just wanted to give some background for the use case. Indeed the IP can be too much, but the ua is not something should change that much.

Btw, if we have ip locations, we can notify the users on IP change if the new IP is another country etc to filter false positives. (This is also scope for the app)

A session IP changed signal could be added to the UserSessionManager.create_from_request().

Yes, I wanted to put it there.

I am not sure if actually sending an email is something allauth should be doing by default. If anything, only if ACCOUNT_EMAIL_NOTIFICATIONS is turned on. But I would hold off adding this for now.

I agree, email sending for such warning are subject to the app

A history of IPs -- the UserSession model already has a data JSON field Assuming allauth would feature the above signals, couldn't you store the history there? You would also have the opportunity to include additional information, such as the date/time -- you cannot do that if you introduce a new field.

Yes, I can utilize that prop, I didn't check if that is used yet for anything.

So:
I can add signal triggers to create_from_request, by storing IP and ua history into data. I would also create a max history setting to avoid overgrowing field data.
I can add a settings to disable this history saving/checking as a whole, if you think thats useful.

I will come the first draft of the PR next week. Thanks.

[bgervan]

Here is the first draft: #4083