Suggestion: Activity log and session management extension
Based on https://github.com/danschultzer/pow/issues/30#issuecomment-422832256.
An extension that persistently stores login history with additional information (like user agent and IP), and allows users to view and disable their current active sessions. Maybe this could be worked in with Telemetry.
I really like the Telemetry idea, I think it's a great solution to replace the controller callbacks... Maybe first step would be to convert callbacks to events and then create this extension?
Controller callbacks are different, since they interject the request and may change the results. I've been working on making them more pluggable in #82. Having it work very similar to plug is the cleanest way I can think of handling controller callbacks.
For log recording, telemetry is perfect. We should add events for all the user actions in Pow, and have an extension to catch those telemetry events and record an activity log.
Controller callbacks are different, since they interject the request and may change the results.
Ah yes of course 😄
So I released the extension as a separate package so it might give some answer to anyone needing a simple solution until a more robust one is available: https://github.com/humancopy/pow_last_login
Great!
I just pushed an experimental branch telemetry that executes a telemetry event on Plug.Session.create/3 calls. It can be used to catch and update db/cache with additional session info.
The docs describe how it works: https://github.com/danschultzer/pow/blob/4d6e4efba108872d5466b90d01a645c15c0bcd82/lib/pow.ex#L22-L42
This will work well for the activity log since the event metadata includes :user, :conn and session key(s). Both ip and user agent can be pulled, and we can track the individual sessions even as they constantly change the ids.
For the session management we only need to track when the session was first created, last session update, and current user agent/ip. Probably makes sense for the end user if we also keep some kind of persistent fingerprint from when the session is created.
OWASP has some considerations for logging of session lifecycle here: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md#logging-sessions-life-cycle-monitoring-creation-usage-and-destruction-of-session-ids
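The handler sketched in the telemetry comment above, as an added example that is not Pow's own code: it attaches to the telemetry event emitted on Plug.Session.create/3, pulls ip and user agent from :conn, and keeps one entry per user in an ETS table standing in for a database. The event name, the session-key metadata field name and the user struct's id field are assumptions; check Pow's telemetry docs for the real names.

```elixir
defmodule PowActivityLog do
  # Added example (not Pow's code): records session creation events from the
  # telemetry event Pow emits on Plug.Session.create/3 calls.
  # The event name below is an ASSUMED placeholder; use the name from Pow's docs.
  @session_create_event [:pow, :plug, :session, :create]
  @table :pow_activity_log

  require Logger

  @doc "Creates the in-memory log table (stand-in for a DB table) and attaches the handler."
  def start do
    :ets.new(@table, [:named_table, :bag, :public])

    :telemetry.attach(
      "pow-activity-log",
      @session_create_event,
      &__MODULE__.handle_event/4,
      nil
    )
  end

  @doc "Telemetry handler: builds a log entry from the :user and :conn metadata and stores it."
  def handle_event(_event, _measurements, %{user: user, conn: conn} = metadata, _config) do
    entry = build_entry(user, conn, metadata)
    :ets.insert(@table, {user.id, entry})
    Logger.info("session created user=#{user.id} ip=#{entry.ip} ua=#{entry.user_agent}")
  end

  @doc "Extracts the fields a session-management view needs from the conn."
  def build_entry(user, conn, metadata) do
    %{
      user_id: user.id,
      # Session key taken from the event metadata (field name assumed; check Pow's docs).
      session_key: Map.get(metadata, :session_key),
      # remote_ip is the TCP peer; behind a reverse proxy this is the proxy's
      # address unless a trusted forwarded-header plug has rewritten it.
      ip: conn.remote_ip |> :inet.ntoa() |> to_string(),
      user_agent: conn |> Plug.Conn.get_req_header("user-agent") |> List.first(),
      created_at: DateTime.utc_now()
    }
  end

  @doc "Lists recorded sessions for a user, newest first."
  def sessions_for(user_id) do
    @table
    |> :ets.lookup(user_id)
    |> Enum.map(fn {_id, entry} -> entry end)
    |> Enum.sort_by(& &1.created_at, {:desc, DateTime})
  end
end
```

Because Pow rotates the session id, the persisted entry should be keyed on whatever stable key the event metadata carries, not on the current session id, or the same session shows up as a new row after every renewal.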