jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

users: track logins, signups, and other user events.

Browse Source 
Add tracking of certain important user actions. These events include:

* Logins
* Logouts
* Failed login attempts
* Account creations
* Account deletions
* Password reset requests
* Password changes
* Email address changes

This is similar to the mod actions log, except for account activity
related to a single user.

The information tracked includes the user, the event type (login,
logout, etc), the timestamp, the user's IP address, IP geolocation
information, the user's browser user agent, and the user's session ID
from their session cookie. This information is visible to mods only.

This is done with three models. The UserEvent model tracks the event
type (login, logout, password change, etc) and the user. The UserEvent
is tied to a UserSession, which contains the user's IP address and
browser metadata. Finally, the IpGeolocation model contains the
geolocation information for IPs, including the city, country, ISP, and
whether the IP is a proxy.

This tracking will be used for a few purposes:

* Letting users view their account history, to detect things like logins
  from unrecognized IPs, failed logins attempts, password changes, etc.
* Rate limiting failed login attempts.
* Detecting sockpuppet accounts using their login history.
* Detecting unauthorized account sharing.
This commit is contained in:
evazion
2021-01-07 20:06:59 -06:00
parent 94e125709c
commit 65adcd09c2
39 changed files with 856 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/logical/concerns/searchable.rb
View File

@@ -193,7 +193,7 @@ module Searchable
search_text_attribute(name, params)
when :boolean
search_boolean_attribute(name, params)
when :integer, :datetime
when :integer, :float, :datetime
search_numeric_attribute(name, params)
when :inet
search_inet_attribute(name, params)

42
app/logical/ip_lookup.rb
View File

@@ -9,23 +9,51 @@ class IpLookup
Danbooru.config.ip_registry_api_key.present?
end
def initialize(ip_addr, api_key: Danbooru.config.ip_registry_api_key, cache_duration: 1.day)
@ip_addr = ip_addr
def initialize(ip_addr, api_key: Danbooru.config.ip_registry_api_key, cache_duration: 3.days)
@ip_addr = IPAddress.parse(ip_addr.to_s)
@api_key = api_key
@cache_duration = cache_duration
end
def info
def ip_info
return {} if response.blank?
{
ip_addr: ip_addr.to_s,
network: response.dig(:connection, :route),
asn: response.dig(:connection, :asn),
is_proxy: is_proxy?,
latitude: response.dig(:location, :latitude),
longitude: response.dig(:location, :longitude),
organization: response.dig(:connection, :organization),
time_zone: response.dig(:time_zone, :id),
continent: response.dig(:location, :continent, :code),
country: response.dig(:location, :country, :code),
region: response.dig(:location, :region, :code),
city: response.dig(:location, :city),
carrier: response.dig(:carrier, :name),
}.with_indifferent_access
end
def response
return {} if api_key.blank?
response = Danbooru::Http.cache(cache_duration).get("https://api.ipregistry.co/#{ip_addr}?key=#{api_key}")
response = Danbooru::Http.cache(cache_duration).get("https://api.ipregistry.co/#{ip_addr.to_s}?key=#{api_key}")
return {} if response.status != 200
json = response.parse.deep_symbolize_keys.with_indifferent_access
json
end
def is_proxy?
info[:security].present? && info[:security].values.any?
def is_local?
if ip_addr.ipv4?
ip_addr.loopback? || ip_addr.link_local? || ip_addr.private?
elsif ip_addr.ipv6?
ip_addr.loopback? || ip_addr.link_local? || ip_addr.unique_local?
end
end
memoize :info, :is_proxy?
def is_proxy?
response[:security].present? && response[:security].values.any?
end
memoize :response, :is_proxy?
end

27
app/logical/session_loader.rb
View File

@@ -10,12 +10,28 @@ class SessionLoader
end
def login(name, password)
user = User.find_by_name(name)&.authenticate_password(password)
return nil unless user
user = User.find_by_name(name)
session[:user_id] = user.id
user.update_column(:last_ip_addr, request.remote_ip)
user
if user.present? && user.authenticate_password(password)
session[:user_id] = user.id
UserEvent.build_from_request(user, :login, request)
user.last_logged_in_at = Time.now
user.last_ip_addr = request.remote_ip
user.save!
user
elsif user.nil?
nil # username incorrect
else
UserEvent.create_from_request!(user, :failed_login, request)
nil # password incorrect
end
end
def logout
session.delete(:user_id)
UserEvent.create_from_request!(CurrentUser.user, :logout, request)
end
def load
@@ -76,6 +92,7 @@ class SessionLoader
CurrentUser.user = user
end
# XXX use rails 6.1 signed ids (https://github.com/rails/rails/blob/6-1-stable/activerecord/CHANGELOG.md)
def load_param_user(signed_user_id)
session[:user_id] = Danbooru::MessageVerifier.new(:login).verify(signed_user_id)
load_session_user

11
app/logical/user_deletion.rb
View File

@@ -1,23 +1,26 @@
class UserDeletion
include ActiveModel::Validations
attr_reader :user, :password
attr_reader :user, :password, :request
validate :validate_deletion
def initialize(user, password)
def initialize(user, password, request)
@user = user
@password = password
@request = request
end
def delete!
return false if invalid?
clear_user_settings
remove_favorites
clear_saved_searches
rename
reset_password
create_mod_action
create_user_event
user
end
@@ -27,6 +30,10 @@ class UserDeletion
ModAction.log("user ##{user.id} deleted", :user_delete)
end
def create_user_event
UserEvent.create_from_request!(user, :user_deletion, request)
end
def clear_saved_searches
SavedSearch.where(user_id: user.id).destroy_all
end

6
app/logical/user_verifier.rb
View File

@@ -33,11 +33,7 @@ class UserVerifier
end
def is_local_ip?
if ip_address.ipv4?
ip_address.loopback? || ip_address.link_local? || ip_address.private?
elsif ip_address.ipv6?
ip_address.loopback? || ip_address.link_local? || ip_address.unique_local?
end
IpLookup.new(ip_address).is_local?
end
def is_logged_in?