users: track logins, signups, and other user events.

Add tracking of certain important user actions. These events include: * Logins * Logouts * Failed login attempts * Account creations * Account deletions * Password reset requests * Password changes * Email address changes This is similar to the mod actions log, except for account activity related to a single user. The information tracked includes the user, the event type (login, logout, etc), the timestamp, the user's IP address, IP geolocation information, the user's browser user agent, and the user's session ID from their session cookie. This information is visible to mods only. This is done with three models. The UserEvent model tracks the event type (login, logout, password change, etc) and the user. The UserEvent is tied to a UserSession, which contains the user's IP address and browser metadata. Finally, the IpGeolocation model contains the geolocation information for IPs, including the city, country, ISP, and whether the IP is a proxy. This tracking will be used for a few purposes: * Letting users view their account history, to detect things like logins from unrecognized IPs, failed logins attempts, password changes, etc. * Rate limiting failed login attempts. * Detecting sockpuppet accounts using their login history. * Detecting unauthorized account sharing.
2021-01-07 20:06:59 -06:00
parent 94e125709c
commit 65adcd09c2
39 changed files with 856 additions and 28 deletions
--- a/app/models/ip_geolocation.rb
+++ b/app/models/ip_geolocation.rb
@@ -0,0 +1,29 @@
+# An IpGeolocation contains metadata associated with an IP address, primarily geolocation data.
+
+class IpGeolocation < ApplicationRecord
+  has_many :user_sessions, foreign_key: :ip_addr, primary_key: :ip_addr
+
+  def self.visible(user)
+    if user.is_moderator?
+      all
+    else
+      none
+    end
+  end
+
+  def self.search(params)
+    q = search_attributes(params, :id, :created_at, :updated_at, :ip_addr, :network, :asn, :is_proxy, :latitude, :longitude, :organization, :time_zone, :continent, :country, :region, :city, :carrier)
+    q = q.apply_default_order(params)
+    q
+  end
+
+  def self.create_or_update!(ip_addr)
+    ip_lookup = IpLookup.new(ip_addr)
+    return nil if ip_lookup.is_local?
+    return nil if ip_lookup.ip_info.blank?
+
+    ip_geolocation = IpGeolocation.create_with(**ip_lookup.ip_info).create_or_find_by!(ip_addr: ip_addr)
+    ip_geolocation.update!(**ip_lookup.ip_info)
+    ip_geolocation
+  end
+end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -102,6 +102,7 @@ class User < ApplicationRecord
  has_many :bans, -> {order("bans.id desc")}
  has_many :received_upgrades, class_name: "UserUpgrade", foreign_key: :recipient_id, dependent: :destroy
  has_many :purchased_upgrades, class_name: "UserUpgrade", foreign_key: :purchaser_id, dependent: :destroy
+  has_many :user_events, dependent: :destroy
  has_one :recent_ban, -> {order("bans.id desc")}, :class_name => "Ban"

  has_one :api_key
--- a/app/models/user_event.rb
+++ b/app/models/user_event.rb
@@ -0,0 +1,54 @@
+# A UserEvent is used to track important events related to a user's account,
+# such as signups, logins, password changes, etc. A UserEvent is associated
+# with a UserSession, which contains the IP and browser information associated
+# with the event.
+
+class UserEvent < ApplicationRecord
+  belongs_to :user
+  belongs_to :user_session
+
+  enum category: {
+    login: 0,
+    failed_login: 50,
+    logout: 100,
+    user_creation: 200,
+    user_deletion: 300,
+    password_reset: 400,
+    password_change: 500,
+    email_change: 600,
+  }
+
+  delegate :session_id, :ip_addr, :ip_geolocation, to: :user_session
+  delegate :country, :city, :is_proxy?, to: :ip_geolocation, allow_nil: true
+
+  def self.visible(user)
+    if user.is_moderator?
+      all
+    else
+      where(user: user)
+    end
+  end
+
+  def self.search(params)
+    q = search_attributes(params, :id, :created_at, :updated_at, :category, :user, :user_session)
+    q = q.apply_default_order(params)
+    q
+  end
+
+  concerning :ConstructorMethods do
+    class_methods do
+      # Build an event but don't save it yet. The caller is expected to update the user, which will save the event.
+      def build_from_request(user, category, request)
+        ip_addr = request.remote_ip
+        IpGeolocation.create_or_update!(ip_addr)
+        user_session = UserSession.new(session_id: request.session[:session_id], ip_addr: ip_addr, user_agent: request.user_agent)
+
+        user.user_events.build(user: user, category: category, user_session: user_session)
+      end
+
+      def create_from_request!(...)
+        build_from_request(...).save!
+      end
+    end
+  end
+end
--- a/app/models/user_session.rb
+++ b/app/models/user_session.rb
@@ -0,0 +1,21 @@
+# A UserSession contains browser and IP metadata associated with a UserEvent. This
+# includes the user's session ID from their session cookie, their IP address,
+# and their browser user agent. This is used to track logins and other events.
+
+class UserSession < ApplicationRecord
+  belongs_to :ip_geolocation, foreign_key: :ip_addr, primary_key: :ip_addr, optional: true
+
+  def self.visible(user)
+    if user.is_moderator?
+      all
+    else
+      none
+    end
+  end
+
+  def self.search(params)
+    q = search_attributes(params, :id, :created_at, :updated_at, :session_id, :user_agent, :ip_addr, :ip_geolocation)
+    q = q.apply_default_order(params)
+    q
+  end
+end