User session tracking #93587

Oleg-Komarov · 2024-08-01T13:14:45+02:00

Oleg-Komarov commented

2024-08-01 13:14:45 +02:00

Motivation

A user needs to know how their account is being accessed/used.
At the very minimum, we need to display information about recent sign-ins and active sessions.

This PR adds:

a new "Active Sessions" page that lists existing sessions linked to a user, with an option to terminate a particular session;
an email that is sent to a confirmed email address when a new login happens from a different IP address.

Implementation

Builtin django sessions are lacking some essential features:

it's impossible to efficiently list all sessions belonging to a user
there is not enough metadata: when and where a session was created

This PR adds a cross table bid_main_user_session that links to both django_session and bid_main_user tables, and also stores info about sign-in timestamp, last activity timestamp, IP and User-Agent.
A UserSession object is updated (or created, for new sessions and for active sessions existing before the rollout) on every authenticated request to update the last_active_at field.
This is done in a new user_session_middleware.

A further improvement (intentionally excluded from the PR): use geoip2 to display an IP-based location in the Active Sessions listing and the email.

## Motivation A user needs to know how their account is being accessed/used. At the very minimum, we need to display information about recent sign-ins and active sessions. This PR adds: - a new "Active Sessions" page that lists existing sessions linked to a user, with an option to terminate a particular session; - an email that is sent to a confirmed email address when a new login happens from a different IP address. ## Implementation Builtin django sessions are lacking some essential features: - it's impossible to efficiently list all sessions belonging to a user - there is not enough metadata: when and where a session was created This PR adds a cross table `bid_main_user_session` that links to both `django_session` and `bid_main_user` tables, and also stores info about sign-in timestamp, last activity timestamp, IP and User-Agent. A `UserSession` object is updated (or created, for new sessions and for active sessions existing before the rollout) on every authenticated request to update the `last_active_at` field. This is done in a new `user_session_middleware`. A further improvement (intentionally excluded from the PR): use geoip2 to display an IP-based location in the Active Sessions listing and the email.

Oleg-Komarov added 6 commits 2024-08-01 13:14:48 +02:00

UserSession model: keep track of user session activity 1a98730e3a

add test f6ecf235a5

assume we always have a session 0662506ffe

send email about a login from a new IP 6bc5d1eccd

reorder columns in migration 1045f83da3

active sessions page a208437b94

Oleg-Komarov referenced this pull request

2024-08-01 13:15:07 +02:00

WIP: active-sessions #93586

Oleg-Komarov added 1 commit 2024-08-01 13:42:48 +02:00

delete UserSession records on user.anonymize 392952e6bd

Oleg-Komarov added 1 commit 2024-08-01 14:50:29 +02:00

Check that email is confirmed before sending a new user session email 5b78784144

Oleg-Komarov changed title from ~~WIP: User session tracking~~ to User session tracking

2024-08-01 14:59:55 +02:00

Oleg-Komarov added 1 commit 2024-08-01 15:00:23 +02:00

Merge branch 'main' into user-session f3854edcfd

Anna Sirota reviewed 2024-08-02 11:41:15 +02:00

bid_main/email.py Outdated

						
				@ -260,0 +277,4 @@

				            recipient_list=[email],

				            fail_silently=False,

				        )

				    except (smtplib.SMTPException, OSError):

Anna Sirota commented

2024-08-02 11:21:10 +02:00

might be better to make this a background task instead of wrapping into except.

Oleg-Komarov marked this conversation as resolved

bid_main/models.py Outdated

						
				@ -649,0 +689,4 @@

				    def device(self):

				        if self.user_agent:

				            return user_agents.parse(self.user_agent)

				        else:

Anna Sirota commented

2024-08-02 11:28:37 +02:00

superfluous else

Oleg-Komarov marked this conversation as resolved

bid_main/signals.py

						
				@ -38,1 +38,3 @@

				        if user.has_confirmed_email:

				            try:

				                email.send_new_user_session(user_session)

Anna Sirota commented

2024-08-02 11:30:13 +02:00

should be a call of a task

Oleg-Komarov marked this conversation as resolved

bid_main/views/normal_pages.py Outdated

						
				@ -432,0 +448,4 @@

				class TerminateSessionView(LoginRequiredMixin, View):

				    def post(self, request, *args, **kwargs):

				        if user_session := self.request.user.sessions.filter(pk=kwargs.get('pk', 0)).first():

Anna Sirota commented

2024-08-02 11:40:11 +02:00

getting the pk (pk = kwargs['pk']: it's fine to expect it to be present at this point) and filtering the session on the separate line would make this more readable.

getting the `pk` (`pk = kwargs['pk']`: it's fine to expect it to be present at this point) and filtering the session on the separate line would make this more readable.

Oleg-Komarov marked this conversation as resolved

Oleg-Komarov added 2 commits 2024-08-02 15:34:24 +02:00

improve readability 1f4e4db0d6

move email notification to a background task d3a6bc2556

Oleg-Komarov added 1 commit 2024-08-02 15:37:35 +02:00

remove agent_is_trusted from this branch e48b15c7c9

Oleg-Komarov added 1 commit 2024-08-02 15:41:20 +02:00

change email subject 623c7c4cdb

Oleg-Komarov added 1 commit 2024-08-02 15:43:43 +02:00

subject is not used in template 6345c8316b

Oleg-Komarov added 1 commit 2024-08-02 15:48:37 +02:00

remore redundant atomic decorator 72a75023c8