bid_main/email.py

@@ -257,3 +257,42 @@ def check_verification_payload(
 
     log.debug("verification OK")
     return VerificationResult.OK, payload
+
+
+def send_new_user_session(session):
+    if not hasattr(session, 'user'):
+        log.error('programming error: called for a session without a user')
+        return False
+    user = session.user
+
+    # sending only a text/plain email to reduce the room for look-alike phishing emails
+    email_body_txt, subject = construct_new_user_session(session)
+
+    email = user.email
+    try:
+        send_mail(
+            subject,
+            message=email_body_txt,
+            from_email=None,  # just use the configured default From-address.
+            recipient_list=[email],
+            fail_silently=False,
+        )
+    except (smtplib.SMTPException, OSError):
+        log.exception("failed to send a new user session email for account %s", user.pk)
+        return False
+    log.info("sent a new user session email for account %s", user.pk)
+    return True
+
+
+def construct_new_user_session(session):
+    context = {
+        "session": session,
+        "user": session.user,
+        "subject": "Blender ID new sign-in",
+    }
+
+    email_body_txt = loader.render_to_string(
+        "bid_main/emails/new_user_session.txt", context
+    )
+
+    return email_body_txt, context["subject"]

bid_main/models.py

@@ -19,6 +19,7 @@ from django.utils import timezone
 from django.utils.deconstruct import deconstructible
 from django.utils.translation import gettext_lazy as _
 import oauth2_provider.models as oa2_models
+import user_agents
 
 from . import fields
 from . import hashers
@@ -682,3 +683,10 @@ class UserSession(models.Model):
 
     def __str__(self):
         return f'UserSession pk={self.pk} for {self.user}'
+
+    @property
+    def device(self):
+        if self.user_agent:
+            return user_agents.parse(self.user_agent)
+        else:
+            return None

bid_main/signals.py

@@ -6,7 +6,7 @@ from django.db.models import F
 from django.db.models.signals import m2m_changed, post_delete
 from django.dispatch import receiver
 
-from . import models
+from . import email, models
 import bid_main.utils as utils
 import bid_main.file_utils
 
@@ -20,7 +20,7 @@ def log_exception(sender, **kwargs):
 
 @receiver(user_logged_in)
 def process_new_login(sender, request, user, **kwargs):
-    """Updates user fields upon login.
+    """Updates user fields and creates a UserSession upon login. Sends and email if IP is new.
 
     Only saves specific fields, so that the webhook trigger knows what changed.
     """
@@ -33,8 +33,11 @@ def process_new_login(sender, request, user, **kwargs):
     if request_ip and user.current_login_ip != request_ip:
         user.last_login_ip = F("current_login_ip")
         user.current_login_ip = request_ip
-
         fields.update({"last_login_ip", "current_login_ip"})
+        try:
+            email.send_new_user_session(request.session.create_model_instance({}))
+        except Exception:
+            log.exception('failed to send a new user session email')
 
     user.save(update_fields=fields)
     models.UserSession.update_or_create_from_request(request, user)

bid_main/templates/bid_main/emails/new_user_session.txt

@@ -0,0 +1,15 @@
+{% autoescape off %}
+Dear {{ user.full_name|default:user.email }}!
+
+A new sign-in for your Blender ID account {{ user.email }}
+
+IP address: {{ session.ip }}
+Device: {{ session.device }}
+
+If this was you, you can ignore this message.
+If this wasn't you, please change or reset your password.
+
+--
+Kind regards,
+The Blender Web Team
+{% endautoescape %}

requirements.txt

@@ -51,6 +51,7 @@ sorl-thumbnail==12.7.0 ; python_version >= "3.8" and python_version < "4"
 sqlparse==0.5.0 ; python_version >= "3.8" and python_version < "4"
 tornado==6.0.3 ; python_version >= "3.8" and python_version < "4"
 urllib3==1.25.11 ; python_version >= "3.8" and python_version < "4"
+user-agents==2.2.0
 uwsgi==2.0.23
 wrapt==1.15.0 ; python_version >= "3.8" and python_version < "4"
 zipp==0.6.0 ; python_version >= "3.8" and python_version < "4"