coder / code-server

VS Code in the browser
https://coder.com
MIT License
68.54k stars 5.62k forks source link

[Feat]: Tracking of User Logins #6672

Closed basrihsn closed 4 months ago

basrihsn commented 9 months ago

What is your suggestion?

I suggest adding a feature to track user login activities within code-server. This would involve creating a mechanism to log details of user logins, such as timestamps and user identifiers, and possibly track the duration of active sessions. This functionality could be presented through a log file accessible to the user or via an interface within code-server that displays this information.

Why do you want this feature?

As a user managing my code-server instance, I find it essential to have visibility into my login history for security and auditing purposes. Being able to review login activities would help me ensure that there is no unauthorized access to my development environment. Additionally, it would allow me to monitor my usage patterns, which could be beneficial for optimizing my workflow and managing resources more effectively. Also, I can see more clearly who is actively using it and who is not.

Are there any workarounds to get this functionality today?

At present, the only workaround seems to be manually reviewing server access logs if available, or utilizing external monitoring tools to track access patterns indirectly. These methods are not ideal as they may not provide a straightforward or accurate view of login activities specifically related to code-server. They also add extra steps and complexity to the user's workflow, which could be streamlined with a dedicated feature within code-server itself.

Are you interested in submitting a PR for this?

Although I am very interested in having this feature available, I may not have the necessary skills or resources to implement it myself via a pull request at the moment. I am hopeful that the code-server development team or the community might consider adding this functionality, and I would be eager to assist in testing or providing further input on the feature requirements.

code-asher commented 9 months ago

Thank you for the suggestion!

A couple other workarounds I would add is to use an authentication proxy like oauth2-proxy or some such, as they probably already have audit logging capabilities built in, or coder/coder which does a lot more but in particular has audit logging around user actions, including logging in and out.

Would it be sufficient to have a well-known log line for this? We do something similar for failed logins where we output Failed login attempt with some JSON-encoded details (user agent, remote IP, etc) and users can pick up on that with fail2ban or similar. So we could add Logged in and Logged out (feel free to suggest different verbiage) and tools can pick up on those with the timestamp.

basrihsn commented 8 months ago

Hello @code-asher,

Thank you for your suggestions regarding authentication proxies and coder/coder for audit logging. The workarounds you're mentioning, unfortunately it doesn't work for us. We're presenting docker container based VS Code servers to users but also we want to track whether the related resource is actively used or not. Therefore, we need to track when the user lastly logged in and analyze how many times logged in past 6 months to detect the inactivity.

We're running up the container with using below command.

docker run --restart=always --name=${userpath} -it --init -td -p ${port}:<next available port (starts from 8443)> -v "/home/${userpath}:/home/${userpath}" -e PASSWORD=${password} -e PUID=$(id -u ${userpath}) -e PGID=$(id -g ${userpath}) -e TZ=Europe/Frankfurt -e SUDO_PASSWORD=${password} linuxserver/code-server:3.12.0

Could the logging feature be adapted to include these details, or might there be a way to configure logging to capture this specific information? This would enable us to aggregate and analyze logs more effectively, perhaps even allowing us to centralize log collection for easier monitoring of user activity and resource usage.

Thanks in advance

code-asher commented 8 months ago

Is there a way to get the container name from inside the container? Maybe we could use the host name? Or we could add some new environment variable like CODE_SERVER_USER. Or if you set USER we could use that.

It could also be done externally by prefixing the log line using whatever mechanism you are using to do the log collection. A very hacked-together (and untested) example:

# Of course, will not actually work until we add the "Logged in" log.
docker run code-server | grep "Logged in" | sed "s/^/$userpath /" > logins

I should mention though, you only have to log in once and I believe the cookie has no expiration, so it might not give you the activity tracking you want. For activity tracking I think folks usually use the heartbeat file ~/.local/share/code-server/heartbeat which gets updated every minute as long as there is an active connection.

code-asher commented 4 months ago

Closing as out of scope for now, I think this would be best built external to the IDE.