flarum / issue-archive


Improving Access Tokens #18

Open idk-pixel opened 2 years ago

idk-pixel commented 2 years ago

Feature Request

IP Security

Whenever a user signs up, an access token contains the IP that will be kept on being used, and inform this on the signup form. Whenever they log in without the IP that was given during sign-up, they will reset their password (email + UI saying to check email and to resend the emails, and not allow them to access the site until they do reset it) OR they can get an email to authorize the IP and show an error message saying to check the email. (Setting chosen in admin dash.)

Justifying why this feature belongs in Flarum's core, rather than in a third-party extension

This feature should belong to the Flarum core because, rather than an extension handling these security risks, the Flarum core can handle it and always be up to date, and can prevent users having to wait for 3rd parties to update the security extension.

clarkwinkelmann commented 2 years ago

This sounds like an excellent candidate for an extension.

Most websites don't ask users to double-authenticate new websites or devices. I understand the need for sensitive or high profile forums, but I don't think this is a feature that will interest most regular communities.

Flarum already associates the IP with access tokens. However there is no constraint, and the IP or user agent is even allowed to change during a single session.

I feel like a proper implementation of this wouldn't even rely on the IP or user agent only, but rather create unique device IDs, and then integrate security checks around the IPs and user agents used on the registered devices. This quickly gets way outside of the scope of Flarum core.

Many websites might also want a less strict option, for example sending an email when a new device is detected. An extension could implement this extremely easily.
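
To make the design discussed in this thread concrete (the opening request for tokens bound to an IP, and the reply above suggesting device IDs plus a choice between a strict check and a "notify on new device" mode), here is an added, stand-alone example in Python. It is not Flarum code and not part of this issue; the token store, the policy names, the keyed-hash device ID and the in-memory "notifications" list standing in for outgoing email are all assumptions made for the illustration. It shows why binding to raw IP is brittle (an IP change on the same browser registers as a new device) and how the three policies behave on the same token.

```python
"""Device-aware access-token checks (example, not Flarum's own code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Admin-chosen policy for a token presented from a device not seen before.
POLICY_ALLOW = "allow"      # current behaviour: no constraint at all
POLICY_NOTIFY = "notify"    # keep the session, email the user ("less strict" option)
POLICY_REAUTH = "reauth"    # revoke the token; user must sign in again


@dataclass
class AccessToken:
    token: str
    user_id: int
    device_id: str          # device the token was issued to
    revoked: bool = False


@dataclass
class TokenStore:
    secret: bytes           # server-side key so device IDs cannot be guessed
    policy: str = POLICY_NOTIFY
    tokens: dict = field(default_factory=dict)
    known_devices: dict = field(default_factory=dict)   # user_id -> set of device ids
    notifications: list = field(default_factory=list)   # constructed stand-in for email

    def device_id(self, ip: str, user_agent: str) -> str:
        # Keyed hash of the only signals Flarum stores today (IP + user agent).
        # Assumption for the example: a real implementation would derive the id
        # from a cookie set at login, so a changed IP on the same browser is not
        # mistaken for a new device.
        msg = f"{ip}\n{user_agent}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]

    def issue(self, user_id: int, ip: str, user_agent: str) -> str:
        """Create a token at login and remember the issuing device as trusted."""
        dev = self.device_id(ip, user_agent)
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = AccessToken(tok, user_id, dev)
        self.known_devices.setdefault(user_id, set()).add(dev)
        return tok

    def check(self, token: str, ip: str, user_agent: str) -> str:
        """Return 'ok', 'ok-notified' or 'rejected' for a presented token."""
        rec = self.tokens.get(token)
        if rec is None or rec.revoked:
            return "rejected"
        dev = self.device_id(ip, user_agent)
        if dev == rec.device_id or dev in self.known_devices.get(rec.user_id, set()):
            return "ok"
        if self.policy == POLICY_ALLOW:
            return "ok"
        if self.policy == POLICY_NOTIFY:
            # Session continues; the user is told and the device becomes trusted.
            self.notifications.append((rec.user_id, f"new device {dev} used your session"))
            self.known_devices[rec.user_id].add(dev)
            return "ok-notified"
        # POLICY_REAUTH: the token is no longer trusted from any device.
        rec.revoked = True
        return "rejected"
```

Usage: construct a `TokenStore` with the forum's policy, call `issue()` at login and `check()` on every request that carries a token. Under `POLICY_REAUTH` the revocation is deliberate: once a token has been seen from an unknown device it is rejected even from the original device, so an attacker who obtained the token cannot keep using it from elsewhere while the legitimate user stays logged in.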

tankerkiller125 commented 2 years ago

I agree with Clark here that this would be better as an extension, however I will say that when I previously tried to use a 3rd party auth check tool (Castle) I found that our login is missing important events required to use it properly (though I can't remember which ones), however that was also in beta.11 so things may have changed since then.

idk-pixel commented 2 years ago

I agree with Clark here that this would be better as an extension, however I will say that when I previously tried to use a 3rd party auth check tool (Castle) I found that our login is missing important events required to use it properly (though I can't remember which ones), however that was also in beta.11 so things may have changed since then.

Thanks for replying to me. I had beforehand requested this in beta 11. It was going to be done, but someone's PR got closed for it. I think this should be built in as it can put a better look on Flarum, so it just doesn't look like a forum that only can be good with extensions.

tankerkiller125 commented 2 years ago

The idea behind Flarum is that it's a Forum Framework, the entire point is that while Flarum holds the core basics everything else is an extension/can be an extension.

It's the reason that things like file uploads, OAuth2 with Google, Github, etc., Spammer Management, etc. are all extensions and not built in. And to be honest even most of the core features are in fact extensions themselves (tags, follows, likes, etc.)