gbv / login-server

Login and connect accounts with multiple identity providers
https://coli-conc.gbv.de/login/
MIT License

Add account last usage date to support expiration of accounts #23

Closed nichtich closed 5 years ago

nichtich commented 5 years ago

If we store the day or week a user was last logged in, we can purge unused accounts after one or two years.

stefandesu commented 5 years ago

I'm somewhat opposed to purging old accounts, but that's a personal opinion. But I guess if we default to using an identity URI for mappings (instead of the login-server URI), the accounts don't really matter that much except for the roles, and we can expect those users who receive additional roles to use their account at least once a year.

The thing is that usually you'd notify a user about the account deletion, but we don't have or want their contact information, so we can't do that. If you don't think that's a problem, then we can do some kind of purging. But we should definitely document that somewhere where the user will see it.

nichtich commented 5 years ago

Yes, the feature is only needed when we expect to have a large number of users that registered years ago and never came back.

stefandesu commented 5 years ago

Okay, so we can add a "last used" date to each account (that gets updated on each request) and decide if we want to use this info later.

stefandesu commented 5 years ago

I decided to save this in a separate "Usage" collection (that uses the same IDs as the users) to have a clean separation with the actual user data.
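
The design discussed in this thread, as an added example that is not taken from the issue or from login-server's own code: a separate usage record keyed by the user ID, stored at day granularity and updated on each request, plus a purge of accounts unused for longer than a threshold. The in-memory Maps and the names `UsageStore`, `touch`, `expired`, `purge` and `demo` are assumptions standing in for the real collections, and the sample users and dates are constructed.

```javascript
// Added example: in-memory stand-in for a separate "Usage" collection.
// All names (UsageStore, touch, expired, purge, demo) are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

// Keep only the UTC day ("YYYY-MM-DD") so no precise activity time is stored.
function toDay(date) {
  return date.toISOString().slice(0, 10);
}

class UsageStore {
  constructor() {
    this.usage = new Map(); // userId -> "YYYY-MM-DD", same IDs as the users
    this.writes = 0;        // counts actual writes, to show the per-day dedup
  }

  // Call on each authenticated request; writes only when the day changes.
  touch(userId, now = new Date()) {
    const day = toDay(now);
    if (this.usage.get(userId) === day) return false;
    this.usage.set(userId, day);
    this.writes += 1;
    return true;
  }

  // IDs whose last recorded day is more than maxAgeDays before `now`.
  // Users without a usage record are never returned: missing data is
  // not treated as evidence of inactivity.
  expired(maxAgeDays, now = new Date()) {
    const cutoff = toDay(new Date(now.getTime() - maxAgeDays * DAY_MS));
    return [...this.usage].filter(([, day]) => day < cutoff).map(([id]) => id).sort();
  }

  // Delete the user and its usage record together so no orphan remains.
  purge(users, maxAgeDays, now = new Date()) {
    const ids = this.expired(maxAgeDays, now);
    for (const id of ids) { users.delete(id); this.usage.delete(id); }
    return ids;
  }
}

// Constructed sample data: u1 is stale, u2 is recent, u3 has no usage record.
function demo() {
  const users = new Map([["u1", { roles: [] }], ["u2", { roles: ["editor"] }], ["u3", {}]]);
  const store = new UsageStore();
  store.touch("u1", new Date("2019-03-01T08:00:00Z"));
  store.touch("u2", new Date("2021-02-27T23:59:00Z"));
  store.touch("u2", new Date("2021-02-27T23:59:30Z")); // same day, no write
  const removed = store.purge(users, 365, new Date("2021-03-01T00:00:00Z"));
  return { removed, remaining: [...users.keys()], writes: store.writes };
}
```

Accounts that predate the usage records have no entry and are skipped by `expired`, so they need a backfill or an explicit policy before any purge runs.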