☝️What is it? Why do we need it?
Security best practice now is for users to keep track of their recently used devices. We must make sure a user always knows which devices have logged in recently - this is why the list shows currently logged-in devices but also recently logged-in (and now logged-out) devices.
How it should work:
One gets an email for each login on a new device (email template to follow)
One can see the list of devices
One can delete a device - after deletion it counts as a new device again, so the user gets the email again if this device logs in again
💭 Implementation details
one can get a list of their recently used & logged-in devices via API GET /users/me/devices, with the following fields per device:
Date & Time
IP
Browser
Operating System
one can delete a device - DELETE /users/me/devices/<uuid> (it is removed from the list and logged out)
one can delete all devices - DELETE /users/me/devices/ (all are removed from the list and logged out)
it should be possible to get an email for a login from a new device, if the LOGIN_ON_NEW_DEVICE_EMAIL env variable is set to True.
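The following is an added example, not code from this project: a framework-free Python sketch of the device registry behind the endpoints above, so the semantics can be pinned down before the Django REST implementation is written. Everything in it (the `DeviceRegistry` class, the `Device` fields, the 30-day retention window, the crude `parse_user_agent` helper, the constructed User-Agent strings) is an assumption. Two security points it makes concrete: the device id is a server-issued random UUID that is only honoured if it already belongs to the requesting user (a missing, forged or foreign id is simply a new device and triggers the email), and DELETE revokes every session bound to the device, so "logged out" is enforced server-side rather than by asking the client to drop its cookie.

```python
"""Device registry sketch for GET/DELETE /users/me/devices (added example, no Django)."""
import os
import secrets
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set


def parse_user_agent(ua: str):
    """Crude browser/OS extraction; real code would use a UA parser library (assumption)."""
    ua_l = ua.lower()
    browser = next((b for b in ("firefox", "edg", "chrome", "safari") if b in ua_l), "unknown")
    os_name = next((o for o in ("windows", "android", "iphone", "mac os", "linux") if o in ua_l), "unknown")
    return browser, os_name


@dataclass
class Device:
    id: str                      # server-issued random UUID; the client stores it in a device cookie
    last_seen: datetime
    ip: str
    browser: str
    os: str
    logged_in: bool = True
    sessions: Set[str] = field(default_factory=set)   # session tokens issued on this device


class DeviceRegistry:
    def __init__(self, send_email: Callable[[str, Device], None],
                 notify_new_device: Optional[bool] = None,
                 retention: timedelta = timedelta(days=30)):   # how long logged-out devices stay listed
        if notify_new_device is None:                          # LOGIN_ON_NEW_DEVICE_EMAIL env, as in the spec
            notify_new_device = os.environ.get("LOGIN_ON_NEW_DEVICE_EMAIL", "").lower() == "true"
        self.notify_new_device = notify_new_device
        self.send_email = send_email
        self.retention = retention
        self._devices: Dict[str, Dict[str, Device]] = {}   # user_id -> device_id -> Device
        self._active_sessions: Dict[str, str] = {}          # session token -> user_id

    def login(self, user_id: str, presented_device_id: Optional[str], ip: str,
              user_agent: str, now: datetime):
        """Returns (device_id, session_token). `ip` must be the trusted client address,
        never an unvalidated X-Forwarded-For header."""
        devices = self._devices.setdefault(user_id, {})
        browser, os_name = parse_user_agent(user_agent)
        # Only a device id already bound to *this* user counts as known; anything else
        # (missing, forged, or another user's cookie) is treated as a new device.
        device = devices.get(presented_device_id) if presented_device_id else None
        if device is None:
            device = Device(str(uuid.uuid4()), now, ip, browser, os_name)
            devices[device.id] = device
            if self.notify_new_device:
                self.send_email(user_id, device)
        else:
            device.last_seen, device.ip, device.browser, device.os = now, ip, browser, os_name
        device.logged_in = True
        token = secrets.token_urlsafe(32)
        self._active_sessions[token] = user_id
        device.sessions.add(token)
        return device.id, token

    def is_logged_in(self, token: str) -> bool:
        return token in self._active_sessions

    def logout(self, user_id: str, token: str) -> None:
        """Normal logout: the session is revoked but the device stays listed as logged out."""
        self._active_sessions.pop(token, None)
        for device in self._devices.get(user_id, {}).values():
            if token in device.sessions:
                device.sessions.discard(token)
                device.logged_in = bool(device.sessions)

    def list_devices(self, user_id: str, now: datetime) -> List[dict]:
        """GET /users/me/devices: logged-in devices plus ones seen within the retention window."""
        return [{"id": d.id, "last_seen": d.last_seen.isoformat(), "ip": d.ip,
                 "browser": d.browser, "os": d.os, "logged_in": d.logged_in}
                for d in self._devices.get(user_id, {}).values()
                if d.logged_in or now - d.last_seen <= self.retention]

    def delete_device(self, user_id: str, device_id: str) -> bool:
        """DELETE /users/me/devices/<uuid>: forget the device and revoke every session it holds,
        so the deletion is a real server-side logout. Returns False if unknown for this user."""
        device = self._devices.get(user_id, {}).pop(device_id, None)
        if device is None:
            return False
        for token in device.sessions:
            self._active_sessions.pop(token, None)
        return True

    def delete_all_devices(self, user_id: str) -> int:
        """DELETE /users/me/devices/: the same for every device of the user."""
        return sum(self.delete_device(user_id, i) for i in list(self._devices.get(user_id, {})))


def demo() -> dict:
    """Walk through the spec with constructed inputs; returns the observable results."""
    sent = []
    reg = DeviceRegistry(send_email=lambda uid, dev: sent.append((uid, dev.id)), notify_new_device=True)
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ua_pc = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"   # constructed
    ua_phone = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1"  # constructed
    dev1, tok1 = reg.login("alice", None, "203.0.113.5", ua_pc, t0)                        # new device, email
    _, tok2 = reg.login("alice", dev1, "203.0.113.5", ua_pc, t0 + timedelta(hours=1))      # known, no email
    dev2, tok3 = reg.login("alice", "forged-id", "198.51.100.9", ua_phone, t0 + timedelta(hours=2))  # new, email
    reg.logout("alice", tok3)                                                               # phone logs out normally
    listed = reg.list_devices("alice", t0 + timedelta(hours=3))
    listed_after_retention = reg.list_devices("alice", t0 + timedelta(days=60))
    reg.delete_device("alice", dev1)
    return {"emails_sent": len(sent), "dev1": dev1, "dev2": dev2, "listed": listed,
            "listed_after_retention": len(listed_after_retention),
            "tok1_active_after_delete": reg.is_logged_in(tok1),
            "tok2_active_after_delete": reg.is_logged_in(tok2),
            "listed_after_delete": len(reg.list_devices("alice", t0 + timedelta(hours=4))),
            "deleted_all": reg.delete_all_devices("alice"),
            "listed_after_delete_all": len(reg.list_devices("alice", t0 + timedelta(hours=5)))}
```

When this is ported to Django REST Framework, the per-user map becomes a model with a foreign key to the user, the session set becomes the link between the device row and the auth token or session row, and `delete_device` must delete those rows (or blacklist the tokens) in the same transaction as the device row; otherwise the list says "logged out" while the token still works.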
📋 Todos
[ ] API /users/me/devices
[ ] Deleting one or all devices using DELETE
[ ] Sending an email, if ENV is set
[ ] Good documentation so that it can easily be used by a frontend
It would also be nice if the code lived in its own folder structure and worked fairly independently; maybe at some point we could publish it as an external django-rest-devices package or similar.