pow-auth / pow

Robust, modular, and extendable user authentication system
https://powauth.com
MIT License

Suggestion: Activity log and session management extension #122

Open danschultzer opened 5 years ago

danschultzer commented 5 years ago

Based on https://github.com/danschultzer/pow/issues/30#issuecomment-422832256.

An extension that persistently stores login history with additional information (like user agent and IP), and allows users to view and disable their current active sessions. Maybe this could be worked in with Telemetry.

humancopy commented 5 years ago

I really like the Telemetry idea, I think it's a great solution to replace the controller callbacks... Maybe the first step would be to convert callbacks to events and then create this extension?

danschultzer commented 5 years ago

Controller callbacks are different, since they interject the request and may change the results. I've been working on making them more pluggable in #82. Having it work very similar to plug is the cleanest way I can think of handling controller callbacks.

For log recording, telemetry is perfect. We should add events for all the user actions in Pow, and have an extension to catch those telemetry events and record an activity log.

humancopy commented 5 years ago

Controller callbacks are different, since they interject the request and may change the results.

Ah yes of course 😄

So I released the extension as a separate package so it might give some answer to anyone needing a simple solution until a more robust one is available: https://github.com/humancopy/pow_last_login

danschultzer commented 5 years ago

Great!

I just pushed an experimental branch telemetry that executes a telemetry event on Plug.Session.create/3 calls. It can be used to catch and update db/cache with additional session info.

The docs describe how it works: https://github.com/danschultzer/pow/blob/4d6e4efba108872d5466b90d01a645c15c0bcd82/lib/pow.ex#L22-L42

This will work well for the activity log since the event metadata includes :user, :conn and session key(s). Both IP and user agent can be pulled, and we can track the individual sessions even as they constantly change their ids.

For the session management we only need to track when the session was first created, last session update, and current user agent/ip. Probably makes sense for the end user if we also keep some kind of persistent fingerprint from when the session is created.
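The sketch above (a telemetry event on session creation whose metadata carries the user, the conn and the session keys; an extension that records created-at, last-update, current IP/user agent and a persistent fingerprint, and survives session id rotation) as an added worked example. This is not Pow's code and not from the experimental branch: the event name [:pow, :plug, :session, :create] and the metadata shape %{user: ..., conn: ..., session_id: ..., previous_session_id: ...} are assumptions made for the example, and storage is a public ETS table so it runs without a database. Revoking a session from the user's "active sessions" view also requires deleting it from Pow's session store, which this example does not do.

```elixir
# Added example for issue #122, not code from Pow itself.
# Assumptions (hypothetical, not confirmed by the thread):
#   - event name:     [:pow, :plug, :session, :create]
#   - event metadata: %{user: user, conn: conn, session_id: id,
#                       previous_session_id: old_id | nil}
# Storage is a public ETS table so the example runs without a database.
defmodule MyApp.ActivityLog do
  require Logger

  @table :pow_activity_log
  @event [:pow, :plug, :session, :create]

  # Create the table and attach the handler; call once from Application.start/2.
  # The table is :public because the handler runs in each request's process.
  def setup do
    :ets.new(@table, [:named_table, :set, :public])
    :telemetry.attach("pow-activity-log", @event, &__MODULE__.handle_event/4, nil)
  end

  # Telemetry handler: runs inline in the request, so keep it cheap.
  def handle_event(@event, _measurements, %{conn: conn, user: user} = meta, _config) do
    now = DateTime.utc_now()
    # remote_ip is the peer address; behind a reverse proxy set it from
    # X-Forwarded-For (e.g. with the remote_ip plug) before this runs.
    ip = conn.remote_ip |> :inet.ntoa() |> to_string()
    ua = header(conn, "user-agent")
    lang = header(conn, "accept-language")

    {event, record} =
      case renew(meta[:previous_session_id], now, ip, ua) do
        nil -> {:created, new_record(user, now, ip, ua, lang)}
        renewed -> {:renewed, renewed}
      end

    :ets.insert(@table, {meta.session_id, record})

    # OWASP session-lifecycle logging: record who/where/when, but never the raw
    # session id, which would turn the log into a credential store.
    Logger.info("pow session #{event}", user_id: user.id, ip: ip, user_agent: ua)
  end

  # Everything a user needs to see in an "active sessions" view.
  def active_sessions(user_id) do
    for {id, %{user_id: ^user_id} = rec} <- :ets.tab2list(@table), do: {id, rec}
  end

  # Drop the record after the session has been deleted from Pow's store.
  def forget(session_id), do: :ets.delete(@table, session_id)

  # Pow rotates session ids; carry the original creation time and fingerprint
  # over to the new id, refresh the mutable fields and remove the stale record.
  defp renew(nil, _now, _ip, _ua), do: nil

  defp renew(old_id, now, ip, ua) do
    case :ets.take(@table, old_id) do
      [{^old_id, rec}] -> %{rec | last_seen_at: now, ip: ip, user_agent: ua}
      [] -> nil
    end
  end

  defp new_record(user, now, ip, ua, lang) do
    %{
      user_id: user.id,
      created_at: now,
      last_seen_at: now,
      ip: ip,
      user_agent: ua,
      # Fixed at creation and stable across ip changes and id rotation, so the
      # user can recognise the same session later even if its id has changed.
      fingerprint: fingerprint(ua, lang)
    }
  end

  defp fingerprint(ua, lang) do
    :crypto.hash(:sha256, ua <> "\n" <> lang)
    |> Base.encode16(case: :lower)
    |> binary_part(0, 16)
  end

  defp header(conn, name) do
    case Plug.Conn.get_req_header(conn, name) do
      [value | _] -> value
      [] -> ""
    end
  end
end
```

Carrying the record over on renewal is what keeps the "last session update" and "created at" timestamps meaningful once Pow starts rotating the id; without :ets.take on the previous id every rotation would look like a brand-new login.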

danschultzer commented 5 years ago

OWASP has some considerations for logging of session lifecycle here: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md#logging-sessions-life-cycle-monitoring-creation-usage-and-destruction-of-session-ids