Remove sign-in token authentication, instead send e-mail about new sign-in (#17970)
This commit is contained in:
Eugen Rochko
GitHub
parent
abb11778d7
commit
6221b36b27
18 changed files with 137 additions and 362 deletions
42
app/lib/suspicious_sign_in_detector.rb
Normal file
42
app/lib/suspicious_sign_in_detector.rb
Normal file
|
|
@ -0,0 +1,42 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
class SuspiciousSignInDetector
|
||||
IPV6_TOLERANCE_MASK = 64
|
||||
IPV4_TOLERANCE_MASK = 16
|
||||
|
||||
def initialize(user)
|
||||
@user = user
|
||||
end
|
||||
|
||||
def suspicious?(request)
|
||||
!sufficient_security_measures? && !freshly_signed_up? && !previously_seen_ip?(request)
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def sufficient_security_measures?
|
||||
@user.otp_required_for_login?
|
||||
end
|
||||
|
||||
def previously_seen_ip?(request)
|
||||
@user.ips.where('ip <<= ?', masked_ip(request)).exists?
|
||||
end
|
||||
|
||||
def freshly_signed_up?
|
||||
@user.current_sign_in_at.blank?
|
||||
end
|
||||
|
||||
def masked_ip(request)
|
||||
masked_ip_addr = begin
|
||||
ip_addr = IPAddr.new(request.remote_ip)
|
||||
|
||||
if ip_addr.ipv6?
|
||||
ip_addr.mask(IPV6_TOLERANCE_MASK)
|
||||
else
|
||||
ip_addr.mask(IPV4_TOLERANCE_MASK)
|
||||
end
|
||||
end
|
||||
|
||||
"#{masked_ip_addr}/#{masked_ip_addr.prefix}"
|
||||
end
|
||||
end
|
||||
Loading…
Add table
Add a link
Reference in a new issue