Jump to content

User:DWalden (WMF)/LoginNotify

From mediawiki.org

Feature documentation

[edit]

Extension:LoginNotify

Test documentation

[edit]

Where to test it

[edit]

It should be enabled on most wikis on beta and production.

How to install locally

[edit]

First, install Echo, then install LoginNotify.

(Optional, but recommended) Setup email. Also go to Special:Preferences and check that the user you are testing with has an email setup. I normally use <username>@localhost.

Capabilities

[edit]
  • When you login successfully, you may see an email and/or Echo notification.
    • I am not sure exactly the conditions under which the notification will be sent.
    • The IP you used to login will be recorded somewhere:
      • in some cases in a cache (not sure where)
      • in cu_changes or cu_private_events (if $wgLoginNotifyUseCheckUser = true;)
      • in loginnotify_seen_net (if $wgLoginNotifyUseSeenTable = true;)
  • When an attempt to login as a username is unsuccessful (i.e. incorrect password), the username is notified (via email and/or Echo notification).
    • The wording of the email/notification will depend on whether it is a new IP address or one you have logged in with before (within a particular time span) or if you have a cookie set when you lasted successfully logged in to the account.

Important: LoginNotify looks at the subnet that the IP is a part of. /24 for IPv4 and /64 for IPv6. So IPs 1.2.3.4 and 1.2.3.5 are considered the same but 1.2.3.4 and 2.2.3.4 are considered different. When attempting to test a "new" IP address and you want to make sure LoginNotify will treat it as new, change the first number in the IP.

Techniques

[edit]

Example scenarios to test.

Setup

Run this query in the database: ALTER TABLE loginnotify_seen_net MODIFY COLUMN lsn_time_bucket BIGINT NOT NULL;

Add this to LocalSettings.php:

$wgCdnServersNoPurge = [ '172.0.0.1/8' ];
$wgUsePrivateIPs = true;

$wgLoginNotifyAttemptsKnownIP = 1;
$wgLoginNotifyAttemptsNewIP = 1;
$wgLoginNotifyUseCheckUser = false;
$wgLoginNotifyUseSeenTable = true;
$wgLoginNotifyCookieExpire = 0;
$wgLoginNotifySeenExpiry = 30;
$wgLoginNotifySeenBucketSize = 10;

Install a browser extension which allows you to change your X-Forward-For header. For example, this one for Firefox or Chrome.

Testing

Login successfully. In the database, run SELECT * FROM loginnotify_seen_net; to see a new row created.

After ~10 seconds (the value of $wgLoginNotifySeenBucketSize), another successful login from the same IP address will create a new row in the database.

A successful login from a new IP address should always create a new row, even within 10 seconds.

Check http://localhost:8025/ to see what email notifications have been sent.

Try to login as the same username but with an incorrect password. Check your email http://localhost:8025/.

If it is within 30 seconds (value of $wgLoginNotifySeenExpiry) of your last login and you haven't changed your IP, the email will start: There has been a failed attempt to log in to your account since the last time you logged in.

If it is a new IP, or outside of 30 seconds, the email will start: There has been a failed attempt to log in to your account from a new device.

If you fail login multiple times the email will show you a count of the number of times login failed.

Logs and debugging

[edit]

The behaviour of LoginNotify is a bit opaque to me at times. To see what is happening in the backend, search in the logs for [LoginNotify].