"Last seen" time bumped when suspended user attempts login via social logins

A suspended user cannot log in to the Discourse site. If a user attempts to log in to a site with their username and password, they’re denied access. The user’s “last seen” time is not modified.

However, if a suspended user attempts to log in with a social login (Google, Facebook, etc.), the “last seen” time is bumped to the current time, despite the user being denied access. This is inconsistent and would be nice to fix.

4 Likes

I believe this happens with SSO too. @TechnoBear and @Mittineague, can you confirm this is what you were looking into?

2 Likes

That’s what I had noticed. IIRC, we concluded that it was most likely peculiar to SitePoint Premium handling the login process and not a core Discourse issue.

That is, if a member had been suspended in the forum, they should still be able to access their Premium account, and when they logged in to Premium the event was sent to the forum anyway.

My guess is that the login modal (screen in SitePoint’s case) was updating the last seen at the beginning of the login process instead of on its success. But I haven’t looked at the code involved yet so I don’t really know.

3 Likes

That’s not quite what was happening. Any member - suspended or otherwise - can log into their Premium account, and it doesn’t register on the forum “last seen” time; only an actual log-in or attempted log-in at the forums does that.

A suspended account making a log-in attempt at the forums will register an updated “last seen” time and a new “Last IP address” (if different), even though they never reached the forums.

We also established that suspended members were unable to log in, but were not shown any message stating their account was suspended. We have no way of testing whether this is simply a problem with our own set-up, or a wider issue with SSO.

1 Like

I’m fairly certain this was fixed for SSO. Perhaps @eviltrout can clarify?

3 Likes

Thank you.

We’re still on an older version of Discourse, so perhaps an upgrade will fix that particular issue.

I did not change it for SSO, although it’s possible another change did fix it? Someone would have to confirm it is working.

Is this still a problem or can this be closed?

I can no longer reproduce this with Google login, but Facebook login when suspended does still bump the “last seen” time.

2 Likes

Oh, @david, since you are all over this login flow, can you review this use case and correct it?

4 Likes

Added test case and fixed:

https://github.com/discourse/discourse/commit/2dc3a50dacb2aa699b0c68c9abf8fcc5436dc81b

3 Likes
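The ordering problem discussed in this thread, modelled as an added example that is not part of the original posts and is not Discourse's code: the external-login path records "last seen" and "Last IP address" before the suspension check, and the corrected path returns on denial before writing anything. `User`, `LoginFlow`, `record_activity` and `denied_login_mutates?` are hypothetical names, and the sample user and addresses are constructed.

```ruby
# Hypothetical model of the login flow; every name here is an assumption,
# not taken from the Discourse code base.
User = Struct.new(:username, :suspended_till, :last_seen_at, :last_ip) do
  def suspended?(now)
    !suspended_till.nil? && suspended_till > now
  end
end

class LoginFlow
  Result = Struct.new(:ok, :reason)

  def initialize(clock: -> { Time.now })
    @clock = clock
  end

  # Ordering reported in the thread: activity is recorded as soon as the
  # external provider vouches for the identity, before the suspension check.
  def external_login_buggy(user, ip)
    record_activity(user, ip)
    return Result.new(false, :suspended) if user.suspended?(@clock.call)
    Result.new(true, nil)
  end

  # Corrected ordering: the denial path returns before any state is written.
  def external_login_fixed(user, ip)
    return Result.new(false, :suspended) if user.suspended?(@clock.call)
    record_activity(user, ip)
    Result.new(true, nil)
  end

  private

  def record_activity(user, ip)
    user.last_seen_at = @clock.call
    user.last_ip = ip
  end
end

# Regression check: a denied login must leave both audit fields untouched.
# Returns true when the given login method mutated the suspended user.
def denied_login_mutates?(method_name)
  now = Time.utc(2018, 1, 10) # constructed timestamp
  user = User.new("mallory", now + 86_400, Time.utc(2017, 12, 1), "192.0.2.10")
  before = [user.last_seen_at, user.last_ip]
  result = LoginFlow.new(clock: -> { now }).public_send(method_name, user, "198.51.100.7")
  raise "suspended user was admitted" if result.ok
  before != [user.last_seen_at, user.last_ip]
end
```

Running the same check against every login path (password, each social provider, SSO) is what catches a provider-specific case like the Facebook one reported above.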

This topic was automatically closed after 25 hours. New replies are no longer allowed.