is there a way to make it so that when a user requests a password reset, it sends the ip in the email as well?
1 Like
For what purpose? Can you cite examples? Is this a security concern issue?
for security reasons, users can do it for spammy purpose, so if someone’s doing it to spam person can report it or something or if its an admin account, he and or she can block ip
I’ve seen that sort of thing before. The wiki associated with Nextthing’s CHIP computer did it for me:
Someone, probably you, from IP address 10.0.0.70,
has registered an account "Elijah" with this email address on www.chip-community.org.
To confirm that this account really does belong to you and activate
email features on www.chip-community.org, open this link in your browser:
...
Complete with that not-useful IP address.
1 Like
Couple different ways to approach this…
Here are the details of the sign-in attempt:
Thursday, July 07/20/17 at 17:03 MST
Account: name@example.com
Location: US
IP Address: 12.34.56.7
Operating system: Windows 10 64-bit
Browser: Chrome
and
so how do i set that up then?
1 Like
You can not set this up, it would require changes to Discourse. I think we kind of support at least allowing this optionally.
well if you guys could implement this in an update that’d be great, that way users can use it and if their account is breached or something, they can resolve it and its also good for admins/mods
Our plate is very very full 
1 Like
understandable, but for future updates? like add it to a to-do list? im sure many would enjoy this
Up to @codinghorror if he wants this to be #pr-welcome or plugin material. I am kind of on the fence here.
ah ok, well if he wants to do it that’d be great, would be great if it’s built into the software and not plugin
It is not a bad idea @elijah did you want to work on this? V1 can be simple, use any of the existing templates above, or pick your own from (insert how Internet web site does it here).
4 Likes
Sure, I could look at this shortly.
4 Likes
In my test instance, it is working now, sending messages like this (text part, email part is the md-to-html version):
Somebody asked to reset your password on [Discourse](http://my.example.net).
The request came from 142.254.30.0 using "Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0". If it was not you, you can safely ignore this email.
Click the following link to choose a new password:
http://my.example.net/u/password-reset/316696edbc17931b61a7a5edc69be11a
People can leave out the {user-agent} param from the message, if they don’t like it. I’m going to test injecting HTML through the UA before I make a pull request. Does anyone think it is worthwhile trying to parse the UA? I worry that’s an ocean of messy heuristics.
3 Likes
Hell no definitely do NOT parse the UA! 
1 Like
This is a bit harder than I expected. Trying to escape the HTML in a User-Agent at time of save works:
#<EmailToken id: 23, user_id: 2, email: "qaz@qaz.wsx",
token: "520e6d016c2b78630e6eac35d884c22b",
confirmed: false,
expired: false,
created_at: "2017-08-19 06:30:40",
updated_at: "2017-08-19 06:30:40",
remote_ip: #<IPAddr: IPv4:142.254.30.0/255.255.255.255>,
user_agent: "Mozilla/5.0 (<a href="http://exploitme.inv...">
Then I pull it out and put it in email. In the text part I get a nice straight-forward:
using "Mozilla/5.0 (<a href="http://exploitme.invalid/">Phishing</a>)
And in the HTML part I get:
using “Mozilla/5.0 (<a href="http://exploitme.invalid/" rel="nofollow noopener">Phishing</a>)
Why is it talking my disarmed HTML and rearming it?
1 Like
I went with a belt-and-suspenders fix. Drop any <, >, and ` in the UA, then wrap the UA in backticks so Markdown will treat it as code.
1 Like
I was thinking that the country and city should be provided along with the IP address as well. To a non-technical user, showing them a bunch of random digits might not make any sense to them. 
1 Like
Is Discourse using a geo-ip library already? I didn’t want to add one just for this.
1 Like