Password reset email should send IP info

Is there a way to make it so that when a user requests a password reset, it sends the IP in the email as well?

1 Like

For what purpose? Can you cite examples? Is this a security concern issue?

For security reasons. Users can do it for spammy purposes, so if someone's doing it to spam, the person can report it or something, or if it's an admin account, he and/or she can block the IP.

I’ve seen that sort of thing before. The wiki associated with Nextthing’s CHIP computer did it for me:

Someone, probably you, from IP address 10.0.0.70,
has registered an account "Elijah" with this email address on www.chip-community.org.

To confirm that this account really does belong to you and activate
email features on www.chip-community.org, open this link in your browser:
 ...

Complete with that not-useful IP address.

1 Like

Couple different ways to approach this…

Here are the details of the sign-in attempt:
Thursday, July 07/20/17 at 17:03 MST
Account: name@example.com
Location: US
IP Address: 12.34.56.7
Operating system: Windows 10 64-bit
Browser: Chrome

and

So how do I set that up then?

1 Like

You cannot set this up; it would require changes to Discourse. I think we kind of support at least allowing this optionally.

Well, if you guys could implement this in an update that'd be great. That way users can use it, and if their account is breached or something, they can resolve it. It's also good for admins/mods.

Our plate is very very full :plate_with_cutlery:

1 Like

Understandable, but for future updates? Like add it to a to-do list? I'm sure many would enjoy this.

Up to @codinghorror if he wants this to be pr-welcome or plugin material. I am kind of on the fence here.

Ah ok, well if he wants to do it that'd be great. It would be great if it's built into the software and not a plugin.

It is not a bad idea. @elijah, did you want to work on this? V1 can be simple: use any of the existing templates above, or pick your own from (insert how Internet web site does it here).

4 Likes

Sure, I could look at this shortly.

4 Likes

In my test instance, it is working now, sending messages like this (text part, email part is the md-to-html version):

Somebody asked to reset your password on [Discourse](http://my.example.net).

The request came from 142.254.30.0 using "Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0". If it was not you, you can safely ignore this email.

Click the following link to choose a new password:
http://my.example.net/u/password-reset/316696edbc17931b61a7a5edc69be11a

People can leave out the {user-agent} param from the message, if they don’t like it. I’m going to test injecting HTML through the UA before I make a pull request. Does anyone think it is worthwhile trying to parse the UA? I worry that’s an ocean of messy heuristics.

3 Likes

Hell no definitely do NOT parse the UA! :wink:

1 Like

This is a bit harder than I expected. Trying to escape the HTML in a User-Agent at time of save works:

#<EmailToken id: 23, user_id: 2, email: "qaz@qaz.wsx",
token: "520e6d016c2b78630e6eac35d884c22b",
confirmed: false,
expired: false,
created_at: "2017-08-19 06:30:40",
updated_at: "2017-08-19 06:30:40",
remote_ip: #<IPAddr: IPv4:142.254.30.0/255.255.255.255>,
user_agent: "Mozilla/5.0 (&lt;a href=&quot;http://exploitme.inv...">

Then I pull it out and put it in email. In the text part I get a nice straight-forward:

using "Mozilla/5.0 (&lt;a href=&quot;http://exploitme.invalid/&quot;&gt;Phishing&lt;/a&gt;)

And in the HTML part I get:

using “Mozilla/5.0 (<a href="http://exploitme.invalid/" rel="nofollow noopener">Phishing</a>)

Why is it taking my disarmed HTML and rearming it?

1 Like

I went with a belt-and-suspenders fix. Drop any <, >, and ` in the UA, then wrap the UA in backticks so Markdown will treat it as code.

https://github.com/discourse/discourse/pull/5069

1 Like
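An added illustration of the two approaches discussed above (this is example code written for this thread, not the Discourse PR). It models the failure mode as an entity-decoding step before the HTML is emitted; that model is an assumption, and the sample User-Agent strings are constructed.

```ruby
require "cgi"

# Constructed sample User-Agent strings, not taken from real traffic.
BENIGN_UA  = "Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0"
HOSTILE_UA = 'Mozilla/5.0 (<a href="http://exploitme.invalid/">Phishing</a>)'

# Approach 1 (the one that did not hold up in the thread): HTML-escape the
# value when it is saved. This is only safe if nothing downstream decodes the
# entities again before the HTML part of the email is produced.
def escape_at_save(ua)
  CGI.escapeHTML(ua)
end

# Assumed model of a renderer that decodes entities on its way to HTML output.
# It reproduces the "rearming" seen in the thread: the escaped markup comes
# back as live markup.
def rendering_pipeline(text)
  CGI.unescapeHTML(text)
end

# Approach 2 (the belt-and-suspenders fix from the thread): drop every
# character that could open a tag or close a code span, then wrap the value in
# backticks so Markdown treats it as literal code. With no '<' or '>' left
# there is nothing for a later decoding step to turn back into a tag.
def sanitize_ua_for_markdown(ua)
  "`#{ua.delete('<>`')}`"
end

# Cheap check used to compare the two approaches' output.
def contains_markup?(text)
  text.include?("<") || text.include?(">")
end
```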

I was thinking that the country and city should be provided along with the IP address as well. To a non-technical user, showing them a bunch of random digits might not make any sense to them. :thought_balloon:

1 Like

Is Discourse using a geo-ip library already? I didn’t want to add one just for this.

1 Like