Password reset email should send IP info


#1

Is there a way to make it so that when a user requests a password reset, it sends the IP in the email as well?


(Jeff Atwood) #2

For what purpose? Can you cite examples? Is this a security concern issue?


#3

For security reasons. Users can do it for spammy purposes, so if someone’s doing it to spam, the person can report it or something, or if it’s an admin account, he and/or she can block the IP.


(Eli the Bearded) #4

I’ve seen that sort of thing before. The wiki associated with Nextthing’s CHIP computer did it for me:

Someone, probably you, from IP address 10.0.0.70,
has registered an account "Elijah" with this email address on www.chip-community.org.

To confirm that this account really does belong to you and activate
email features on www.chip-community.org, open this link in your browser:
 ...

Complete with that not-useful IP address.


(Jeff Atwood) #5

Couple different ways to approach this…

Here are the details of the sign-in attempt:
Thursday, July 07/20/17 at 17:03 MST
Account: name@example.com
Location: US
IP Address: 12.34.56.7
Operating system: Windows 10 64-bit
Browser: Chrome

and


#6

So how do I set that up then?


(Sam Saffron) #7

You cannot set this up; it would require changes to Discourse. I think we kind of support at least allowing this optionally.


#8

Well, if you guys could implement this in an update that’d be great; that way users can use it, and if their account is breached or something, they can resolve it. It’s also good for admins/mods.


(Sam Saffron) #9

Our plate is very very full :plate_with_cutlery:


#10

Understandable, but for future updates? Like add it to a to-do list? I’m sure many would enjoy this.


(Sam Saffron) #11

Up to @codinghorror if he wants this to be #pr-welcome or plugin material. I am kind of on the fence here.


#12

Ah OK, well if he wants to do it that’d be great. It would be great if it’s built into the software and not a plugin.


(Jeff Atwood) #13

It is not a bad idea. @elijah, did you want to work on this? V1 can be simple: use any of the existing templates above, or pick your own from (insert how Internet web site does it here).


(Eli the Bearded) #14

Sure, I could look at this shortly.


(Eli the Bearded) #15

In my test instance, it is working now, sending messages like this (text part, email part is the md-to-html version):

Somebody asked to reset your password on [Discourse](http://my.example.net).

The request came from 142.254.30.0 using "Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0". If it was not you, you can safely ignore this email.

Click the following link to choose a new password:
http://my.example.net/u/password-reset/316696edbc17931b61a7a5edc69be11a

People can leave out the {user-agent} param from the message, if they don’t like it. I’m going to test injecting HTML through the UA before I make a pull request. Does anyone think it is worthwhile trying to parse the UA? I worry that’s an ocean of messy heuristics.


(Jeff Atwood) #16

Hell no definitely do NOT parse the UA! :wink:


(Eli the Bearded) #17

This is a bit harder than I expected. Trying to escape the HTML in a User-Agent at time of save works:

#<EmailToken id: 23, user_id: 2, email: "qaz@qaz.wsx",
token: "520e6d016c2b78630e6eac35d884c22b",
confirmed: false,
expired: false,
created_at: "2017-08-19 06:30:40",
updated_at: "2017-08-19 06:30:40",
remote_ip: #<IPAddr: IPv4:142.254.30.0/255.255.255.255>,
user_agent: "Mozilla/5.0 (&lt;a href=&quot;http://exploitme.inv...">

Then I pull it out and put it in email. In the text part I get a nice straight-forward:

using "Mozilla/5.0 (&lt;a href=&quot;http://exploitme.invalid/&quot;&gt;Phishing&lt;/a&gt;)

And in the HTML part I get:

using “Mozilla/5.0 (<a href="http://exploitme.invalid/" rel="nofollow noopener">Phishing</a>)

Why is it taking my disarmed HTML and rearming it?


(Eli the Bearded) #18

I went with a belt-and-suspenders fix. Drop any <, >, and ` in the UA, then wrap the UA in backticks so Markdown will treat it as code.
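
The two approaches from posts #17 and #18 side by side, as an added example that is not Discourse's code: `escape_at_save` models the first attempt, `rendered_html_part` is an assumed stand-in for the md-to-html step that decodes entities and rearms the markup, and `sanitize_user_agent` is the belt-and-suspenders version (drop `<`, `>` and backtick, then wrap in backticks). The crafted User-Agent is a constructed sample modelled on the one tested in the thread.

```ruby
require "cgi"

# Approach 1 (post #17): HTML-escape the User-Agent when it is saved.
# The plain-text part of the email then reads correctly ...
def escape_at_save(user_agent)
  CGI.escapeHTML(user_agent)
end

# ... but if the Markdown/HTML pipeline later decodes entities before
# rendering (an assumption about the pipeline, modelled with
# CGI.unescapeHTML), the escaped markup is rearmed and a live link
# ends up in the HTML part.
def rendered_html_part(stored_value)
  CGI.unescapeHTML(stored_value)
end

# Approach 2 (post #18): remove every character that could open an HTML
# tag or terminate the code span, then wrap the value in backticks so
# Markdown renders it as inline code instead of interpreting it.
def sanitize_user_agent(user_agent)
  cleaned = user_agent.delete("<>`")
  "`#{cleaned}`"
end

# True when the string still contains something that looks like a tag.
def html_markup?(s)
  s.match?(%r{<[a-z/]}i)
end

# Constructed samples (not real traffic): a benign UA and a crafted one.
NORMAL_UA  = "Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0"
CRAFTED_UA = 'Mozilla/5.0 (<a href="http://exploitme.invalid/">Phishing</a>)'

if __FILE__ == $0
  stored = escape_at_save(CRAFTED_UA)
  puts "text part : using \"#{stored}\""
  puts "html part : using \"#{rendered_html_part(stored)}\"   <- rearmed"
  puts "sanitized : using #{sanitize_user_agent(CRAFTED_UA)}"
  puts "benign    : using #{sanitize_user_agent(NORMAL_UA)}"
end
```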


(Alan Tan) #19

I was thinking that the country and city should be provided along with the IP address as well. To a non-technical user, showing them a bunch of random digits might not make any sense to them. :thought_balloon:


(Eli the Bearded) #20

Is Discourse using a geo-ip library already? I didn’t want to add one just for this.