Password reset email should send IP info

Yes, in admin there is a button next to the IP. It is actually broken at the moment and @tgxworld was looking at it.

Okay, I’ll figure out how to integrate that, too, then.

2 Likes

And on password request emails if I implement that with the suggestions from yesterday.

Would it be better to not do so and leave that as a template action?

The request came from %{remote_ip} ([lookup %{remote_ip}](https://geoipsite.example/ip=%{remote_ip})).

If nothing else, it would allow picking a lookup tool that’s localized.

I would just use whatever default service. Nobody complains when the default search is Google, for example. If someone wants to change it they can edit the text like anywhere else.

I think my question was not clear enough.

  1. Should I use the API that’s on the admin interface, which is possibly a security concern (per Sam in the linked topic)?
  2. Or should I just include a link to an online service that people can edit if they like, just like text anywhere else?

I’m leaning towards 2 myself now.

I am not following this at all, you are putting a link in an email, people can see where the link goes and click or not click. What is the problem here?

Yesterday the request was to use the geo-ip library used elsewhere in Discourse already, which I read as “do the lookup before composing email message”:

2 Likes

Oh I understand now, apologies. Let’s belay that order, server side geolocation of the IP would make things hairier and further cement this dependency plus a whole lot more “IP leakage” to some random IP lookup service. Your concern is 100% warranted.

A simple link in email is best versus server side geolocation.

4 Likes

I see it’s on the Discourse GitHub. I tested it and, well, it didn’t work, even though I had updated it.

My changes have not been folded in yet. I have some additional modifications to do and then to resubmit. Soon.

3 Likes

New commit, now with passing tests!

And the suggested I18n plus a link to an IP lookup in the message.

Somebody asked to reset your password on [Discourse](https://example.com).

The request came from [142.100.20.200](https://ipinfo.io/142.100.20.200) using
"`Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0`".
If it was not you, you can safely ignore this email.

Click the following link to choose a new password:
https://example.com/u/password-reset/8d9b1570c28f1c8ac1c16d008923e337
4 Likes
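
The "link in the email, no server-side lookup" approach settled on above, as an added Ruby example; it is not code from the pull request or from Discourse. The template constant, helper names and allowed-key list are hypothetical, and `geoipsite.example` is the placeholder host used earlier in the thread. The IP is parsed before it reaches the link, and the client-supplied user agent is stripped of backticks so it cannot close the code span it is rendered in.

```ruby
require "ipaddr"
require "erb"

# Hypothetical template; keys mirror the %{remote_ip} style used in the thread.
TEMPLATE = 'The request came from [%{remote_ip}](%{lookup_url}) using "`%{user_agent}`".'
LOOKUP_BASE = "https://geoipsite.example/ip=" # placeholder host from the thread
ALLOWED_KEYS = %i[remote_ip lookup_url user_agent].freeze

# Keys used by a site-edited template that the mailer would not supply.
def invalid_keys(template)
  template.scan(/%\{(\w+)\}/).flatten.map(&:to_sym).uniq - ALLOWED_KEYS
end

# Builds the line locally: no outbound geolocation request is made, so the
# requester's IP is only sent to the lookup site if the recipient clicks.
def reset_request_line(remote_ip, user_agent, template: TEMPLATE, lookup_base: LOOKUP_BASE)
  bad = invalid_keys(template)
  raise ArgumentError, "invalid interpolation key(s): #{bad.join(', ')}" unless bad.empty?

  # IPAddr accepts "addr/prefix" and would mask it, so reject that form first.
  raise ArgumentError, "prefix not allowed" if remote_ip.include?("/")
  ip = IPAddr.new(remote_ip).to_s # raises IPAddr::InvalidAddressError on junk

  # The User-Agent header is client-controlled: keep printable ASCII only,
  # drop backticks, and cap the length.
  ua = user_agent.to_s.scrub("").gsub(/[^\x20-\x7e]/, "").delete("`")[0, 200]

  format(template,
         remote_ip: ip,
         lookup_url: lookup_base + ERB::Util.url_encode(ip),
         user_agent: ua)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values.
  puts reset_request_line("142.100.20.200", "Mozilla/5.0 (X11; Linux x86_64) Firefox/55.0")
end
```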

Might want to make the following text more explicit, as shown:

(I work Customer Service, and deal with non-technical people all the time.) Your original copy would cause many to wonder if they should click the link Even If they had not tried to access the account. Yes, the original message is completely unambiguous. Yes, native English speakers will still misunderstand it.

2 Likes

I can edit the copy later, thanks for the suggestion.

You said it has passing tests. I’ve updated multiple times for the past few days and haven’t seen changes.

@pain, it hasn’t been merged yet. You can track it at https://github.com/discourse/discourse/pull/5069

4 Likes

Ah, I didn’t check it on GitHub. I had just thought that since he said it has passing tests, it had just been added.

Can I just put this on my email templates directly?

However, when I copied this code, it popped up an error as well.

Body: The following interpolation key(s) are invalid: “remote_ip”

I’m very novice on how to pull from GitHub. Please guide me through.

If you examine the pull request at issue, it was closed without being merged. Therefore the example template is not expected to work.

So I guess it was just forgotten about and canceled?
I even forgot I requested this -.-

Yes, it looks like the PR submitter either forgot about it or lost interest, so it was closed because leaving every incomplete PR open would quickly turn into a logistical nightmare.

3 Likes