User:DWalden (WMF)/LoginNotify

Feature documentation
Extension:LoginNotify

Where to test it
It should be enabled on most wikis on beta and production.

How to install locally
First, install Echo, then install LoginNotify.

(Optional, but recommended) Setup email. Also go to Special:Preferences and check that the user you are testing with has an email setup. I normally use.

Capabilities

 * When you login successfully, you may see an email and/or Echo notification.
 * I am not sure exactly the conditions under which the notification will be sent.
 * The IP you used to login will be recorded somewhere:
 * in some cases in a cache (not sure where)
 * in  or   (if  )
 * in  (if  )
 * When an attempt to login as a username is unsuccessful (i.e. incorrect password), the username is notified (via email and/or Echo notification).
 * The wording of the email/notification will depend on whether it is a new IP address or one you have logged in with before (within a particular time span) or if you have a cookie set when you lasted successfully logged in to the account.

Important: LoginNotify looks at the subnet that the IP is a part of. /24 for IPv4 and /64 for IPv6. So IPs 1.2.3.4 and 1.2.3.5 are considered the same but 1.2.3.4 and 2.2.3.4 are considered different. When attempting to test a "new" IP address and you want to make sure LoginNotify will treat it as new, change the first number in the IP.

Techniques
Example scenarios to test.

Setup

Run this query in the database:

Add this to :

Install a browser extension which allows you to change your X-Forward-For header. For example, this one for Firefox or Chrome.

Testing

Login successfully. In the database, run  to see a new row created.

After ~10 seconds (the value of ), another successful login from the same IP address will create a new row in the database.

A successful login from a new IP address should always create a new row, even within 10 seconds.

Check http://localhost:8025/ to see what email notifications have been sent.

Try to login as the same username but with an incorrect password. Check your email http://localhost:8025/.

If it is within 30 seconds (value of ) of your last login and you haven't changed your IP, the email will start:

If it is a new IP, or outside of 30 seconds, the email will start:

If you fail login multiple times the email will show you a count of the number of times login failed.

Logs and debugging
The behaviour of LoginNotify is a bit opaque to me at times. To see what is happening in the backend, search in the logs for.