User:DWalden (WMF)/LoginNotify

From mediawiki.org

Feature documentation

Extension:LoginNotify

Test documentation

Where to test it

It should be enabled on most wikis on beta and production.

How to install locally

First, install Echo, then install LoginNotify.

(Optional, but recommended) Set up email. Also go to Special:Preferences and check that the user you are testing with has an email set up. I normally use <username>@localhost.

Capabilities

  • When you log in successfully, you may see an email and/or Echo notification.
    • I am not sure exactly the conditions under which the notification will be sent.
    • The IP you used to login will be recorded somewhere:
      • in some cases in a cache (not sure where)
      • in cu_changes or cu_private_events (if $wgLoginNotifyUseCheckUser = true;)
      • in loginnotify_seen_net (if $wgLoginNotifyUseSeenTable = true;)
  • When an attempt to log in as a user is unsuccessful (i.e. incorrect password), that user is notified (via email and/or Echo notification).
    • The wording of the email/notification will depend on whether it is a new IP address or one you have logged in with before (within a particular time span), or whether you have a cookie set from when you last successfully logged in to the account.

Important: LoginNotify looks at the subnet that the IP is a part of: /24 for IPv4 and /64 for IPv6. So IPs 1.2.3.4 and 1.2.3.5 are considered the same, but 1.2.3.4 and 2.2.3.4 are considered different. When you are testing a "new" IP address and want to make sure LoginNotify will treat it as new, change the first number in the IP.
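The subnet rule above can be checked before choosing X-Forwarded-For values for a test run. The following Python sketch is an added example, not LoginNotify code; the function names and sample addresses are constructed for illustration, and it assumes only the /24 and /64 prefix lengths stated above.

```python
import ipaddress

# Prefix lengths as stated on this page: /24 for IPv4, /64 for IPv6.
PREFIX_BY_VERSION = {4: 24, 6: 64}


def network_of(ip):
    """Return the /24 (IPv4) or /64 (IPv6) network containing `ip`."""
    addr = ipaddress.ip_address(ip.strip())
    prefix = PREFIX_BY_VERSION[addr.version]
    # strict=False masks off the host bits instead of raising ValueError.
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def same_network(ip_a, ip_b):
    """True if both addresses fall in the same network under the rule above."""
    # Networks of different IP versions never compare equal.
    return network_of(ip_a) == network_of(ip_b)


def classify(seen_ips, candidate_ips):
    """Label each candidate 'known' or 'new' relative to earlier login IPs."""
    seen = {network_of(ip) for ip in seen_ips}
    return {
        ip: "known" if network_of(ip) in seen else "new"
        for ip in candidate_ips
    }


# Constructed sample data: IPs of earlier successful logins, and header
# values a tester is considering for the next attempt.
SEEN = ["1.2.3.4", "2001:db8:0:1::10"]
CANDIDATES = [
    "1.2.3.5",               # same /24 as 1.2.3.4
    "2.2.3.4",               # first number changed
    "1.2.4.4",               # third number changed: a different /24
    "2001:db8:0:1:ffff::1",  # same /64 as 2001:db8:0:1::10
    "2001:db8:0:2::10",      # different /64
]

if __name__ == "__main__":
    for ip, label in classify(SEEN, CANDIDATES).items():
        print(f"{ip:24} {network_of(ip)!s:24} {label}")
```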

Techniques

Example scenarios to test.

Setup

Run this query in the database: ALTER TABLE loginnotify_seen_net MODIFY COLUMN lsn_time_bucket BIGINT NOT NULL;

Add this to LocalSettings.php:

$wgCdnServersNoPurge = [ '172.0.0.1/8' ];
$wgUsePrivateIPs = true;

$wgLoginNotifyAttemptsKnownIP = 1;
$wgLoginNotifyAttemptsNewIP = 1;
$wgLoginNotifyUseCheckUser = false;
$wgLoginNotifyUseSeenTable = true;
$wgLoginNotifyCookieExpire = 0;
$wgLoginNotifySeenExpiry = 30;
$wgLoginNotifySeenBucketSize = 10;

Install a browser extension which allows you to change your X-Forwarded-For header. For example, this one for Firefox or Chrome.

Testing

Log in successfully. In the database, run SELECT * FROM loginnotify_seen_net; to see a new row created.

After ~10 seconds (the value of $wgLoginNotifySeenBucketSize), another successful login from the same IP address will create a new row in the database.

A successful login from a new IP address should always create a new row, even within 10 seconds.

Check http://localhost:8025/ to see what email notifications have been sent.

Try to log in as the same username but with an incorrect password. Check your email at http://localhost:8025/.

If it is within 30 seconds (value of $wgLoginNotifySeenExpiry) of your last login and you haven't changed your IP, the email will start: There has been a failed attempt to log in to your account since the last time you logged in.

If it is a new IP, or outside of 30 seconds, the email will start: There has been a failed attempt to log in to your account from a new device.

If login fails multiple times, the email will show a count of the number of times login failed.

Logs and debugging

The behaviour of LoginNotify is a bit opaque to me at times. To see what is happening in the backend, search in the logs for [LoginNotify].