
Improving Access Tokens #18 (Open)

idk-pixel opened this issue Dec 29, 2021 · 4 comments

Comments

@idk-pixel

idk-pixel commented Dec 29, 2021

Feature Request

IP Security
Whenever a user signs up, an access token contains the IP that will be kept on being used, and inform this on the signup form.
Whenever they log in without the IP that was given during sign-up, they will reset their password (email + UI saying to check email and to resend the emails, and not allow them to access the site until they do reset it) OR they can get an email to authorize the IP and show an error message saying to check the email. (Setting chosen in admin dash.)

Justifying why this feature belongs in Flarum's core, rather than in a third-party extension
This feature should belong to the Flarum core because, rather than an extension handling these security risks, the Flarum core can handle it and always be up-to-date, and can prevent users having to wait for third parties to update the security extension.

@clarkwinkelmann (Member)

This sounds like an excellent candidate for an extension.

Most websites don't ask users to double-authenticate new websites or devices. I understand the need for sensitive or high profile forums, but I don't think this is a feature that will interest most regular communities.

Flarum already associates the IP with access tokens. However there is no constraint, and the IP or user agent is even allowed to change during a single session.

I feel like a proper implementation of this wouldn't even rely on the IP or user agent only, but rather create unique device IDs, and then integrate security checks around the IPs and user agents used on the registered devices. This quickly gets way outside of the scope of Flarum core.

Many websites might also want a less strict option, for example sending an email when a new device is detected. An extension could implement this extremely easily.
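As an added illustration of the design Clark sketches above (not code from Flarum or from anyone in this thread), the model below registers per-user device IDs derived from the user agent and the IP's network prefix, and applies the two policies the issue mentions, "notify on new device" versus "require email re-authorization". All names, the /24 and /64 prefix choice, and the sample values are assumptions of this example.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Constructed policy names standing in for the "setting chosen in admin dash".
NOTIFY = "notify"           # email the user, let the login proceed
REQUIRE_REAUTH = "reauth"   # block the session until the user confirms by email


@dataclass
class DeviceRegistry:
    policy: str = NOTIFY
    known: dict = field(default_factory=dict)    # user_id -> set of device IDs
    events: list = field(default_factory=list)   # (user_id, event, device_id) audit trail

    @staticmethod
    def device_id(user_agent: str, ip: str) -> str:
        # Hash the user agent together with the network prefix rather than the exact
        # address, so an address change inside the same /24 (IPv4) or /64 (IPv6)
        # does not register as a brand-new device. Prefix lengths are assumptions.
        bits = 24 if ipaddress.ip_address(ip).version == 4 else 64
        prefix = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
        return hashlib.sha256(f"{user_agent}|{prefix}".encode()).hexdigest()[:16]

    def register(self, user_id: str, user_agent: str, ip: str) -> str:
        did = self.device_id(user_agent, ip)
        self.known.setdefault(user_id, set()).add(did)
        return did

    def check_login(self, user_id: str, user_agent: str, ip: str) -> str:
        # Decide what happens when this user logs in from (user_agent, ip).
        did = self.device_id(user_agent, ip)
        if did in self.known.get(user_id, set()):
            return "allow"
        self.events.append((user_id, "new_device", did))
        if self.policy == REQUIRE_REAUTH:
            return "deny_pending_email"    # device stays unregistered until confirmed
        self.register(user_id, user_agent, ip)
        return "allow_notified"            # login proceeds, notification email queued

    def session_matches(self, token_device: str, user_agent: str, ip: str) -> bool:
        # Addresses Clark's point that IP/user agent may change mid-session:
        # compare the device bound to the access token with the current request.
        return token_device == self.device_id(user_agent, ip)
```

The "notify" policy is the lenient option described in the last paragraph above; "reauth" is the stricter flow from the original request.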

@tankerkiller125

I agree with Clark here that this would be better as an extension, however I will say that when I previously tried to use a 3rd party auth check tool (Castle) I found that our login is missing important events required to use it properly (though I can't remember which ones), however that was also in beta.11 so things may have changed since then.

@idk-pixel (Author)

> I agree with Clark here that this would be better as an extension, however I will say that when I previously tried to use a 3rd party auth check tool (Castle) I found that our login is missing important events required to use it properly (though I can't remember which ones), however that was also in beta.11 so things may have changed since then.

Thanks for replying to me. I had beforehand requested this in beta 11. It was going to be done, but someone's PR got closed for it. I think this should be built in as it can put a better look on Flarum, so it just doesn't look like a forum that can only be good with extensions.

@tankerkiller125

The idea behind Flarum is that it's a Forum Framework; the entire point is that while Flarum holds the core basics, everything else is an extension/can be an extension.

It's the reason that things like file uploads, OAuth2 with Google, Github, etc., Spammer Management, etc. are all extensions and not built in. And to be honest even most of the core features are in fact extensions themselves (tags, follows, likes, etc.)

@askvortsov1 askvortsov1 transferred this issue from flarum/framework Mar 10, 2022