
Store IP during signups, restrict tokens to IPs #1613

Open
hkirat opened this issue Dec 6, 2024 · 4 comments · May be fixed by #1623 or #1642
Labels
bug Something isn't working

Comments

@hkirat
Copy link
Contributor

hkirat commented Dec 6, 2024

Right now tokens can be shared and multiple people can log in.
Restricting by IP should help in protecting that.

@hkirat hkirat added the bug Something isn't working label Dec 6, 2024
@EswarPranavNadhHari
Copy link

What if users switch between Wi-Fi and mobile data? Won't it be a problem?

@randomboy24
Copy link

We can add the user's IP to the JWT payload when the user logs in and implement middleware to match the IP from the incoming request with the IP in the JWT payload. If they don't match, the user will be logged out.
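
The IP-binding check described in this comment, written out as an added example (not code from the cms project or from any commenter): a minimal HS256 JWT carrying the login IP, a middleware-style comparison against the request IP, and the two outcomes the thread is concerned with, a legitimate network switch and a shared token whose IP claim has been edited. The secret, user id and addresses are constructed sample values; the `behindProxy` flag is an assumption about the deployment.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not cms project code: HS256 JWT with an ip claim plus the
// middleware-style check that compares that claim with the request IP.
const b64url = (s: string): string => Buffer.from(s).toString("base64url");
function signToken(payload: Record<string, unknown>, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", secret).update(`${header}.${body}`).digest("base64url");
  return `${header}.${body}.${sig}`;
}
// Returns the payload only if the signature verifies, so the ip claim is
// covered by the signature and cannot simply be rewritten by a token holder.
function verifyToken(token: string, secret: string): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  const expected = createHmac("sha256", secret).update(`${header}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  return JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
}
// Behind one trusted reverse proxy the rightmost X-Forwarded-For entry is the
// address the proxy saw; with no proxy the header is client-supplied, so only
// the socket address is used. behindProxy is a deployment assumption.
function clientIp(headers: Record<string, string | undefined>, socketIp: string, behindProxy: boolean): string {
  const xff = headers["x-forwarded-for"];
  if (!behindProxy || !xff) return socketIp;
  const hops = xff.split(",").map((h) => h.trim()).filter(Boolean);
  return hops[hops.length - 1] ?? socketIp;
}
type SessionCheck = "ok" | "invalid-token" | "ip-mismatch";
function checkSession(token: string, requestIp: string, secret: string): SessionCheck {
  const payload = verifyToken(token, secret);
  if (!payload || typeof payload.ip !== "string") return "invalid-token";
  return payload.ip === requestIp ? "ok" : "ip-mismatch";
}
// Constructed scenario: login on Wi-Fi, the same token used from mobile data
// (the case raised in the thread), and a copy whose ip claim was edited.
function demo(): SessionCheck[] {
  const secret = "constructed-demo-secret";
  const token = signToken({ sub: "user-1", ip: "203.0.113.10" }, secret);
  const [h, , s] = token.split(".");
  const edited = `${h}.${b64url(JSON.stringify({ sub: "user-1", ip: "198.51.100.7" }))}.${s}`;
  return [
    checkSession(token, "203.0.113.10", secret), // "ok"
    checkSession(token, "198.51.100.7", secret), // "ip-mismatch": network switch logs the user out
    checkSession(edited, "198.51.100.7", secret), // "invalid-token": signature no longer matches
  ];
}
```

The second result is exactly the usability cost raised in the replies below: any change of client address, including a Wi-Fi to mobile handover, ends the session.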

@IkramBagban
Copy link
Contributor

IkramBagban commented Dec 9, 2024

right now tokens can be shared and multiple people can login Restricting by IP should help in protecting that

Hey Harkirat, I was thinking of opening this issue, but I noticed that you have already opened it. I also thought about the solution of restricting IPs to prevent multi-login. However, there is a problem: IPs often change. This means users would have to log in repeatedly whenever they switch networks, which might not be an ideal solution.

I was researching this some days ago and I have found a solution. We can use device and browser fingerprints to ensure that only one device can be logged in at a time by storing the device and browser's details, such as resolution, user agent, etc. This way we can make sure only one user login at a time.

I would love to work on it if you could assign this task to me.

@hkirat @devsargam

Please check the pull request #1642. I've added a detailed explanation of what I am doing to resolve this issue.

AritraDey-Dev added a commit to AritraDey-Dev/cms that referenced this issue Jan 6, 2025
Fixes code100x#1613

Add IP address to JWT payload and session user during signups and logins.

* **src/lib/auth.ts**
  - Add IP address to session user, token, and user interfaces.
  - Include IP address in JWT payload during signups and logins.
  - Retrieve user's IP address from request headers during authorization.
  - Store IP address in user object during login.

* **src/middleware.ts**
  - Add IP address to user interface.
  - Check if the IP address matches the one in the JWT payload.
  - Redirect to invalid session page if IP address doesn't match.

* **src/actions/user/index.ts**
  - Import FingerprintJS package.
  - Add function to store device and browser details during login.
  - Generate unique device ID using FingerprintJS.
  - Store device details in the user table.

---

For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/code100x/cms/issues/1613?shareId=XXXX-XXXX-XXXX-XXXX).
4 participants