catstodon/app/lib/suspicious_sign_in_detector.rb

44 lines
941 B
Ruby
Raw Normal View History

# frozen_string_literal: true
class SuspiciousSignInDetector
IPV6_TOLERANCE_MASK = 64
IPV4_TOLERANCE_MASK = 16
ENABLE_SUSPICIOUS_SIGN_IN = ENV['ENABLE_SUSPICIOUS_SIGN_IN'] != 'false'
def initialize(user)
@user = user
end
def suspicious?(request)
!sufficient_security_measures? && !freshly_signed_up? && !previously_seen_ip?(request) if ENABLE_SUSPICIOUS_SIGN_IN
end
private
def sufficient_security_measures?
@user.otp_required_for_login?
end
def previously_seen_ip?(request)
@user.ips.exists?(['ip <<= ?', masked_ip(request)])
end
def freshly_signed_up?
@user.current_sign_in_at.blank?
end
def masked_ip(request)
masked_ip_addr = begin
ip_addr = IPAddr.new(request.remote_ip)
if ip_addr.ipv6?
ip_addr.mask(IPV6_TOLERANCE_MASK)
else
ip_addr.mask(IPV4_TOLERANCE_MASK)
end
end
"#{masked_ip_addr}/#{masked_ip_addr.prefix}"
end
end