mirror of
https://git.kescher.at/CatCatNya/catstodon.git
synced 2024-11-25 07:28:07 +01:00
21a0804210
The CatCatNya~ production config has an IP retention period of one day. That will cause suspicious login emails to be sent out simply because we don't have any known IP data. Therefore, add an option disabling it.
43 lines
942 B
Ruby
43 lines
942 B
Ruby
# frozen_string_literal: true
|
|
|
|
class SuspiciousSignInDetector
|
|
IPV6_TOLERANCE_MASK = 64
|
|
IPV4_TOLERANCE_MASK = 16
|
|
ENABLE_SUSPICIOUS_SIGN_IN = ENV['ENABLE_SUSPICIOUS_SIGN_IN'] != 'false'
|
|
|
|
def initialize(user)
|
|
@user = user
|
|
end
|
|
|
|
def suspicious?(request)
|
|
!sufficient_security_measures? && !freshly_signed_up? && !previously_seen_ip?(request) if DISABLE_SUSPICIOUS_SIGN_IN
|
|
end
|
|
|
|
private
|
|
|
|
def sufficient_security_measures?
|
|
@user.otp_required_for_login?
|
|
end
|
|
|
|
def previously_seen_ip?(request)
|
|
@user.ips.exists?(['ip <<= ?', masked_ip(request)])
|
|
end
|
|
|
|
def freshly_signed_up?
|
|
@user.current_sign_in_at.blank?
|
|
end
|
|
|
|
def masked_ip(request)
|
|
masked_ip_addr = begin
|
|
ip_addr = IPAddr.new(request.remote_ip)
|
|
|
|
if ip_addr.ipv6?
|
|
ip_addr.mask(IPV6_TOLERANCE_MASK)
|
|
else
|
|
ip_addr.mask(IPV4_TOLERANCE_MASK)
|
|
end
|
|
end
|
|
|
|
"#{masked_ip_addr}/#{masked_ip_addr.prefix}"
|
|
end
|
|
end
|