RFC: Limit logins (by concurrency, location)

[balazsorban44]

Summary of proposed feature

Concurrent login: When a single user/account has multiple active/valid sessions throughout multiple devices/windows.

When a user tries to log in with their correct credentials, there are still multiple reasons for why it can be useful to reject/cancel the login process:

Purpose of proposed feature

• If the content is only meant to be reached from a certain location (eg.: only on a certain IP range, country, etc.). This can protect from outside attacks.
• Prevent misuse of subscriptions: In a subscription-based service, when concurrent logins are unlimited, users might share their subscription with others, which can lead to decreased profit for the company.
• In some way, unlimited logins can also lead to security issues, if the user simply forgets they were logged in on some machine that are accessible by others.

Detail about proposed feature

To begin with, I propose a simple configuration API with a database, which holds the session information.

Example:

loginRestrictions: {
  location: {
    country: "Norway", // can use something like the Geolocation API https://developer.mozilla.org/en-US/docs/Web/API/Geolocation_API
    ip: ["192.168.*.*"] // Not an expert, maybe https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For could help?
  },
  concurrency: {
    limit: 5,
    // by default, the oldest session could be invalidated,
    // but it could be possible to do other stuff here,
    // like showing a notification to the user, etc.
    // This must be further discussed
    handleLimitReached() {} 
  }
}

Potential problems
We should decide if the database needs to implement everything defined in the Models, or Session is enough, to keep it simple. It is interesting if one wishes to keep the JWT flow for everything else than session management.

Describe any alternatives you've considered
I started a discussion here with @iaincollins, and he agreed that a first-class solution would be interesting to others as well.
https://twitter.com/balazsorban44/status/1275757217103384576

Please indicate if you are willing and able to help implement the proposed feature.

I am willing to help with the implementation if we come to an agreement on the details.

[nyedidikeke]

Nice idea @balazsorban44. Suggesting a list of values defined from the UTC offset of the time zone of the user or time zone code; either or both options will be great alternative to geolocation as the later requires an explicit consent of the user.

We can also have concurrency, a permissible number of attempts, with a temporary account lock as throttling options.

Below, the modulated snippet;

allow: {
  ip: [],
  timezone: [0, 480], // or define same using timezoneCode: ['Africa/Accra', 'America/Los_Angeles'],
},
deny: {
  ip: [],
  timezone: [],
},
throttle: {
  concurrent: 5, // maximum number of active login sessions allowed.
  limit: 3, // total number of permissible attempts prior to temporary lock of account.
  temporaryLock: 300, // a defined period in seconds to effect the temporary lock of account;
  // here, disable login for the next 5 minutes after 3 consecutive failed authentication attempts.
},

[stale]

Hi there! It looks like this issue hasn't had any activity for a while. It will be closed if no further activity occurs. If you think your issue is still relevant, feel free to comment on it to keep ot open. Thanks!

[stale]

Hi there! It looks like this issue hasn't had any activity for a while. To keep things tidy, I am going to close this issue for now. If you think your issue is still relevant, just leave a comment and I will reopen it. (Read more at #912) Thanks!

[rnbokade]

Came here looking for exact same thing since my current project requires me to logout all other sessions but current. As in only allow single session.
For now I am thinking if there is anyway I could call session invalidation from signin callback or session callback which could invalidate all other sessions for current user on new logins.

[rnbokade]

I propose to implement this using custom DB adapter. Basically in CreateSession method one can extend the functionality to find oldest session of given data.userid and set the expires to now(). This will result in the user's oldest session being smoothly logged out whenever they actually use the getsession method

[Tittoh]

I'm here looking for the implementation that allows a single session.

[geekyayush]

It would be great if we are able to pass the request information such as IP address to all the adapter methods.
For instance, we can limit the number of magic link sends for individual IP.

[DarkNeedle]

Any progress on this?