
Store IP during signups, restrict tokens to IPs #1613

Open
hkirat opened this issue Dec 6, 2024 · 4 comments · May be fixed by #1623 or #1642
Labels
bug Something isn't working

@hkirat
Contributor

hkirat commented Dec 6, 2024

Right now tokens can be shared and multiple people can log in.
Restricting by IP should help in protecting against that.

@hkirat hkirat added the bug Something isn't working label Dec 6, 2024
@EswarPranavNadhHari

What if users switch between Wi-Fi and mobile data? Won't it be a problem?

@randomboy24

We can add the user's IP to the JWT payload when the user logs in and implement middleware to match the IP from the incoming request with the IP in the JWT payload. If they don't match, the user will be logged out.

@IkramBagban
Contributor

right now tokens can be shared and multiple people can login Restricting by IP should help in protecting that

Hey Harkirat, I was thinking of opening this issue, but I noticed that you have already opened it. I also thought about the solution of restricting IPs to prevent multi-login. However, there is a problem: IPs often change. This means users would have to log in repeatedly whenever they switch networks, which might not be an ideal solution.

I was researching this some days ago and I have found a solution. We can use device and browser fingerprints to ensure that only one device can be logged in at a time by storing the device's and browser's details, such as resolution, user agent, etc. This way we can make sure only one user is logged in at a time.

I would love to work on it if you could assign this task to me.

@IkramBagban
Contributor

IkramBagban commented Dec 9, 2024

@hkirat @devsargam

Please check the pull request #1642. I've added a detailed explanation of what I am doing to resolve this issue.

4 participants