
Show useragent data and username on new device login emails
Open, Medium, Public

Description

Right now you get the message:

Someone (probably you) recently logged in to your account from a new device. If this was you, then you can disregard this message. If it wasn't you, then it's recommended that you change your password, and check your account activity.

For me, I have bots that run off of 3 different servers (not including home testing). Because I have administrative tools on my bot, knowing if my bot is being accessed improperly is critical. Beyond this, most companies provide the data for recent logins to their accounts to the user. This should be no different for this email.

Please show:

  • Username (including the bot password username if appropriate)
  • The IP address the login came from (see T174562 and T174388)
  • The useragent of the login

Event Timeline

Restricted Application added a project: Community-Tech. Apr 4 2020, 11:05 AM
Restricted Application added a subscriber: Aklapper.
stwalkerster added a subscriber: stwalkerster.
Reedy added a project: Privacy Engineering.

Largely duplicates T174562, which was spun off from T174388 (failed attempts). IP addresses appear to have been approved by Legal a few years ago, don't think user agent came up.

Reedy added a subscriber: Reedy. Apr 4 2020, 2:08 PM

Bot username, if applicable (The "@whatever")

^ This one should be a no brainer; people use email addresses for multiple accounts

Largely duplicates T174562, which was spun off from T174388 (failed attempts). IP addresses appear to have been approved by Legal a few years ago, don't think user agent came up.

As per these... Let's update the task to cover the other cases

Reedy renamed this task from Show IP, useragent data, and bot username on new device login emails to Show useragent data, and bot username on new device login emails. Apr 4 2020, 2:08 PM
Reedy updated the task description.
Reedy added a comment. Apr 5 2020, 6:46 PM

Bot username, if applicable (The "@whatever")

This is already in the subject, right? Just not in the body text?

I think the problem is the messages used for Notifications are re-used verbatim for email

	"notification-header-login-success": "Someone (probably {{GENDER:$1|you}}) recently logged in to your account from a new device. If this was you, then you can disregard this message. If it wasn't you, then it's recommended that you change your password, and check your account activity.",
	"notification-new-bundled-header-login-fail": "There {{PLURAL:$1|has been '''a failed attempt'''|have been '''$1 failed attempts'''}} to log in to your account from a new device since the last time you logged in. If it wasn't you, please make sure your account has a strong password.",
	"notification-known-header-login-fail": "There {{PLURAL:$1|has been '''a failed attempt'''|have been '''$1 failed attempts'''}} to log in to your account since the last time you logged in. If it wasn't you, please make sure your account has a strong password.",
	"notification-new-unbundled-header-login-fail": "There {{PLURAL:$1|has been '''a failed attempt'''|have been '''multiple failed attempts'''}} to log in to your account from a new device. Please make sure your account has a strong password."

So these work fine from the UI, but miss context from the email standpoint

Restricted Application added a project: Growth-Team. Apr 5 2020, 6:52 PM
Reedy renamed this task from Show useragent data, and bot username on new device login emails to Show useragent data and bot username on new device login emails. Apr 5 2020, 6:53 PM
Reedy renamed this task from Show useragent data and bot username on new device login emails to Show useragent data and username on new device login emails.
Reedy moved this task from Backlog to External on the Notifications board.
Reedy updated the task description.

Change 586127 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/Echo@master] Add getter for EventPresentationModel::$distributionType

https://gerrit.wikimedia.org/r/586127

Bot username, if applicable (The "@whatever")

This is already in the subject, right? Just not in the body text?

It is not if you are using a bot password login. It just lists the original username.
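An added illustration, not Echo or LoginNotify code and not written by anyone in this thread, of the two points discussed above: picking the message by distribution type so the email can carry context the web notification omits, and reporting the bot password name from a `User@appname` login. The message table, function names, length cap and sample values are assumptions made up for this sketch.

```python
import re

# Constructed message table (hypothetical): one body per distribution type,
# so the email no longer has to reuse the web notification text verbatim.
MESSAGES = {
    "web": "Someone (probably you) recently logged in to your account "
           "from a new device.",
    "email": "Someone (probably you) recently logged in to your account "
             "from a new device.\n"
             "Account: {account}\n"
             "Bot password: {app}\n"
             "User agent: {user_agent}",
}
MAX_UA_LEN = 200  # assumption: cap on client-supplied text copied into mail


def split_bot_login(login):
    """Split a 'User@appname' bot password login into (account, app or None)."""
    # rpartition: only the last '@' separates the app name from the account.
    account, sep, app = login.rpartition("@")
    return (account, app) if sep and account and app else (login, None)


def clean_user_agent(raw):
    """User-Agent is client-controlled: drop control chars, cap the length."""
    # Collapsing CR/LF keeps a crafted header from forging extra mail lines.
    text = re.sub(r"[\x00-\x1f\x7f]+", " ", raw or "").strip()
    if len(text) > MAX_UA_LEN:
        text = text[:MAX_UA_LEN] + "..."
    return text or "(not provided)"


def render_login_notice(distribution_type, login, user_agent):
    """Return the notification body for 'web' or 'email' delivery."""
    account, app = split_bot_login(login)
    template = MESSAGES.get(distribution_type, MESSAGES["web"])
    # Values are passed as arguments, never concatenated into the template.
    return template.format(
        account=account,
        app=app or "(none, main account login)",
        user_agent=clean_user_agent(user_agent),
    )


if __name__ == "__main__":
    # Constructed sample input: bot password login with a hostile User-Agent.
    print(render_login_notice("email", "ExampleUser@maintenance-bot",
                              "ExampleBot/1.0\r\nAccount: forged"))
```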

Change 586127 merged by jenkins-bot:
[mediawiki/extensions/Echo@master] Add getter for EventPresentationModel::$distributionType

https://gerrit.wikimedia.org/r/586127

Change 586381 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/Echo@REL1_34] Add getter for EventPresentationModel::$distributionType

https://gerrit.wikimedia.org/r/586381

Change 586382 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/Echo@REL1_33] Add getter for EventPresentationModel::$distributionType

https://gerrit.wikimedia.org/r/586382

Change 586383 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/Echo@REL1_31] Add getter for EventPresentationModel::$distributionType

https://gerrit.wikimedia.org/r/586383

JFishback_WMF triaged this task as Medium priority. Apr 6 2020, 3:52 PM
JFishback_WMF moved this task from Incoming to Backlog on the Privacy Engineering board.
Reedy updated the task description. Apr 6 2020, 3:53 PM

Change 586382 merged by jenkins-bot:
[mediawiki/extensions/Echo@REL1_33] Add getter for EventPresentationModel::$distributionType

https://gerrit.wikimedia.org/r/586382

Change 586381 merged by jenkins-bot:
[mediawiki/extensions/Echo@REL1_34] Add getter for EventPresentationModel::$distributionType

https://gerrit.wikimedia.org/r/586381

Change 586383 merged by jenkins-bot:
[mediawiki/extensions/Echo@REL1_31] Add getter for EventPresentationModel::$distributionType

https://gerrit.wikimedia.org/r/586383

Majavah added a subscriber: Majavah.