Task #86354

Redevelop/improve function: notification on BE user login

Added by Michael Schams 10 months ago. Updated 10 months ago.

Status:
New
Priority:
Could have
Assignee:
-
Category:
Authentication
Target version:
-
Start date:
2018-09-22
Due date:
% Done:
0%

TYPO3 Version:
9
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Summary
The function "Notify me by email when somebody logs in from my account" comes with a number of downsides. Therefore, I suggest replacing it with an improved variation in TYPO3 v10. This requires deprecating the existing function.

Background
If you set this option you will receive an email from TYPO3 each time you (or "someone") logs in using your username. You might like to receive such a "warning" as a security measure so you will know if someone else picks up your password and uses your account. (Quote from the CSH of this function.)

Current State
When a user successfully logs in to the backend of TYPO3, and this user has activated the feature and provided an email address beforehand, an email is generated and sent to this user.
This is triggered in TYPO3\CMS\Core\Authentication\BackendUserAuthentication::backendCheckLogin() and implemented in the method emailAtLogin():

// Trigger an email to the current BE user, if this has been enabled in the user configuration
// ($this->uc['emailMeAtLogin']). Note that the address check is only a crude test for an "@".
// $subject and $msg are fixed English strings built from the site name, the remote address,
// the username and the HTTP host (see the template below); they are not configurable.
if ($this->uc['emailMeAtLogin'] && strstr($this->user['email'], '@')) {
    /** @var $mail \TYPO3\CMS\Core\Mail\MailMessage */
    $mail = GeneralUtility::makeInstance(\TYPO3\CMS\Core\Mail\MailMessage::class);
    $mail->setTo($this->user['email'])->setSubject($subject)->setBody($msg);
    $mail->send();
}

The email sent is a plain-text email containing only some very basic information:

Subject: At "<sitename>" from <remote address>

User "<username>" logged in from <remote address> at "<sitename>" (<http host>)

Issues

  • The email is not customizable by the site administrator.
  • The email cannot be styled (it is not an HTML email), e.g. a TYPO3 or company logo cannot be added.
  • The email body is in English only (not, for example, in the language configured in the user's BE settings).
  • The information <remote address> does not take proxy servers into account (e.g. the HTTP X-Forwarded-For header, if present).
  • The information <http host> is sometimes empty (depending on the server setup), which results in "()" in the subject.
  • maybe more...

Possible Approach
A hook has been introduced in feature #83529 that is triggered at the same event (successful BE user login). This allows us to get rid of the existing functionality in class TYPO3\CMS\Core\Authentication\BackendUserAuthentication and redevelop an improved feature to notify users via email as a third-party extension or system extension.
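The following is an added example (not TYPO3 core code and not part of this issue) of what such a hook-based replacement could look like. It addresses two of the issues listed above in one class: the remote address is resolved behind a reverse proxy without blindly trusting the client-controlled X-Forwarded-For header (the header is only honoured when the TCP peer is a configured trusted proxy, and the address used is the right-most hop that is not itself a trusted proxy), and the subject/body come from per-language templates and do not print "()" when HTTP_HOST is empty. The hook key, the parameter array and the method signature are assumptions based on TYPO3 9 (check the documentation of feature #83529 before copying); the namespace, class name and the templates are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code. Hook key, $params contents and method
// signature are assumptions about the hook from feature #83529 (TYPO3 9).
namespace Vendor\LoginNotify\Hooks;

use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
use TYPO3\CMS\Core\Mail\MailMessage;
use TYPO3\CMS\Core\Utility\GeneralUtility;

final class LoginNotificationHook
{
    /**
     * Resolve the client address behind reverse proxies. X-Forwarded-For is
     * client-controlled: anyone can prepend arbitrary values to it, so it is
     * only honoured when REMOTE_ADDR (the TCP peer) is a trusted proxy, and
     * the client is the right-most hop that is not a trusted proxy itself.
     *
     * @param string   $remoteAddr     value of $_SERVER['REMOTE_ADDR']
     * @param string   $forwardedFor   value of the X-Forwarded-For header, may be ''
     * @param string[] $trustedProxies proxies whose X-Forwarded-For we accept
     */
    public static function resolveClientAddress(string $remoteAddr, string $forwardedFor, array $trustedProxies): string
    {
        if ($forwardedFor === '' || !in_array($remoteAddr, $trustedProxies, true)) {
            return $remoteAddr;
        }
        $hops = array_map('trim', explode(',', $forwardedFor));
        // Walk from the proxy nearest to us outwards; the first untrusted hop is the client.
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (!in_array($hops[$i], $trustedProxies, true)) {
                // Reject garbage injected by the client; fall back to the peer address.
                return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $remoteAddr;
            }
        }
        // Every hop was a trusted proxy: the peer address is the best we have.
        return $remoteAddr;
    }

    /**
     * Build subject and body from a per-language template. Returns [subject, body].
     * The HTTP host is only appended when it is known, so an empty HTTP_HOST
     * no longer produces "()".
     */
    public static function renderMessage(string $lang, string $username, string $clientAddress, string $sitename, string $httpHost): array
    {
        // Constructed templates for the example; a real extension would load them
        // from its extension configuration or XLIFF files so admins can customise them.
        $templates = [
            'default' => [
                'subject' => 'At "%s" from %s',
                'body'    => 'User "%s" logged in from %s at "%s"%s',
            ],
            'de' => [
                'subject' => 'Anmeldung bei "%s" von %s',
                'body'    => 'Benutzer "%s" hat sich von %s bei "%s"%s angemeldet',
            ],
        ];
        $t = $templates[$lang] ?? $templates['default'];
        $hostSuffix = $httpHost !== '' ? ' (' . $httpHost . ')' : '';
        return [
            sprintf($t['subject'], $sitename, $clientAddress),
            sprintf($t['body'], $username, $clientAddress, $sitename, $hostSuffix),
        ];
    }

    /**
     * Called after a successful backend login. Assumed registration in ext_localconf.php:
     *   $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauthgroup.php']['backendUserLogin'][]
     *       = \Vendor\LoginNotify\Hooks\LoginNotificationHook::class . '->backendUserLogin';
     */
    public function backendUserLogin(array $params, BackendUserAuthentication $backendUser): void
    {
        $email = (string)($backendUser->user['email'] ?? '');
        if (empty($backendUser->uc['emailMeAtLogin']) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            return;
        }
        // Reuse the trusted proxy list the installation already maintains.
        $trustedProxies = GeneralUtility::trimExplode(',', (string)($GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'] ?? ''), true);
        $clientAddress = self::resolveClientAddress(
            (string)($_SERVER['REMOTE_ADDR'] ?? ''),
            (string)($_SERVER['HTTP_X_FORWARDED_FOR'] ?? ''),
            $trustedProxies
        );
        [$subject, $body] = self::renderMessage(
            (string)($backendUser->uc['lang'] ?? '') ?: 'default',
            (string)($backendUser->user['username'] ?? ''),
            $clientAddress,
            (string)($GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] ?? ''),
            (string)($_SERVER['HTTP_HOST'] ?? '')
        );
        $mail = GeneralUtility::makeInstance(MailMessage::class);
        $mail->setTo($email)->setSubject($subject)->setBody($body);
        $mail->send();
    }
}
```

With the trusted proxy list ['10.0.0.2'], a request whose REMOTE_ADDR is 10.0.0.2 and whose X-Forwarded-For is "203.0.113.9, 10.0.0.2" resolves to 203.0.113.9, whereas a direct request from 198.51.100.5 carrying a forged "X-Forwarded-For: 127.0.0.1" still resolves to 198.51.100.5. The mail calls use the same setTo()/setSubject()/setBody() API as the existing core code on this page; a v10 implementation would need to be adapted to whatever MailMessage API that version ships.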

Target Version

  • TYPO3 version 10

History

#1 Updated by Michael Schams 10 months ago

Notes from a conversation in Slack channel #typo3-cms-coredev.

  • consider equipping the current solution with a feature toggle so one can switch it off and use an alternative solution.
  • consider improving the core solution.
  • do not "remove the existing solution without replacement".
  • consider being conservative: improve what we have, without being overly intrusive.

And:

  • consider extracting this functionality into a custom extension and shipping an upgrade wizard.
