ankane / authtrail

Track Devise login activity


Possible extension to include more generic user activity tracking

s01ipsist opened this issue · comments

A. This is a really awesome concept we are looking to bring to our applications. Account Takeover (ATO) instrumentation is a great offering for many web apps.
B. This issue is not a problem with the project as is, but us trying to engage with you to see if you are amenable to the extensions we're interested in building.

My wish list, which we would happily do the work on, is to expand the scope of tracking from LoginActivity to what I will call UserAccountActivity.

In particular we want to record a variety of events; the initial list includes:

  1. log-in - when a User successfully logs in
  2. log-in-denied - when someone fails to log in
  3. log-out - when the User logs out
  4. password-reset-request - someone asked to reset a User password
  5. password-reset-request-denied - someone asked to reset their password with invalid details
  6. password-reset - when a User reset their password
  7. email-update - when a User email is changed
  8. page-view - when a page is viewed (probably only for sensitive pages)

Would you accept PRs down this path? Do you have any concerns about backwards compatibility on schema changes? Obviously forking is an option for us but we'd prefer to contribute here.

Hey @s01ipsist, tracking "account activity" instead of just login activity makes sense to me. What schema changes would you make to accommodate this?

The proposed evolution has independent events for success and failure, e.g. log-in and log-in-denied, so the success and failure_reason attributes start to make less sense.
success would just go, as it is no longer necessary.

failure_reason could become reason or description and become reusable for other events - say the page-view event could put the uri in there.

Not really huge changes, slightly more generic and extensible, and a simple migration path from current schema.
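To make the proposed schema change concrete, here is an added example (not authtrail's own code) that maps rows of the current login_activities shape (success + failure_reason) onto the proposed generic shape (event + reason), and builds rows for the other events in the list above. The helper names, the column names event and reason, and the hash-based rows are assumptions for illustration.

```ruby
# Added example, not from the authtrail project. Column names "event" and
# "reason", the helper names and the Hash-based rows are assumptions.

EVENTS = %w[
  log-in log-in-denied log-out
  password-reset-request password-reset-request-denied password-reset
  email-update page-view
].freeze

# Convert one legacy login_activities row (a Hash) to the proposed schema:
# success: true -> "log-in"; success: false -> "log-in-denied", carrying
# the old failure_reason over into the reusable "reason" column.
def migrate_login_activity(row)
  base = row.reject { |k, _| %i[success failure_reason].include?(k) }
  if row[:success]
    base.merge(event: "log-in", reason: nil)
  else
    base.merge(event: "log-in-denied", reason: row[:failure_reason])
  end
end

# Build a new-style row for any event in the proposed list. +reason+ holds
# the event-specific detail (the uri for page-view, the failure reason for
# denied events). Unknown event names are rejected so a typo cannot
# silently create an event type nobody is alerting on.
def account_activity(event:, reason: nil, **attrs)
  raise ArgumentError, "unknown event #{event.inspect}" unless EVENTS.include?(event)
  if event == "page-view" && reason.nil?
    raise ArgumentError, "page-view needs the viewed uri in reason"
  end
  attrs.merge(event: event, reason: reason)
end

# Constructed sample rows in the current schema (not real data).
LEGACY_ROWS = [
  { user_id: 1, success: true,  failure_reason: nil,       ip: "203.0.113.5" },
  { user_id: 1, success: false, failure_reason: "invalid", ip: "203.0.113.5" }
].freeze

# Run the mapping over a batch, as a data migration would.
def migrate_all(rows = LEGACY_ROWS)
  rows.map { |r| migrate_login_activity(r) }
end
```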

Sounds reasonable. We can do a minor version bump (since it's before 1.0) and include upgrade instructions to roll this out.

Just FYI, I created an account_activity branch for this. Going to try it out for a bit to see how it feels.

https://github.com/ankane/authtrail/tree/account_activity