Add admin-controlled geolocation metadata collection (device and IP-based)

[vitormattos]

Context

LibreSign currently stores audit metadata such as IP address and User-Agent at signing time. Some organizations require additional audit trail information, including the signer's geolocation, for compliance, legal traceability, or internal control purposes.

However, geolocation is sensitive data and must be explicitly configurable and transparent.

Proposal

Introduce an optional, admin-controlled feature to collect geolocation metadata during the signing process.

The feature should support two independent methods:

1. Device-based geolocation (precise)

   • Uses the browser Geolocation API (GPS / Wi-Fi / mobile network).

   • Requires explicit user permission.

   • Can be configured as:

     • Optional (default)
     • Required if available
     • Strictly required (block signing if not obtained)

2. IP-based geolocation (approximate)

   • Performed server-side using a GeoIP database.
   • Does not require browser permission.
   • Provides country/region/city-level precision (depending on database).

Admin Configuration

Add new options in Admin settings (Metadata / Audit section):

• Enable device geolocation collection
• Enable IP geolocation collection
• Define requirement level (only applicable to device-based geolocation)

Both methods should be independently configurable.

Signing Flow

If device geolocation is enabled:

• The user should be clearly informed that location will be collected for audit purposes.

• If permission is denied or unavailable:

  • Behavior must follow the configured requirement level.
  • The system should record a structured status (e.g., collected, denied, unavailable, error).

If IP geolocation is enabled:

• Location is resolved server-side based on the request IP.

Stored Metadata

The audit trail should include:

• geo_source (device | ip | none)

• geo_status (collected | denied | unavailable | error)

• For device:

  • latitude
  • longitude
  • accuracy (meters)
  • timestamp

• For IP:

  • country
  • region
  • city
  • optional approximate coordinates
  • precision level

Important Considerations

• Feature must be disabled by default.
• Clear user transparency is required.
• The system must not break in environments without geolocation support.
• Blocking behavior should only occur if explicitly configured by the administrator.

This feature enhances audit capabilities while maintaining flexibility and privacy controls.