This repository has been archived by the owner on Apr 3, 2019. It is now read-only.

Record user-agent and last-access-time on session tokens #983

Closed
rfk opened this issue Jul 15, 2015 · 4 comments · Fixed by #997
rfk commented Jul 15, 2015

We want to be able to surface a "control dashboard" where the user can see what's connected to her account and control/revoke things as necessary. The lowest-hanging fruit for such a dashboard would be to see where all the active session tokens are from, and how recently they were used.

This information would be exposed via oauth-authenticated APIs like #950, but before we even get that far we will have to start recording it.

It will also provide the basic data for many of the connected-experience metrics dashboards in mozilla/fxa#21

Proposal:

  1. add "userAgent" and "lastAccessTime" fields to the sessionTokens table, defaulting to empty and zero respectively
  2. populate them in the obvious way whenever a new sessionToken is created
  3. update them asynchronously whenever a sessionToken is used, by e.g. firing off a background task to do the db write

Doing (3) will create a large increase in the write volume on the auth db, but I think it's important data to be able to surface to the user. We may be able to mitigate the load with some clever batch background updates if necessary, since we can trade off reliability for performance with this data.

(Also note that this is parallel to any work on a "device list" service. When devices API comes online we can incorporate an additional "device id" field in the sessionToken metadata, but it's important to be able to track sessions from the web as well as sessions from devices).
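
One way the asynchronous update in step 3 could coalesce and batch its writes, as an added example that is not part of the original issue or the project's code. The class name, the `writeBatch` callback and both limits are assumptions made for illustration.

```javascript
// Added example: coalescing write-behind buffer for session-token metadata.
// All names here (SessionTouchBuffer, writeBatch, the limits) are hypothetical.
const MAX_UA_LENGTH = 255;  // assumed column width; User-Agent is client-controlled
const MAX_PENDING = 10000;  // assumed cap so a request flood cannot exhaust memory

class SessionTouchBuffer {
  // writeBatch(rows) -> Promise; stands in for one multi-row UPDATE on sessionTokens
  constructor(writeBatch, now = Date.now) {
    this.writeBatch = writeBatch;
    this.now = now;
    this.pending = new Map(); // tokenId -> { tokenId, userAgent, lastAccessTime }
    this.dropped = 0;         // touches lost to load shedding or failed writes
  }

  // Called on every authenticated request; never touches the database itself.
  touch(tokenId, userAgentHeader) {
    if (!this.pending.has(tokenId) && this.pending.size >= MAX_PENDING) {
      this.dropped++;         // shed load: this data is allowed to be lossy
      return false;
    }
    // Strip control characters and bound the length before storing.
    const userAgent = String(userAgentHeader || '')
      .replace(/[\x00-\x1f\x7f]/g, '')
      .slice(0, MAX_UA_LENGTH);
    // Later touches overwrite earlier ones, so N requests cost one row write.
    this.pending.set(tokenId, { tokenId, userAgent, lastAccessTime: this.now() });
    return true;
  }

  // Run from a timer. A failed write is counted and discarded, not retried.
  async flush() {
    if (this.pending.size === 0) return 0;
    const rows = Array.from(this.pending.values());
    this.pending = new Map();
    try {
      await this.writeBatch(rows);
      return rows.length;
    } catch (err) {
      this.dropped += rows.length;
      return 0;
    }
  }
}
```

Because the stored user-agent string is later shown back to the user in a dashboard, it still needs output encoding at render time; the stripping here only bounds what reaches the database.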

rfk commented Jul 15, 2015

We should get approval from legal before we start collecting this data; I think it's fair game because it's nothing we couldn't pull out of the server access logs anyway, but for some things it's better to ask permission than forgiveness...

rfk commented Jul 24, 2015

@philbooth as a first step towards a lot of the work and the metrics we want to do this quarter, do you think you'll have bandwidth to collaborate on this for train-43?

@philbooth
Contributor

@rfk, yep. I started to look into this yesterday a bit actually, but didn't want to make any changes until you got the green light for us to collect the data. Are we good on that front now?

@philbooth
Contributor

I've linked 4 PRs which are almost ready for review, pending some questions that I need answers to.
