Login history seems to have no way of being cleared, which is a privacy concern #176

Closed
opened 2022-09-27 12:34:11 +00:00 by vib · 5 comments
Contributor

All the login attempts since account creation (successful or failed) on one's account can be seen at Settings>Security, which contain the date and IP of the attempts. (I am not entirely sure if there is no mechanism to empty that list with time, but it seems like there is none.)
I think at least the entries of that list should have an expire date and clean themselves out, since permanently storing those entries is the same as the avoided feature of IP logging from Misskey.
Another way to do it, either as an alternative or alongside the entries auto-cleaning, would be to let the user clear the list.

Owner

I don't know about letting the user clear it... wouldn't that circumvent the entire point of that feature, i.e. seeing if someone else is logging into your account?

I think the best way would be to delete entries of the `signin` table after a certain amount of time, maybe one or two months or so?

Owner

For the "expire after a month" kind of implementation I think we could just add another query onto `packages/backend/src/queue/processors/system/check-expired-mutings.ts` or so.

Author
Contributor

hmm, yeah now I think making it expire makes the most sense

Johann150 added a new dependency 2022-10-01 22:16:20 +00:00
Owner

I don't know if we should have a hint below the signin history that older logins get automatically deleted with this implementation?

Owner

> I don't know if we should have a hint below the signin history that older logins get automatically deleted with this implementation?

Probably a good idea.

norm closed this issue 2022-10-03 18:27:13 +00:00

Reference: FoundKeyGang/FoundKey#176