generated from spatie/package-skeleton-laravel
Make configurable the number of minutes after which the user is no longer considered a new user. #85
Closed
…nger considered a new user.
Small optimisation.
Collaborator
Not sure on this one! Will have to take a closer look, I get the point though
rappasoft added a commit that referenced this pull request Dec 5, 2025
# Laravel Authentication Log v4.0.0 Release Notes

## 🎉 Major Release - Laravel 11 & 12 Support

This is a major release that modernizes the package for Laravel 11.x and 12.x, adds numerous new features, and fixes several long-standing issues.

## ⚠️ Breaking Changes

- **Laravel 10.x support dropped**: This package now only supports Laravel 11.x and 12.x
- **PHP 8.1+ required**: Minimum PHP version is now 8.1
- **Database migration required**: Existing installations must run the upgrade migration to add new columns

## 🚀 New Features

### 1. Suspicious Activity Detection

Automatically detect and flag suspicious login patterns including:

- Multiple failed login attempts
- Rapid location changes
- Unusual login times (configurable)

**Configuration:**

```php
'suspicious' => [
    'failed_login_threshold' => 5,
    'check_unusual_times' => false,
    'usual_hours' => [9, 10, 11, 12, 13, 14, 15, 16, 17],
],
```

### 2. Session Management

Comprehensive session management capabilities:

- View active sessions
- Revoke specific sessions
- Revoke all other sessions (keep current device)
- Revoke all sessions
- Track last activity timestamp

**Usage:**

```php
$user->getActiveSessions();
$user->revokeSession($sessionId);
$user->revokeAllOtherSessions($currentDeviceId);
$user->revokeAllSessions();
```

### 3. Device Fingerprinting & Management

- Unique device identification (normalized user agent to prevent false positives)
- Device trust management
- Device naming
- Browser version normalization (prevents false "new device" notifications)

**Usage:**

```php
$user->getDevices();
$user->trustDevice($deviceId);
$user->untrustDevice($deviceId);
$user->isDeviceTrusted($deviceId);
```

### 4. Query Scopes

Powerful query scopes for filtering authentication logs:

- `successful()` - Only successful logins
- `failed()` - Only failed attempts
- `fromIp($ip)` - Filter by IP address
- `recent($hours)` - Recent logs
- `suspicious()` - Suspicious activities
- `trusted()` - Trusted devices only
- `fromDevice($deviceId)` - Specific device
- `forUser($user)` - Specific user
- `active()` - Active sessions

**Usage:**

```php
AuthenticationLog::suspicious()->recent(24)->get();
$user->authentications()->failed()->recent(1)->count();
```

### 5. Statistics & Insights

Get authentication statistics for users:

- Total logins count
- Failed attempts count
- Unique devices count
- Suspicious activities count
- Comprehensive login stats array

**Usage:**

```php
$stats = $user->getLoginStats();
$totalLogins = $user->getTotalLogins();
$failedAttempts = $user->getFailedAttempts();
$uniqueDevices = $user->getUniqueDevicesCount();
```

### 6. Rate Limiting for Notifications

Prevent notification spam with configurable rate limiting:

- Configurable max attempts per time period
- Separate limits for new device and failed login notifications
- Automatic rate limit decay

**Configuration:**

```php
'new-device' => [
    'rate_limit' => 3,
    'rate_limit_decay' => 60, // minutes
],
```

### 7. Middleware for Device Trust

Restrict access to trusted devices only:

**Usage:**

```php
Route::middleware(['auth', \Rappasoft\LaravelAuthenticationLog\Middleware\RequireTrustedDevice::class])
    ->group(function () {
        // Protected routes
    });
```

### 8. Export Functionality

Export authentication logs to CSV or JSON:

**Usage:**

```bash
php artisan authentication-log:export --format=csv --path=storage/app/logs.csv
php artisan authentication-log:export --format=json
```

### 9. Webhook Support

Send webhooks for authentication events:

- Login events
- Failed login events
- New device events
- Suspicious activity events

**Configuration:**

```php
'webhooks' => [
    [
        'url' => 'https://example.com/webhook',
        'events' => ['login', 'failed', 'new_device', 'suspicious'],
        'headers' => [
            'Authorization' => 'Bearer your-token',
        ],
    ],
],
```

### 10. Enhanced Notifications

- Support for Vonage (formerly Nexmo) SMS notifications
- Custom notification templates
- Improved email templates with better error handling

### 11. Configurable New User Threshold

Prevent false positives for new users connecting from multiple devices/locations:

**Configuration:**

```php
'new-device' => [
    'new_user_threshold_minutes' => 1, // Default: 1 minute
],
```

### 12. Session Restoration Prevention

**Fixes #13**

Automatically prevents session restorations (page refreshes, remember me cookies) from creating duplicate log entries. Updates `last_activity_at` instead of creating new entries.

**Configuration:**

```php
'prevent_session_restoration_logging' => true,
'session_restoration_window_minutes' => 5,
```

## 🐛 Bug Fixes

### Fixed Issue #40 - Browser Version Updates Triggering False Notifications

**Fixes #40**

Browser version updates (e.g., Safari 14.1.2 → 15.1) no longer trigger false "new device" notifications. Device fingerprinting now normalizes user agent strings by removing version numbers.

### Fixed Issue #13 - Session Restoration Logging

**Fixes #13**

Session restorations (page refreshes, remember me cookies) no longer create duplicate log entries. The package now detects and handles session restorations automatically.

## ✅ Pull Requests Implemented

### PR #15 - Notification After Failed Login on New Device

**Closes #15**

The package now sends new device notifications when a successful login occurs after a failed login attempt on an unknown device.

### PR #52 - Optimize Other Devices Logout Listener

**Closes #52**

Already implemented. The listener filters to only active sessions using `whereNull('logout_at')`.

### PR #57 - Use Null Safe/Chaining Operator

**Closes #57**

Already implemented. The codebase uses null-safe operators (`?->`) instead of `optional()`.

### PR #80 - Added PHPDocs for IDE Autocompletion

**Closes #80**

Already implemented. The `AuthenticationLog` model includes PHPDoc comments for all properties including new fields.

### PR #85 - Configurable New User Threshold

**Closes #85**

Added `new_user_threshold_minutes` configuration option to reduce false positives for users connecting from multiple devices/locations shortly after registration.

### PR #92 - Configurable Listeners

**Closes #92**

Already implemented. The config file includes configurable listeners for all authentication events.

### PR #94 - Check Trait Implementation

**Closes #94**

Already implemented. All listeners check if the user model implements the `AuthenticationLoggable` trait before processing.

### PR #100 - Laravel 11 Support

**Closes #100**

Package now supports Laravel 11.x and 12.x.

### PR #115 - Check if GeoIP is Installed

**Closes #115**

Config defaults now check if geoip function exists before enabling location tracking, preventing errors when the geoip package is not installed.

### PR #120 - Laravel 12 Support & Arabic Translation

**Closes #120**

Laravel 12 support added and Arabic translation (`ar.json`) included.

### PR #125 - Test Configuration Updates

**Closes #125**

Test configuration updated for Laravel 11+ support.

### PR #127 - Spanish Translation & Blade Fixes

**Closes #127**

Spanish translation (`es_ES.json`) exists and blade templates use the null coalescing operator (`??`) for state/country fields.

## 📝 Pull Requests No Longer Applicable

### PR #70 - Laravel 10 Support

**Closes #70**

No longer applicable. Package v4.0.0 dropped Laravel 10 support and now only supports Laravel 11.x and 12.x.

## 📚 Documentation

- Comprehensive upgrade guide added
- All new features documented
- Configuration examples updated
- Usage examples for all new features

## 🧪 Testing

- **76 tests passing** (146 assertions)
- Comprehensive test coverage for all new features
- Tests for session restoration prevention
- Tests for device fingerprinting normalization
- Tests for suspicious activity detection
- Tests for all query scopes and statistics

## 📦 Installation & Upgrade

### New Installation

```bash
composer require rappasoft/laravel-authentication-log
php artisan vendor:publish --provider="Rappasoft\LaravelAuthenticationLog\LaravelAuthenticationLogServiceProvider"
php artisan migrate
```

### Upgrading from v3.x

```bash
composer update rappasoft/laravel-authentication-log
php artisan vendor:publish --provider="Rappasoft\LaravelAuthenticationLog\LaravelAuthenticationLogServiceProvider" --tag="authentication-log-migrations"
php artisan migrate
```

The upgrade migration will safely add new columns to your existing `authentication_log` table without data loss.

## 🙏 Credits

Thank you to all contributors who submitted issues, pull requests, and feedback that made this release possible!

## 📖 Full Documentation

See the [documentation](https://rappasoft.com/docs/laravel-authentication-log) for complete usage instructions and examples.

---

**Note:** This release includes breaking changes. Please review the upgrade guide before upgrading from v3.x.
Owner
Added or Fixed in v6.0.0, thank you for your contribution.
Users often connect from different devices (desktop, mobile, tablet, etc.) and from different locations (home, work, etc.). If we send notifications to users more than a minute old, we will generate a lot of false positives.
A simple solution would be to make the number of minutes after which a user is no longer considered a new user configurable in order to increase that time.
In my case, increasing that amount to a week (60 * 24 * 7) or a month (60 * 24 * 30) would greatly reduce false positives.
Thank you very much.
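
The threshold decision this pull request asks for, written as a standalone PHP function. This is an added example, not the package's code: `shouldNotifyNewDevice`, the `>=` comparison and the sample timestamps are assumptions, and only the `new_user_threshold_minutes` key under `new-device` comes from the page.

```php
<?php
declare(strict_types=1);

// Added illustration; function and variable names are hypothetical, not the package's code.
// Only the config key 'new_user_threshold_minutes' is taken from the release notes above.
// The ">=" comparison is an assumption about how the boundary is treated.
function shouldNotifyNewDevice(
    DateTimeImmutable $userCreatedAt,
    DateTimeImmutable $loginAt,
    bool $deviceKnown,
    array $config
): bool {
    if ($deviceKnown) {
        return false; // device already seen for this user: nothing to report
    }
    $threshold = (int) ($config['new-device']['new_user_threshold_minutes'] ?? 1);
    if ($threshold < 0) {
        throw new InvalidArgumentException('new_user_threshold_minutes must be >= 0');
    }
    // Whole minutes elapsed between registration and this login.
    $ageMinutes = intdiv($loginAt->getTimestamp() - $userCreatedAt->getTimestamp(), 60);
    // Accounts younger than the threshold still count as "new": suppress the notification.
    return $ageMinutes >= $threshold;
}

// Constructed sample data: one account, three logins from devices not seen before.
$created = new DateTimeImmutable('2025-01-06 09:00:00 UTC');
$logins = [
    'phone, 2 hours later'      => new DateTimeImmutable('2025-01-06 11:00:00 UTC'),
    'work laptop, 3 days later' => new DateTimeImmutable('2025-01-09 09:00:00 UTC'),
    'tablet, 10 days later'     => new DateTimeImmutable('2025-01-16 09:00:00 UTC'),
];
$configs = [
    'default (1 minute)' => ['new-device' => ['new_user_threshold_minutes' => 1]],
    'one week (60*24*7)' => ['new-device' => ['new_user_threshold_minutes' => 60 * 24 * 7]],
];
foreach ($configs as $label => $config) {
    foreach ($logins as $description => $loginAt) {
        $notify = shouldNotifyNewDevice($created, $loginAt, false, $config);
        printf("%-20s %-28s notify=%s\n", $label, $description, $notify ? 'yes' : 'no');
    }
}
```

A longer threshold also suppresses notifications for any unrecognised-device login during that window, so the value is a trade-off between false positives and coverage of an account's first days.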