MAGNOLIA-8825

After login, application needs to show user date and time of last login


    • Type: Story
    • Resolution: Fixed
    • Priority: Major
    • Fix Version/s: 6.3.0, 6.2.32
    • Yes
    • AdminX 32
    • 5

      Goal

      Inform the end-user about the date and time of their last login immediately after logging in.

      This requirement comes from a minor nonconformity we have received from both SOC2 and ENS audits.

      It applies to both the SaaS and DX Core products, although the nonconformity was detected on the self-hosted version of Magnolia. Therefore, to keep the audit, this is needed only for self-hosted; if it has to be implemented differently for self-hosted and for SaaS, prioritize self-hosted first.

      Further context

      From had

      From both SOC2 and ENS audits we have a minor nonconformity (i.e. something we need to fix before the next audit) - “Upon login, application needs to show user date and time of last login” … applies to both SaaS and on-prem. We are free in terms of how we implement it, whether it's a popup somewhere, whether it's permanent or disappears, etc., as long as the user is clearly made aware upon logging in about the date/time of their previous login.
      Just got the official report of this nonconformance (https://docs.google.com/document/d/1gobsKF94cH_w4wDbmNE7zM296GALNqOJ/edit?usp=share_link&ouid=118357382569541644910&rtpof=true&sd=true). We have 1 month to fix it ... Please provide me with details on how you plan to address it and in which release of Magnolia (the audited product was self-hosted Magnolia) we will deliver it. We have only until the end of March to get that released or we lose the audit and, as a result, all Spanish govt clients. :disappointed:

      The main purpose of this is added security: showing the previous login time lets users easily spot when their account was logged in to by someone else (detecting unexpected logins).


      Design ideas

      This could be implemented as simple text somewhere in the interface right after login, i.e. "Your last recorded login: 2023-02-22, 08:43 GMT"

      Example from Gmail (similar functionality):

      Some UI options have been proposed here: https://magnolia-cms.slack.com/archives/C02R765REB0/p1677174441582829?thread_ts=1677070089.382899&cid=C02R765REB0.  See the discussion in the thread for more information.

      Discovery

      Proposed solution:

      For Mgnl user (JCR - Magnolia Default login)

      • Define a new property previousAccess on the user node (e.g. the "superuser" node) in the "users" repository to store the timestamp of the previous login
        • On each new login, set previousAccess = lastaccess, then update lastaccess to the current timestamp

      For External user (SSO)

      • Define and save two new properties, last_login and previous_login, under the user profile node in the "profiles" repository, which is used to store user preferences (e.g. the Favorites app config); a profile node is created for each authenticated user.
        • Set last_login to the value of the auth_time attribute of the ID Token
        • If previous_login is null or does not exist, set it from the auth_time attribute of the ID Token as well
        • Update previous_login when there is a new login from another session, or whenever auth_time differs from last_login
          • Basically the same mechanism as for the Mgnl user above.

      For the UI, we have to implement a text label showing the last login time on the Admincentral Home.
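      The rotation logic proposed above for both user types, as an added example that is not Magnolia's code: the JCR node is modelled as an in-memory dict (assumption), timestamps are epoch seconds, and the label follows the "Your last recorded login" format from the design ideas.

```python
from __future__ import annotations
from datetime import datetime, timezone

# Constructed stand-in for a JCR node's properties; a real implementation would
# read and write these through the JCR API on the user / profile node.
Node = dict[str, int]


def record_jcr_login(user_node: Node, now: int) -> int | None:
    """Magnolia default (JCR) user: previousAccess = lastaccess, then
    lastaccess = now. Returns the timestamp to show, None on first login."""
    previous = user_node.get("lastaccess")
    if previous is not None:
        user_node["previousAccess"] = previous
    user_node["lastaccess"] = now
    return previous


def record_sso_login(profile_node: Node, auth_time: int) -> int:
    """External (SSO) user: keep last_login / previous_login on the profile
    node, keyed on the ID Token's auth_time so that the same token presented
    again within one session does not rotate the values."""
    last = profile_node.get("last_login")
    if last is None:
        # First login: both properties take auth_time, as the proposal states.
        profile_node["last_login"] = auth_time
        profile_node["previous_login"] = auth_time
    elif auth_time != last:
        # A genuinely new authentication: rotate the two properties.
        profile_node["previous_login"] = last
        profile_node["last_login"] = auth_time
    return profile_node["previous_login"]


def last_login_message(ts: int | None) -> str:
    """Text label for Admincentral Home, e.g. '... 2023-02-22, 08:43 GMT'."""
    if ts is None:
        return "No previous login recorded"
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    return "Your last recorded login: " + dt.strftime("%Y-%m-%d, %H:%M") + " GMT"


if __name__ == "__main__":
    superuser: Node = {}                          # constructed sample node
    record_jcr_login(superuser, 1677055380)       # first login, 2023-02-22 08:43 GMT
    print(last_login_message(record_jcr_login(superuser, 1677100000)))
```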

        Acceptance criteria

              nguyen.phung Nguyen Phung Chi
              mrajkovic Matt Rajkovic
              Thomas Duffey
              AdminX