[MAGNOLIA-8825] After login, application needs to show user date and time of last login Created: 22/Feb/23  Updated: 19/Apr/23  Resolved: 29/Mar/23

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: None
Fix Version/s: 6.3.0, 6.2.32

Type: Story Priority: Major
Reporter: Matt Rajkovic Assignee: Nguyen Phung Chi
Resolution: Fixed Votes: 0
Labels: None
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: 9.75d Time Spent: 9.75d
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Attachments: PDF File App launcher screen – Last login – OPTION 1 (1).pdf     PDF File App launcher screen – Last login – OPTION 2 (1).pdf     PNG File image-2023-02-22-13-45-04-183.png     PNG File image-2023-03-16-13-37-26-060.png    
Issue Links:
Cloners
is cloned by MGNLSSO-250 After login, application needs to sho... Closed
relation
is related to ADMINCTR-380 After login, application needs to sho... Closed
Sub-Tasks:
Key
Summary
Type
Status
Assignee
MAGNOLIA-8827 Implementation Sub-task Completed Nguyen Phung Chi  
MAGNOLIA-8828 Review Sub-task Completed Evzen Fochr  
MAGNOLIA-8829 Pre-Integration QA Sub-task Completed Evzen Fochr  
MAGNOLIA-8830 QA Sub-task Completed Nguyen Phung Chi  
MAGNOLIA-8826 Design where to place this informatio... Design Sub-task Closed Anja von Gunten  
MAGNOLIA-8862 DOC: After login, application needs t... Documentation Task Completed Alex Mansell  
MAGNOLIA-8863 Rw and piQA for master Technical task Closed Evzen Fochr  
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Release notes required:
Yes
Date of First Response:
Visible to:
Thomas Duffey
Epic Link: Display last user logged-in date and time after login
Sprint: AdminX 32
Story Points: 5
Team: AdminX
Work Started:

Description

Goal

Inform the end-user about the date and time of last login immediately after logging in. 

This requirement comes from a minor nonconformity we have received from both SOC2 and ENS audits. 

This applies to both the SaaS and DX Core products, although the non-conformity was detected on the self-hosted version of Magnolia. Therefore, to keep the audit, this is needed only for self-hosted. If it has to be implemented differently for self-hosted and for SaaS, prioritize self-hosted first.

Further context

From had (Jan Haderka):

From both SOC2 and ENS audits we have a minor nonconformity (i.e. something we need to fix before next audit) - “Upon login, application needs to show user date and time of last login” … applies to both SaaS and onprem. We are free in terms of how we implement it, whether it’s popup somewhere whether it's permanent or disappear etc as long as user is clearly made aware upon logging in about the date/time of their previous login.
Just got the official report of this non-conformance (https://docs.google.com/document/d/1gobsKF94cH_w4wDbmNE7zM296GALNqOJ/edit?usp=share_link&ouid=118357382569541644910&rtpof=true&sd=true). We have 1 month to fix it ... Please provide me with details on how you plan to address it and in which release of Magnolia (the audited product was self-hosted magnolia) we will deliver it. We have only until end of March to get that released or we lose the audit and as result all Spanish govt clients. :disappointed:

The main purpose of this is added security: a user can spot when their account has been logged in to by someone else (detecting unexpected logins), because the displayed time will not match their own previous login.

 

Design ideas

This could be implemented as simple text somewhere in the interface right after login, e.g. "Your last recorded login: 2023-02-22, 08:43 GMT".

Example from Gmail (similar functionality):

Some UI options have been proposed here: https://magnolia-cms.slack.com/archives/C02R765REB0/p1677174441582829?thread_ts=1677070089.382899&cid=C02R765REB0.  See the discussion in the thread for more information.

Discovery

Proposed solution:

For Mgnl users (JCR, Magnolia default login)

  • Define a new property previousAccess on the user node (e.g. the "superuser" node) in the "users" repository to store the timestamp of the previous login.
    • On each new login, set previousAccess = lastaccess, then update lastaccess to the current timestamp.

For external users (SSO)

  • Define and save two new properties, last_login and previous_login, under the user profile node in the "profiles" repository, which is used to store user preferences (e.g. the Favorites app config); a profile node is created for each authenticated user.
    • Set last_login to the value of the auth_time attribute of the ID token.
    • If previous_login is null or does not exist, set it to the auth_time attribute of the ID token as well.
    • Update previous_login when there is a new login from another session, or whenever the auth_time differs from the stored last_login.
      • This is basically the same mechanism as for Mgnl users above.

For the UI, we have to implement a text label that shows the last login time on the Admincentral home screen.
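As an added example (not Magnolia's own code), the property rotation from the proposal above for both the Mgnl user and the SSO user, run through the Monday/Wednesday/Friday scenario from the ticket. Plain dicts stand in for the JCR nodes, and treating an unchanged auth_time as "no new login" is an assumption made here, not something the ticket specifies.

```python
from datetime import datetime, timezone

# Plain dicts stand in for the JCR nodes from the proposal (an assumption; no
# Magnolia API is used): one for the "users" repository user node (Mgnl user),
# one for the "profiles" repository profile node (SSO user).


def record_mgnl_login(user_node: dict, now: datetime) -> dict:
    """Mgnl user: previousAccess takes the old lastaccess, lastaccess takes now."""
    # First ever login: nothing earlier to show, so previousAccess == lastaccess.
    user_node["previousAccess"] = user_node.get("lastaccess", now)
    user_node["lastaccess"] = now
    return user_node


def record_sso_login(profile_node: dict, auth_time: datetime) -> dict:
    """SSO user: rotate last_login into previous_login only for a new auth_time."""
    last = profile_node.get("last_login")
    if last is None:
        # No history yet: both properties take auth_time from the ID token.
        profile_node["last_login"] = auth_time
        profile_node["previous_login"] = auth_time
    elif auth_time != last:
        # A fresh authentication at the IdP: shift the stored value down.
        profile_node["previous_login"] = last
        profile_node["last_login"] = auth_time
    # Same auth_time as stored (the same authentication presented again):
    # leave both untouched so the real previous login is not overwritten.
    return profile_node


def last_login_label(previous: datetime) -> str:
    """Text for the Admincentral home, in the format suggested in the ticket."""
    return "Your last recorded login: " + previous.strftime("%Y-%m-%d, %H:%M %Z")


def day_of_feb(day: int) -> datetime:
    """Constructed timestamps for the Monday/Wednesday/Friday scenario (UTC)."""
    return datetime(2023, 2, day, 8, 43, tzinfo=timezone.utc)


if __name__ == "__main__":
    node = {}
    record_mgnl_login(node, day_of_feb(20))  # Monday
    record_mgnl_login(node, day_of_feb(22))  # Wednesday
    print(last_login_label(node["previousAccess"]))  # Monday's timestamp
```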



Comments
Comment by Jan Haderka [ 22/Feb/23 ]

mrajkovic are you sure this should be cloud issue? The audit was for self-hosted/on-prem product not for SaaS!

Comment by Matt Rajkovic [ 22/Feb/23 ]

Hey had, I got that info from your Slack message "applies to both SaaS and onprem".

I've updated the ticket after your clarification that we can only fix self-hosted first.

Comment by Jan Haderka [ 23/Feb/23 ]

I got that info from your Slack message "applies to both SaaS and onprem".

Yeah, that was the message I sent before I saw the other issues we had related to SaaS. In the end we only certify on-prem and PaaS, because we wouldn't be able to implement all that is necessary on SaaS in time. Plus we are not offering it to customers yet, so there is still time. Sorry for the confusion nonetheless.

Comment by Nguyen Phung Chi [ 16/Mar/23 ]

For the record, as clarified with had:

Question: What we are trying to achieve is to show the timestamp of the “previous login” (we may use this term to distinguish them), am I correct?

Answer from Jan:

That is correct. Upon login, we show the user when they last logged into the system. So e.g. if I log in on Monday and then again on Wednesday and then again on Friday, the system needs to show me on Wednesday that my last login day was Monday, but on Friday that my last login was Wednesday.

Comment by Nguyen Phung Chi [ 28/Mar/23 ]

Some important notes for this ticket:

  • The scope and solutions applied in this ticket cover MgnlUser (Mgnl default login) and SSO (using the magnolia-sso module from version 3.1.2 and above) only.
  • Technically, we have 2 concrete types of users in Magnolia Core, which are "MgnlUser" and "ExternalUser" (extended by SsoUser). So, besides the "magnolia-sso" module, which implements the approach mentioned in the description, there are some other types of authentication which are not supported yet, meaning they won't display the last login time on Admincentral; these are listed below:

cc had, mrajkovic, brenuart, efochr

Please let me know your concerns about this. Thank you.

Comment by Matt Rajkovic [ 28/Mar/23 ]

Hey nguyen.phung, thanks for clearly stating the limitations! Looks cool to me.

had, would this be sufficient for now? I think we could also consider implementing this for the Sso-connector module, which might be a very common way our clients use to manage their users. However, I would do that in a subsequent ticket and after a discussion with Services about how to best implement it for the connector modules.

What we have implemented in this ticket might however already be enough to pass the audit and already covers Self-hosted and SaaS (through magnolia-sso module).

Generated at Mon Feb 12 04:36:08 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.