Displaying IP Addresses on Demo Site

[yodaphone]

I have been using the demo site and when I logged in as "admin", it show a list of all IP addresses that have used the system, under "Active Sessions". It would be great if you can obfuscate the IP addresses in the demo site as it might act as a easy list for hackers to target specific IPs as they can easily related this to people interested in your software.

admin->Settings-> Account

Just my $0.02

[matmair]

If you are exposing your inventree instance under your residential IP I have the feeling nothing can save your from hackers

[yodaphone]

If you are exposing your inventree instance under your residential IP I have the feeling nothing can save your from hackers

this is not my private instance, but your demo.inventree.org website

[matmair]

I think you are misunderstanding what I am writing if you (the user browsing the demo) are deploying your instance under your (the user browsing the demo) instance under your (the user browsing the demo) residential IP, I have the feeling nothing can save you (the user browsing the demo) form "hackers"

[wolflu05]

My goal would be to add an env config to disable tracking for normal users, and I would highly recommend to disable that for the demo server due to GDPR reasons. That could be done at the same time we expose those session ips to the API for PUI.

[matmair]

Can you cite those reasons? As far as I asses it it is technical needed to show that the sessions framework actually works

[yodaphone]

my $0.02 is this. its ok to show my own IP in my session, but i dont see the need to show which other IP used this login earlier. Please see how gmail does it.

one security scenario is that, DoS attackers can target these IP addresses. Many users who come to test and use the admin login, who might not have the infrastructure in place to even know that their external IP is being targeted.

Moreover the demo site does not have any GDPR policies & you must disclose what you are collecting and storing and in this case the IP address. Maybe you dont have to when this is self-hosted which is the default, but my gripe is with the public demo site

Personally, I dont this its good coding practice to expose this as it is here.

[wolflu05]

Ok, sorry I have wrote this wrong, that's not actually what I meant. Here is what I was trying to say:

• storing the ip associated with the session is not an issue, and also technically necessary
• listing all those ips for active sessions of the current user (used by a single person) is also a good security analysis measure

But showing all ips for active sessions of the current user, used by different people around the world (e.g. InvenTree demo instance) is not good data protection. I personally do not want that anyone can see my public ip just by logging in too, with the user I was using on the demo instance (user credentials are open).

There is even no data protection policy linked when accessing demo.inventree.org. So people don't know that their ip will be visible to the public when logging in with a provided demo user. There is also no imprint. But not sure about the regulations in the US/Australia.

So my suggestion would be to somehow disable the session list (and later also the api endpoint) just for the demo server (and probably deployments of other users) by an env variable, so that people are not able to request their own sessions and the associated IPs. I do not want to say that we should not store them.

Hopefully this makes it clear.

[matmair]

You are both very welcome to either provide a PR that hides but not disables IP tracking or discontinue usage. Be aware that the whole session framework is not a part of the InvenTree code base but a library. We can not provide IP-based throttling and session identification without storing and showing the IP addresses to the respective users.

[matmair]

I am tired of this discussion and frankly of this user base

[SchrodingersGat]

See #7366