Add an option to only prevent auth if ip fails whitelist
Opened this issue · 2 comments
ie the use case if that we don't want to actually authenticate via this plugin, but via some other existing plugin like ldap or saml which don't have an internal password. So we'd configure this plugin to be earlier in the plugin priority list, and then have a new config checkbox something like 'Don't authenticate, just prevent login unless in ip whitelist'
- add settings for 'also check IP before logging in', along with a configurable fail message
- If this setting is true then the existing ip logic would be implemented in the pre_loginpage_hook and loginpage_hook, if they fail they get a nice configurable error message.
- have tokens in the error message to clearly help the user see why it failed and what their own ip address is
- MAYBE? If set the user_login() would always return false too. test how this works with the saml2 auth and see how the two pre_auth hooks clash or not
- have a way to logout anyone currently logged in who's ip address doesn't match
Thanks for the feedback!
Nice option to be added and I personally like it.
However, we are in hard work nowadays. If you need that in the short time, please, consider making a PR. Otherwise, we will evaluate this in the middle term.
Thanks a lot!
Jordi
Awesome! Yes we will try and get a PR together, it's a little bit down our list too. We originally tried to get this into core but it was knocked back: