Suspicious login detection. Compares login IP against all active session IPs for the user. Triggers on new IP during explicit login only.
Does NOT trigger on:
- Remember-me rehydration (D-45)
- User's first login ever (no prior sessions to compare against)
Configuration
suspicious_login: [
enabled: true, # Enable/disable detection
notify: true # Send email notification on detection
]Telemetry
Emits [:sigra, :security, :suspicious_login] with metadata:
%{user_id, ip, geo_city, geo_country_code} per D-57.
Summary
Functions
Detect if a login is from a suspicious (new) IP.
Functions
@spec detect(Sigra.Config.t(), term(), String.t(), keyword()) :: :ok | {:suspicious, map()}
Detect if a login is from a suspicious (new) IP.
Returns :ok if the login IP is known or detection is disabled.
Returns {:suspicious, details} if the IP is new and user has prior sessions.
Parameters
config-%Sigra.Config{}structuser_id- the user's IDlogin_ip- the IP address of the current login (string)opts- keyword list with:session_store(resolved from config if absent)