User account audit log
I put this here for comment; let me know what you think, or if you have additional ideas.
Now that we have the per-user encrypted transaction log in iapi, I really want an audit log for user accounts. The audit events can be listed by the user and some of the more important ones should also generate a notification email.
Ideas for entries:
- pw settings change (pw / app pw / 2fa)
- security settings change: recovery email, recovery token displayed or mailed, pgp key changed
- invite code created
- services (resources) created / deleted
- logins (where and how), this one probably with a short ttl, e.g. stored just for 1-2 weeks
Maybe long-term (if we can implement it in a reasonable way):
- login with new / unknown device