move-elevator/typo3-login-warning

Login Warning - Extends the TYPO3 backend login warning_mode functionality to inform about suspicious logins with several features.

Maintainers

Package info

github.com/move-elevator/typo3-login-warning

Type:typo3-cms-extension

pkg:composer/move-elevator/typo3-login-warning

Transparency log

Statistics

Installs: 3 500

Dependents: 0

Suggesters: 0

Stars: 2

Open Issues: 1

1.0.3 2026-06-05 10:48 UTC

README

Extension icon

TYPO3 extension typo3_login_warning

Latest Stable Version TYPO3 Coverage CGL Tests License

This extension extends the TYPO3 backend login warning_mode functionality to inform about suspicious logins with several features:

  • New IP based warning to detect logins from new IP addresses
  • Long Time No See notification for infrequent users
  • Out Of Office login detection outside defined working hours, holidays, or vacation periods

Note

Since I was annoyed by the constant login emails from the TYPO3 backend, but the issue of login security is still extremely important, I expanded the standard login notification functions of TYPO3 with some more or less well-known additional features.

🔥 Installation

Requirements

  • TYPO3 >= 12.4
  • PHP 8.2+

Composer

Packagist Packagist Downloads

composer require move-elevator/typo3-login-warning

TER

TER version TER downloads

Download the zip file from TYPO3 extension repository (TER).

Setup

Set up the extension after the installation:

vendor/bin/typo3 extension:setup --extension=typo3_login_warning

By default, the New IP and Long Time No See detectors are enabled.

🧰 Configuration

Configure the extension through the TYPO3 backend:

  1. Go to SettingsExtension Configuration
  2. Select typo3_login_warning
  3. Configure your detectors and notification settings

🔎 Detectors

Detectors are used to detect certain login events. If a detector matches, a notification will be sent.

Important

Only the first matching detector will trigger a notification.

The following detectors are available (in order of execution):

NewIpDetector

Detects logins from new IP addresses and triggers a warning email.

The user "admin" logged in from a new IP address 192.168.97.5 at the site "EXT:typo3-login-warning Dev Environment".

Only an HMAC-SHA-256 hash of the user/IP combination is stored — never the raw IP address. You can also define a whitelist of IP addresses that will not trigger a warning. An IP geolocation lookup and a device information check can be enabled to add more information to the notification email.

Important

Keep in mind, that this detector stores hashed IP addresses in the database table tx_typo3loginwarning_iplog to track known IPs.

Configuration Options:

Setting Description Default
Active Enable New IP detector true
Fetch Geolocation Enable IP geolocation lookup (opt-in, see Geolocation) false
Include Device Information Include browser and OS information in notification emails true
IP Whitelist Comma-separated list of whitelisted IPs/networks (supports CIDR notation like 192.168.1.0/24) 127.0.0.1
Affected Users Which users should trigger this detector: All Users, Only Admins, Only System Maintainers All Users
Notification Receiver Who should receive the notification: Email Recipients, Logged-In User, Both Email Recipients

Note

IP address hashing requires an HMAC key. The extension automatically uses TYPO3's $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] as fallback. Setting a dedicated random key is recommended so the stored hashes are not tied to the global encryption key. Note that changing the key invalidates all stored hashes — every known IP will trigger one new-IP notification again.

$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['typo3_login_warning']['hmacKey'] = 'your-secure-random-key';

IP log cleanup

The IP log table grows with every new (user, IP) combination — especially when clients use IPv6 privacy extensions with rotating addresses. To enforce a retention period, delete entries that have not been seen for a given number of days:

vendor/bin/typo3 typo3loginwarning:iplog:cleanup --days 365

Use --dry-run to only report how many entries would be deleted. The command is schedulable, e.g. via the TYPO3 scheduler "Execute console commands" task.

Note

After an entry has been deleted, the next login from that IP address triggers a new-IP notification again — that is the intended effect of a retention period.

Entries created by older extension versions (1.0.3 and below) may lack a last-seen timestamp. The cleanup command initializes such legacy entries with the current time instead of deleting them, so they are granted a full retention period before becoming cleanup candidates — otherwise every already-known IP would be reported as new again after the first cleanup run.

Geolocation

If Fetch Geolocation is enabled, the extension will use the ip-api.com service to fetch geolocation information for the IP address. Only public IP addresses will be looked up to respect privacy.

Warning

Geolocation lookup is disabled by default and is an explicit opt-in: it transfers the login IP address (personal data under GDPR) to the external ip-api.com service, using unencrypted HTTP on the free tier. Before enabling it, check your data protection requirements (third-country transfer, privacy policy, data processing agreement) and note that the free ip-api.com endpoint is limited to non-commercial use. Consider providing your own GeolocationServiceInterface implementation (see below) if you need an EU-hosted or TLS-secured provider.

Tip

You can implement your own geolocation service by implementing the GeolocationServiceInterface and registering it in the DI container.

services:
  MoveElevator\Typo3LoginWarning\Service\GeolocationServiceInterface:
    alias: Vendor\MyExtension\Service\MyCustomGeolocationService

LongTimeNoSeeDetector

Detects logins after a long period of inactivity (default: 365 days).

The user "admin" logged in again after a long time (643 days) at the site "EXT:typo3-login-warning Dev Environment".

Configuration Options:

Setting Description Default
Active Enable Long Time No See detector true
Threshold Days Days of inactivity before triggering 365
Affected Users Which users should trigger this detector: All Users, Only Admins, Only System Maintainers All Users
Notification Receiver Who should receive the notification: Email Recipients, Logged-In User, Both Email Recipients

OutOfOfficeDetector

Detects logins outside defined working hours, holidays, or vacation periods. Supports flexible working hours with multiple time ranges per day (e.g., lunch breaks), timezone handling, and comprehensive blocked periods configuration with both full dates and recurring patterns.

The user "admin" logged in outside office hours at the site "EXT:typo3-login-warning Dev Environment".

Configuration Options:

Setting Description Default
Active Enable Out Of Office detector false
Working Hours JSON configuration for working hours. Supports shortcuts: workday (Mon-Fri), weekend (Sat-Sun). Also supports multiple time ranges per day for lunch breaks. Examples: {"workday":["09:00","17:00"]}, {"workday":["09:00","17:00"],"weekend":["10:00","14:00"]}, {"workday":["09:00","17:00"],"friday":["09:00","15:00"]}, {"monday":[["09:00","12:00"],["13:00","17:00"]]} Business hours (06-20) Mon-Fri
Timezone Timezone for working hours UTC
Blocked Periods Comma-separated list of blocked days or periods. Formats: Full date (2025-12-25), recurring date (12-25), date range (2025-07-15:2025-07-30), recurring range (12-20:01-05). Example: 12-25,01-01,2025-07-15:2025-07-30 Empty
Affected Users Which users should trigger this detector: All Users, Only Admins, Only System Maintainers All Users
Notification Receiver Who should receive the notification: Email Recipients, Logged-In User, Both Email Recipients

Custom Detectors

Tip

You can implement your own detector by implementing the DetectorInterface, extending the AbstractDetector and registering it in the DI container.

services:
  Vendor\MyExtension\Detector\CustomDetector:
    tags:
      - { name: typo3_login_warning.detector, priority: 200 }

📢 Notification

Notification methods are used to notify about detected login events.

The following notification methods are available:

EmailNotification

Sends a warning email to defined recipients. If no recipient is defined, the email will be sent to the address defined in $GLOBALS['TYPO3_CONF_VARS']['BE']['warning_email_addr'].

Global Configuration Options:

  • Email Recipients: Email address(es) of the notification recipients (comma-separated)

Per-Detector Configuration:

Each detector has its own Notification Receiver setting that controls who receives notifications:

  • Email Recipients (default): Send notification only to configured email recipients
  • Logged-In User: Send notification only to the logged-in user (requires valid email address)
  • Both: Send notification to both email recipients and logged-in user

email.jpg

Templates

You can override the email templates located in Resources/Private/Templates/Email/Default/LoginNotification/.

$GLOBALS['TYPO3_CONF_VARS']['MAIL']['templateRootPaths'][1000] = 'EXT:my_sitepackage/Resources/Private/Templates/Email/';

Custom Notifiers

Tip

You can implement your own notification method by implementing the NotifierInterface and registering it in the DI container.

services:
  Vendor\MyExtension\Notification\SlackNotification:
    tags:
      - { name: typo3_login_warning.notifier }

Event

You can modify the notification by listening to the ModifyLoginNotificationEvent.

use MoveElevator\Typo3LoginWarning\Event\ModifyLoginNotificationEvent;
use TYPO3\CMS\Core\Attribute\AsEventListener;

#[AsEventListener]
final class CustomNotificationListener
{
     public function __invoke(ModifyLoginNotificationEvent $event): void
     {
         // Example: Prevent notifications for test users
          $user = $event->getUser();
          if (str_starts_with($user->user['username'] ?? '', 'test_')) {
              $event->preventNotification();
              return;
          }
    }
}

Note

Register your event listener via the AsEventListener attribute (TYPO3 >= 13) or in your service configuration (see docs).

🧑‍💻 Contributing

Please have a look at CONTRIBUTING.md.

⭐ License

This project is licensed under GNU General Public License 2.0 (or later).