I have filed this using the "feature request" process. Any reason why this was converted to a discussion? Should I open discussions instead of "feature request" issues in the future?
Is your feature request related to a problem? Please describe.
Supply chain attacks via password reuse or cookie theft are becoming increasingly commonplace. Currently crates.io lacks some basic mitigations that the other package registries have already rolled out.
Describe the solution you'd like
An email notification should be sent to the address registered on crates.io on every login. This informs the user in case of account compromise and gives them an opportunity to react. At present an account compromise would go completely undetected.
Email notifications for new logins are already standard practice - for example, Google does that.
Describe alternatives you've considered
Github currently does not send email notifications about new logins; it might be possible to ask Github to implement this feature instead. However, doing this on crates.io level is still worthwhile even if Github implemented it, because doing this on crates.io level would also protect from Github cookie theft.
Additional context
Supply chain attacks are becoming increasingly commonplace. Just last month four high-profile NPM packages have been compromised, with ua-parser-js being the most widely used. The attackers have flooded the maintainers' inboxes with spam to distract them from NPM email notifications, but it has merely delayed the discovery of the compromise. As of right now a similar compromise on crates.io would go completely undetected.
See also: #4195, #4197 for other basic mitigations. No single one is sufficient on its own; they have to be used in tandem.
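A sketch of the requested behaviour, added here as an illustration and not code from crates.io or the thread's author: every successful login produces a mail carrying the time, source address and client, and the notifier additionally records which (user, IP, user agent) combinations it has seen so the mail can say whether the client is new. The `LoginEvent` fields, the `Mailer` trait and the `LoginNotifier` type are assumptions of this example; the novelty flag goes beyond the proposal, which asks only for a mail on every login.

```rust
use std::collections::HashSet;

/// Facts about one successful login that the notification should carry.
/// Field names are this example's own assumptions.
#[derive(Debug, Clone)]
pub struct LoginEvent {
    pub username: String,
    pub email: String,       // address registered on the account
    pub ip: String,
    pub user_agent: String,
    pub timestamp: String,   // ISO-8601 text; a real system would use a time type
}

/// Anything that can deliver mail; a recorder stands in for it in tests.
pub trait Mailer {
    fn send(&mut self, to: &str, subject: &str, body: &str);
}

/// Sends a mail on every login and remembers (user, ip, user agent) triples
/// so the mail can say whether this client has been seen before.
#[derive(Default)]
pub struct LoginNotifier {
    seen: HashSet<(String, String, String)>,
}

impl LoginNotifier {
    /// Returns true when the client was not seen before; a mail is sent either way.
    pub fn notify(&mut self, mailer: &mut dyn Mailer, ev: &LoginEvent) -> bool {
        let key = (ev.username.clone(), ev.ip.clone(), ev.user_agent.clone());
        let is_new_client = self.seen.insert(key);
        let subject = format!("[crates.io] New login to your account {}", ev.username);
        let novelty = if is_new_client {
            "This client has not been seen before."
        } else {
            "This client has logged in before."
        };
        let body = format!(
            "A login to your crates.io account occurred at {} from {} ({}).\n{}\n\
             If this was not you, revoke your API tokens and sessions immediately.",
            ev.timestamp, ev.ip, ev.user_agent, novelty
        );
        mailer.send(&ev.email, &subject, &body);
        is_new_client
    }
}

/// Test double that records (to, subject, body) instead of sending mail.
#[derive(Default)]
pub struct RecordingMailer {
    pub sent: Vec<(String, String, String)>,
}

impl Mailer for RecordingMailer {
    fn send(&mut self, to: &str, subject: &str, body: &str) {
        self.sent.push((to.to_string(), subject.to_string(), body.to_string()));
    }
}
```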