limit user to 20 login attempts before 2hr timeout

EFForg · Oct 31, 2015 · 9e9c784 · 9e9c784
1 parent 828c004
commit 9e9c784
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 11 deletions.
diff --git a/app/helpers/devise_helper.rb b/app/helpers/devise_helper.rb
@@ -5,24 +5,25 @@ def devise_error_messages!
     flash_alerts = []
     error_key = 'errors.messages.not_saved'
 
+    flash_alerts.push("This account was locked due to too many failed login attempts.  Check your email for a link to unlock.") if locked_account?
+
     if !flash.empty?
       flash_alerts.push(flash[:error]) if flash[:error]
       flash_alerts.push(flash[:alert]) if flash[:alert]
       flash_alerts.push(flash[:notice]) if flash[:notice]
       error_key = 'devise.failure.invalid'
     end
 
-
     return "" if resource.errors.empty? && flash_alerts.empty?
     @hasErrorMessages = true
     errors = resource.errors.empty? ? flash_alerts : resource.errors.full_messages
 
     messages = errors.map { |msg| content_tag(:p, msg) }.join
     sentence = I18n.t(error_key, :count    => errors.count,
                                  :resource => resource.class.model_name.human.downcase)
-    
+
     if !flash[:notice] | flash[:alert]
-      panel_title = "<div class='panel-heading'><h3 class='panel-title'>Error</h3></div>" 
+      panel_title = "<div class='panel-heading'><h3 class='panel-title'>Error</h3></div>"
     end
 
     html = <<-HTML
@@ -36,7 +37,13 @@ def devise_error_messages!
 
     html.html_safe
   end
+
   def devise_error_messages?
     @hasErrorMessages ? true: false
   end
+
+  def locked_account?
+    u = User.find_by_email(@user.email)
+    u && u.access_locked?
+  end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -4,7 +4,7 @@ class User < ActiveRecord::Base
   # Include default devise modules. Others available are:
   # :confirmable, :lockable, :timeoutable and :omniauthable
   devise :database_authenticatable, :confirmable, :registerable,
-         :recoverable, :rememberable, :validatable,
+         :recoverable, :rememberable, :validatable, :lockable,
          remember_for: 90.days
   has_many :signatures
   has_many :user_preferences

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -154,27 +154,27 @@
   # Defines which strategy will be used to lock an account.
   # :failed_attempts = Locks an account after a number of failed attempts to sign in.
   # :none            = No lock strategy. You should handle locking by yourself.
-  # config.lock_strategy = :failed_attempts
+  config.lock_strategy = :failed_attempts
 
   # Defines which key will be used when locking and unlocking an account
-  # config.unlock_keys = [ :email ]
+  config.unlock_keys = [ :email ]
 
   # Defines which strategy will be used to unlock an account.
   # :email = Sends an unlock link to the user email
   # :time  = Re-enables login after a certain amount of time (see :unlock_in below)
   # :both  = Enables both strategies
   # :none  = No unlock strategy. You should handle unlocking by yourself.
-  # config.unlock_strategy = :both
+  config.unlock_strategy = :both
 
   # Number of authentication tries before locking an account if lock_strategy
   # is failed attempts.
-  # config.maximum_attempts = 20
+  config.maximum_attempts = 20
 
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
-  # config.unlock_in = 1.hour
+  config.unlock_in = 2.hour
 
   # Warn on the last attempt before the account is locked.
-  # config.last_attempt_warning = false
+  config.last_attempt_warning = true
 
   # ==> Configuration for :recoverable
   #

diff --git a/db/migrate/20151026192811_add_lockable_to_users.rb b/db/migrate/20151026192811_add_lockable_to_users.rb
@@ -0,0 +1,9 @@
+class AddLockableToUsers < ActiveRecord::Migration
+  def change
+    add_column :users, :failed_attempts, :integer, default: 0
+    add_column :users, :unlock_token, :string
+    add_column :users, :locked_at, :datetime
+
+    add_index :users, :unlock_token,         :unique => true
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20150917204929) do
+ActiveRecord::Schema.define(version: 20151026192811) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -314,11 +314,15 @@
     t.boolean  "subscribe",              default: true
     t.integer  "partner_id"
     t.string   "unconfirmed_email"
+    t.integer  "failed_attempts",        default: 0
+    t.string   "unlock_token"
+    t.datetime "locked_at"
   end
 
   add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true, using: :btree
   add_index "users", ["email"], name: "index_users_on_email", unique: true, using: :btree
   add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true, using: :btree
+  add_index "users", ["unlock_token"], name: "index_users_on_unlock_token", unique: true, using: :btree
 
   create_table "visits", id: :uuid, default: "uuid_generate_v4()", force: true do |t|
     t.uuid     "visitor_id"