devise lockable if password wrong 3 times

corsego · Jun 20, 2021 · e72151d · e72151d
1 parent f5e519e
commit e72151d
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 8 deletions.
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -1,7 +1,7 @@
 class User < ApplicationRecord
   # Include default devise modules. Others available are:
-  # :lockable, :timeoutable and :omniauthable
+  # :timeoutable and :omniauthable
   devise :database_authenticatable, :registerable,
          :recoverable, :rememberable, :validatable, :trackable,
-         :confirmable
+         :confirmable, :lockable
 end
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -194,7 +194,7 @@
   # Defines which strategy will be used to lock an account.
   # :failed_attempts = Locks an account after a number of failed attempts to sign in.
   # :none            = No lock strategy. You should handle locking by yourself.
-  # config.lock_strategy = :failed_attempts
+  config.lock_strategy = :failed_attempts
 
   # Defines which key will be used when locking and unlocking an account
   # config.unlock_keys = [:email]
@@ -204,17 +204,17 @@
   # :time  = Re-enables login after a certain amount of time (see :unlock_in below)
   # :both  = Enables both strategies
   # :none  = No unlock strategy. You should handle unlocking by yourself.
-  # config.unlock_strategy = :both
+  config.unlock_strategy = :both
 
   # Number of authentication tries before locking an account if lock_strategy
   # is failed attempts.
-  # config.maximum_attempts = 20
+  config.maximum_attempts = 3
 
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
-  # config.unlock_in = 1.hour
+  config.unlock_in = 1.hour
 
   # Warn on the last attempt before the account is locked.
-  # config.last_attempt_warning = true
+  config.last_attempt_warning = true
 
   # ==> Configuration for :recoverable
   #

diff --git a/db/migrate/20210620151509_add_lockable_to_devise.rb b/db/migrate/20210620151509_add_lockable_to_devise.rb
@@ -0,0 +1,10 @@
+class AddLockableToDevise < ActiveRecord::Migration[6.1]
+  def change
+    add_column :users, :failed_attempts, :integer, default: 0, null: false # Only if lock strategy is :failed_attempts
+    add_column :users, :locked_at, :datetime
+
+    # Add these only if unlock strategy is :email or :both
+    add_column :users, :unlock_token, :string
+    add_index :users, :unlock_token, unique: true
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb