Enable devise lockable.

Gemfile

@@ -34,7 +34,7 @@ gem 'fontello_rails_converter'
 gem 'bootstrap-datepicker-rails'
 gem 'public_suffix'
 gem 'devise-security'
-gem 'rails_email_validator'
+gem 'email_validator', require: 'email_validator/strict'
 
 gem 'doorkeeper-jwt', git: 'https://github.com/rubykube/doorkeeper-jwt.git'
 gem 'memoist', '~> 0.16'

Gemfile.lock

@@ -120,6 +120,8 @@ GEM
       unf (>= 0.0.5, < 1.0.0)
     doorkeeper (4.2.6)
       railties (>= 4.2)
+    email_validator (1.6.0)
+      activemodel
     equalizer (0.0.11)
     erubi (1.7.0)
     excon (0.60.0)
@@ -281,8 +283,6 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.0.4)
       loofah (~> 2.2, >= 2.2.2)
-    rails_email_validator (0.1.4)
-      activemodel (>= 3.0.0)
     railties (5.1.4)
       actionpack (= 5.1.4)
       activesupport (= 5.1.4)
@@ -410,6 +410,7 @@ DEPENDENCIES
   discard (~> 1.0)
   doorkeeper (~> 4.2.6)
   doorkeeper-jwt!
+  email_validator
   factory_bot_rails (~> 4.8)
   faker (~> 1.8)
   figaro
@@ -436,7 +437,6 @@ DEPENDENCIES
   rack-cors (~> 1.0.2)
   rails (~> 5.1.4)
   rails-controller-testing
-  rails_email_validator
   rspec-rails (~> 3.7.1)
   sassc-rails (~> 1.3)
   selenium-webdriver (~> 3.8)

app/models/account.rb

@@ -85,6 +85,9 @@ def as_json_for_event_api
       reset_password_token: reset_password_token,
       reset_password_sent_at: format_iso8601_time(reset_password_sent_at),
       state: state,
+      failed_attempts: failed_attempts,
+      unlock_token: unlock_token,
+      locked_at: locked_at,
       created_at: format_iso8601_time(created_at),
       updated_at: format_iso8601_time(updated_at)
     }

config/initializers/devise.rb

@@ -177,27 +177,27 @@
   # Defines which strategy will be used to lock an account.
   # :failed_attempts = Locks an account after a number of failed attempts to sign in.
   # :none            = No lock strategy. You should handle locking by yourself.
-  # config.lock_strategy = :failed_attempts
+  config.lock_strategy = :failed_attempts
 
   # Defines which key will be used when locking and unlocking an account
-  # config.unlock_keys = [:email]
+  config.unlock_keys = [:email]
 
   # Defines which strategy will be used to unlock an account.
   # :email = Sends an unlock link to the user email
   # :time  = Re-enables login after a certain amount of time (see :unlock_in below)
   # :both  = Enables both strategies
   # :none  = No unlock strategy. You should handle unlocking by yourself.
-  # config.unlock_strategy = :both
+  config.unlock_strategy = :both
 
   # Number of authentication tries before locking an account if lock_strategy
   # is failed attempts.
-  # config.maximum_attempts = 20
+  config.maximum_attempts = 5
 
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
-  # config.unlock_in = 1.hour
+  config.unlock_in = 1.hour
 
   # Warn on the last attempt before the account is locked.
-  # config.last_attempt_warning = true
+  config.last_attempt_warning = false
 
   # ==> Configuration for :recoverable
   #

db/seeds.rb

@@ -23,7 +23,7 @@
   end
 
   admin = Account.new(seed['account'])
-  admin.password ||= SecureRandom.hex(20)
+  admin.password ||= SecureRandom.base64(30)
 
   if admin.save
     logger.info "Created account for '#{admin.email}'"