Commit 4c24cabf4709b8421c751970fa72a9eba145b992

Authored by Dmitriy Zaporozhets
2 parents 9497b1a7 65337118

Merge pull request #1012 from NARKOZ/devise

Add a 10-minute lock after 10 failed login attempts (Devise :lockable)
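--- a/Gemfile
+++ b/Gemfile
@@ -7,7 +7,7 @@ gem "sqlite3"
 gem "mysql2"
 
 # Auth
-gem "devise", "~> 1.5"
+gem "devise", "~> 2.1.0"
 
 # GITLAB patched libs
 gem "grit", :git => "https://github.com/gitlabhq/grit.git", :ref => "7f35cb98ff17d534a07e3ce6ec3d580f67402837"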
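--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -148,10 +148,11 @@ GEM
 nokogiri (>= 1.5.0)
 daemons (1.1.8)
 database_cleaner (0.8.0)
-devise (1.5.3)
+devise (2.1.2)
 bcrypt-ruby (~> 3.0)
-orm_adapter (~> 0.0.3)
-warden (~> 1.1)
+orm_adapter (~> 0.1)
+railties (~> 3.1)
+warden (~> 1.2.1)
 diff-lcs (1.1.3)
 drapper (0.8.4)
 email_spec (1.2.1)
@@ -225,7 +226,7 @@ GEM
 omniauth (1.1.0)
 hashie (~> 1.2)
 rack
-orm_adapter (0.0.7)
+orm_adapter (0.3.0)
 polyglot (0.3.3)
 posix-spawn (0.3.6)
 pry (0.9.9.6)
@@ -356,7 +357,7 @@ GEM
 raindrops (~> 0.7)
 vegas (0.1.11)
 rack (>= 1.0.0)
-warden (1.2.0)
+warden (1.2.1)
 rack (>= 1.0)
 webmock (1.8.7)
 addressable (>= 2.2.7)
@@ -383,7 +384,7 @@ DEPENDENCIES
 colored
 cucumber-rails
 database_cleaner
-devise (~> 1.5)
+devise (~> 2.1.0)
 drapper
 email_spec
 ffaker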
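--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -52,7 +52,7 @@ class ApplicationController < ActionController::Base
 
 def layout_by_resource
 if devise_controller?
-"devise"
+"devise_layout"
 else
 "application"
 end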
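--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,11 +1,11 @@
 class User < ActiveRecord::Base
 include Account
 
-devise :database_authenticatable, :token_authenticatable,
+devise :database_authenticatable, :token_authenticatable, :lockable,
 :recoverable, :rememberable, :trackable, :validatable, :omniauthable
 
 attr_accessible :email, :password, :password_confirmation, :remember_me, :bio,
-:name, :projects_limit, :skype, :linkedin, :twitter, :dark_scheme,
+:name, :projects_limit, :skype, :linkedin, :twitter, :dark_scheme,
 :theme_id, :force_random_password
 
 attr_accessor :force_random_password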
app/views/layouts/devise.html.haml
... ... @@ -1,6 +0,0 @@
1   -!!! 5
2   -%html{ :lang => "en"}
3   - = render "layouts/head"
4   - %body.ui_basic.login-page
5   - = render :partial => "layouts/flash"
6   - .container= yield
app/views/layouts/devise_layout.html.haml 0 → 100644
... ... @@ -0,0 +1,6 @@
  1 +!!! 5
  2 +%html{ :lang => "en"}
  3 + = render "layouts/head"
  4 + %body.ui_basic.login-page
  5 + = render :partial => "layouts/flash"
  6 + .container= yield
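--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -93,10 +93,6 @@ Devise.setup do |config|
 # If true, extends the user's remember period when remembered via cookie.
 # config.extend_remember_period = false
 
-# If true, uses the password salt as remember token. This should be turned
-# to false if you are not using database authenticatable.
-config.use_salt_as_remember_token = true
-
 # Options to be passed to the created cookie. For instance, you can set
 # :secure => true in order to force SSL only cookies.
 # config.cookie_options = {}
@@ -119,7 +115,7 @@ Devise.setup do |config|
 # Defines which strategy will be used to lock an account.
 # :failed_attempts = Locks an account after a number of failed attempts to sign in.
 # :none = No lock strategy. You should handle locking by yourself.
-# config.lock_strategy = :failed_attempts
+config.lock_strategy = :failed_attempts
 
 # Defines which key will be used when locking and unlocking an account
 # config.unlock_keys = [ :email ]
@@ -129,14 +125,14 @@ Devise.setup do |config|
 # :time = Re-enables login after a certain amount of time (see :unlock_in below)
 # :both = Enables both strategies
 # :none = No unlock strategy. You should handle unlocking by yourself.
-# config.unlock_strategy = :both
+config.unlock_strategy = :time
 
 # Number of authentication tries before locking an account if lock_strategy
 # is failed attempts.
-# config.maximum_attempts = 20
+config.maximum_attempts = 10
 
 # Time interval to unlock the account if :time is enabled as unlock_strategy.
-# config.unlock_in = 1.hour
+config.unlock_in = 10.minutes
 
 # ==> Configuration for :recoverable
 #
@@ -160,9 +156,9 @@ Devise.setup do |config|
 # Defines name of the authentication token params key
 config.token_authentication_key = :private_token
 
-# If true, authentication through token does not store user in session and needs
+# Authentication through token does not store user in session and needs
 # to be supplied on each request. Useful if you are using the token as API token.
-config.stateless_token = true
+config.skip_session_storage << :token_auth
 
 # ==> Scopes configuration
 # Turn scoped views on. Before rendering "sessions/new", it will first check for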
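Review bot: The combination of `config.lock_strategy = :failed_attempts`, `config.maximum_attempts = 10` and `config.unlock_strategy = :time` with `config.unlock_in = 10.minutes` means ten wrong passwords submitted for a known email keep that account's owner out for ten minutes, so the lock is also a lockout risk for legitimate users and not only a brute-force mitigation. That is an accepted trade-off of a time-based lock, but the initializer records only the bare values, so I would add above `config.lock_strategy` a comment such as `# Lock for 10 minutes after 10 failed attempts; :time unlock keeps the lock short so a stream of bad passwords cannot lock an account out indefinitely (see PR #1012).` Whether the sign-in endpoint is additionally rate-limited per client is not visible in this commit and is worth confirming, since the per-account lock alone does not slow attempts spread over many accounts. The `Devise.setup` block starts and ends outside these hunks.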
config/locales/devise.en.yml
... ... @@ -35,13 +35,11 @@ en:
35 35 confirmed: 'Your account was successfully confirmed. You are now signed in.'
36 36 registrations:
37 37 signed_up: 'Welcome! You have signed up successfully.'
38   - inactive_signed_up: 'You have signed up successfully. However, we could not sign you in because your account is %{reason}.'
39 38 updated: 'You updated your account successfully.'
40 39 destroyed: 'Bye! Your account was successfully cancelled. We hope to see you again soon.'
41   - reasons:
42   - inactive: 'inactive'
43   - unconfirmed: 'unconfirmed'
44   - locked: 'locked'
  40 + signed_up_but_unconfirmed: 'A message with a confirmation link has been sent to your email address. Please open the link to activate your account.'
  41 + signed_up_but_inactive: 'You have signed up successfully. However, we could not sign you in because your account is not yet activated.'
  42 + signed_up_but_locked: 'You have signed up successfully. However, we could not sign you in because your account is locked.'
45 43 unlocks:
46 44 send_instructions: 'You will receive an email with instructions about how to unlock your account in a few minutes.'
47 45 unlocked: 'Your account was successfully unlocked. You are now signed in.'
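--- a/db/migrate/20110913200833_devise_create_users.rb
+++ b/db/migrate/20110913200833_devise_create_users.rb
@@ -1,15 +1,43 @@
 class DeviseCreateUsers < ActiveRecord::Migration
 def self.up
 create_table(:users) do |t|
-t.database_authenticatable :null => false
-t.recoverable
-t.rememberable
-t.trackable
+## Database authenticatable
+t.string :email, :null => false, :default => ""
+t.string :encrypted_password, :null => false, :default => ""
 
-# t.encryptable
-# t.confirmable
-# t.lockable :lock_strategy => :failed_attempts, :unlock_strategy => :both
-# t.token_authenticatable
+## Recoverable
+t.string :reset_password_token
+t.datetime :reset_password_sent_at
+
+## Rememberable
+t.datetime :remember_created_at
+
+## Trackable
+t.integer :sign_in_count, :default => 0
+t.datetime :current_sign_in_at
+t.datetime :last_sign_in_at
+t.string :current_sign_in_ip
+t.string :last_sign_in_ip
+
+## Encryptable
+# t.string :password_salt
+
+## Confirmable
+# t.string :confirmation_token
+# t.datetime :confirmed_at
+# t.datetime :confirmation_sent_at
+# t.string :unconfirmed_email # Only if using reconfirmable
+
+## Lockable
+# t.integer :failed_attempts, :default => 0 # Only if lock strategy is :failed_attempts
+# t.string :unlock_token # Only if unlock strategy is :email or :both
+# t.datetime :locked_at
+
+# Token authenticatable
+# t.string :authentication_token
+
+## Invitable
+# t.string :invitation_token
 
 t.timestamps
 end
@@ -18,7 +46,7 @@
 add_index :users, :reset_password_token, :unique => true
 # add_index :users, :confirmation_token, :unique => true
 # add_index :users, :unlock_token, :unique => true
-# add_index :users, :authentication_token, :unique => true
+add_index :users, :authentication_token, :unique => true
 end
 
 def self.down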
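Review bot: `add_index :users, :authentication_token, :unique => true` is uncommented in the second hunk while `t.string :authentication_token` stays commented out inside the same `create_table` block, so on a fresh database this migration would try to index a column it never creates; presumably that column is added by a later migration, which is too late for an index declared here. Separately, this is the 2011 migration, which has already run on every existing database, so rewriting it changes nothing there — both the expanded column list and the new index only take effect through `rake db:schema:load` on a new install. I would leave this file as it was applied and put the index, if it is wanted, in a new migration alongside the one added in this commit, e.g. `add_index :users, :authentication_token, :unique => true` in a `change` method. Minor: `# Token authenticatable` uses a single `#` where every other section header uses `##`. `self.up` spans both hunks and its end is only visible in the second one.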
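--- a/db/migrate/20120706065612_add_lockable_to_users.rb
+++ b/db/migrate/20120706065612_add_lockable_to_users.rb
@@ -0,0 +1,6 @@
+class AddLockableToUsers < ActiveRecord::Migration
+def change
+add_column :users, :failed_attempts, :integer, :default => 0
+add_column :users, :locked_at, :datetime
+end
+end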
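--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.
 
-ActiveRecord::Schema.define(:version => 20120627145613) do
+ActiveRecord::Schema.define(:version => 20120706065612) do
 
 create_table "events", :force => true do |t|
 t.string "target_type"
@@ -169,6 +169,8 @@
 t.integer "theme_id", :default => 1, :null => false
 t.string "bio"
 t.boolean "blocked", :default => false, :null => false
+t.integer "failed_attempts", :default => 0
+t.datetime "locked_at"
 end
 
 add_index "users", ["email"], :name => "index_users_on_email", :unique => true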