Commit 4c24cabf4709b8421c751970fa72a9eba145b992
Merge pull request #1012 from NARKOZ/devise
Add 10 minutes lock after 10 failed login attempts (Devise :lockable)
Showing
11 changed files
with
72 additions
and
41 deletions
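--- a/Gemfile
+++ b/Gemfile
@@ -7,7 +7,7 @@ gem "sqlite3"
 gem "mysql2"
 
 # Auth
-gem "devise", "~> 1.5"
+gem "devise", "~> 2.1.0"
 
 # GITLAB patched libs
 gem "grit", :git => "https://github.com/gitlabhq/grit.git", :ref => "7f35cb98ff17d534a07e3ce6ec3d580f67402837"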
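--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -148,10 +148,11 @@ GEM
 nokogiri (>= 1.5.0)
 daemons (1.1.8)
 database_cleaner (0.8.0)
- devise (1.5.3)
+ devise (2.1.2)
 bcrypt-ruby (~> 3.0)
- orm_adapter (~> 0.0.3)
- warden (~> 1.1)
+ orm_adapter (~> 0.1)
+ railties (~> 3.1)
+ warden (~> 1.2.1)
 diff-lcs (1.1.3)
 drapper (0.8.4)
 email_spec (1.2.1)
@@ -225,7 +226,7 @@ GEM
 omniauth (1.1.0)
 hashie (~> 1.2)
 rack
- orm_adapter (0.0.7)
+ orm_adapter (0.3.0)
 polyglot (0.3.3)
 posix-spawn (0.3.6)
 pry (0.9.9.6)
@@ -356,7 +357,7 @@ GEM
 raindrops (~> 0.7)
 vegas (0.1.11)
 rack (>= 1.0.0)
- warden (1.2.0)
+ warden (1.2.1)
 rack (>= 1.0)
 webmock (1.8.7)
 addressable (>= 2.2.7)
@@ -383,7 +384,7 @@ DEPENDENCIES
 colored
 cucumber-rails
 database_cleaner
- devise (~> 1.5)
+ devise (~> 2.1.0)
 drapper
 email_spec
 ffaker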
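--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -52,7 +52,7 @@ class ApplicationController < ActionController::Base
 
 def layout_by_resource
 if devise_controller?
- "devise"
+ "devise_layout"
 else
 "application"
 end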
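--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,11 +1,11 @@
 class User < ActiveRecord::Base
 include Account
 
- devise :database_authenticatable, :token_authenticatable,
+ devise :database_authenticatable, :token_authenticatable, :lockable,
 :recoverable, :rememberable, :trackable, :validatable, :omniauthable
 
 attr_accessible :email, :password, :password_confirmation, :remember_me, :bio,
- :name, :projects_limit, :skype, :linkedin, :twitter, :dark_scheme,
+ :name, :projects_limit, :skype, :linkedin, :twitter, :dark_scheme,
 :theme_id, :force_random_password
 
 attr_accessor :force_random_password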
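Review bot: The lock state that `:lockable` introduces (`failed_attempts`, `locked_at`) is, correctly, absent from the `attr_accessible` list on lines 7-9, so a mass-assigned profile update cannot clear a lock, but nothing records that this is deliberate and the next field added to that list could easily drag them in. I would put `# lockable state (failed_attempts, locked_at) must never be mass-assignable` directly above the `devise` call. Note also that, as far as I can tell from Devise's strategies, the failure counter only advances on the password path — a wrong `private_token` resolves no user and is not counted — so this change does not slow token guessing; that is acceptable given token length but worth stating in the same comment. The `User` class body continues past the hunk.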
app/views/layouts/devise.html.haml
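--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -93,10 +93,6 @@ Devise.setup do |config|
 # If true, extends the user's remember period when remembered via cookie.
 # config.extend_remember_period = false
 
- # If true, uses the password salt as remember token. This should be turned
- # to false if you are not using database authenticatable.
- config.use_salt_as_remember_token = true
-
 # Options to be passed to the created cookie. For instance, you can set
 # :secure => true in order to force SSL only cookies.
 # config.cookie_options = {}
@@ -119,7 +115,7 @@ Devise.setup do |config|
 # Defines which strategy will be used to lock an account.
 # :failed_attempts = Locks an account after a number of failed attempts to sign in.
 # :none = No lock strategy. You should handle locking by yourself.
- # config.lock_strategy = :failed_attempts
+ config.lock_strategy = :failed_attempts
 
 # Defines which key will be used when locking and unlocking an account
 # config.unlock_keys = [ :email ]
@@ -129,14 +125,14 @@ Devise.setup do |config|
 # :time = Re-enables login after a certain amount of time (see :unlock_in below)
 # :both = Enables both strategies
 # :none = No unlock strategy. You should handle unlocking by yourself.
- # config.unlock_strategy = :both
+ config.unlock_strategy = :time
 
 # Number of authentication tries before locking an account if lock_strategy
 # is failed attempts.
- # config.maximum_attempts = 20
+ config.maximum_attempts = 10
 
 # Time interval to unlock the account if :time is enabled as unlock_strategy.
- # config.unlock_in = 1.hour
+ config.unlock_in = 10.minutes
 
 # ==> Configuration for :recoverable
 #
@@ -160,9 +156,9 @@ Devise.setup do |config|
 # Defines name of the authentication token params key
 config.token_authentication_key = :private_token
 
- # If true, authentication through token does not store user in session and needs
+ # Authentication through token does not store user in session and needs
 # to be supplied on each request. Useful if you are using the token as API token.
- config.stateless_token = true
+ config.skip_session_storage << :token_auth
 
 # ==> Scopes configuration
 # Turn scoped views on. Before rendering "sessions/new", it will first check for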
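Review bot: `config.unlock_strategy = :time` together with `config.maximum_attempts = 10` keys the lock on the account rather than on the source, so anyone who knows a login can keep that account locked indefinitely by sending ten bad passwords every ten minutes, and nothing in this hunk throttles by client address. Devise's "account is locked" and last-attempt flash messages also confirm to the caller that the account exists, which makes the sessions endpoint a username oracle; if this Devise version provides `config.paranoid = true`, it belongs next to these lines, and a per-IP throttle should front the sign-in path in any case. `:both` would let the legitimate owner unlock by e-mail, but it requires the `unlock_token` column the migration leaves commented out, so the choice of `:time` should be recorded. I would add above `config.unlock_in = 10.minutes`: `# Account-keyed lockout: slows online guessing but lets an attacker lock out a known user; pair with per-IP throttling.`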
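--- a/config/locales/devise.en.yml
+++ b/config/locales/devise.en.yml
@@ -35,13 +35,11 @@ en:
 confirmed: 'Your account was successfully confirmed. You are now signed in.'
 registrations:
 signed_up: 'Welcome! You have signed up successfully.'
- inactive_signed_up: 'You have signed up successfully. However, we could not sign you in because your account is %{reason}.'
 updated: 'You updated your account successfully.'
 destroyed: 'Bye! Your account was successfully cancelled. We hope to see you again soon.'
- reasons:
- inactive: 'inactive'
- unconfirmed: 'unconfirmed'
- locked: 'locked'
+ signed_up_but_unconfirmed: 'A message with a confirmation link has been sent to your email address. Please open the link to activate your account.'
+ signed_up_but_inactive: 'You have signed up successfully. However, we could not sign you in because your account is not yet activated.'
+ signed_up_but_locked: 'You have signed up successfully. However, we could not sign you in because your account is locked.'
 unlocks:
 send_instructions: 'You will receive an email with instructions about how to unlock your account in a few minutes.'
 unlocked: 'Your account was successfully unlocked. You are now signed in.'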
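--- a/db/migrate/20110913200833_devise_create_users.rb
+++ b/db/migrate/20110913200833_devise_create_users.rb
@@ -1,15 +1,43 @@
 class DeviseCreateUsers < ActiveRecord::Migration
 def self.up
 create_table(:users) do |t|
- t.database_authenticatable :null => false
- t.recoverable
- t.rememberable
- t.trackable
+ ## Database authenticatable
+ t.string :email, :null => false, :default => ""
+ t.string :encrypted_password, :null => false, :default => ""
 
- # t.encryptable
- # t.confirmable
- # t.lockable :lock_strategy => :failed_attempts, :unlock_strategy => :both
- # t.token_authenticatable
+ ## Recoverable
+ t.string :reset_password_token
+ t.datetime :reset_password_sent_at
+
+ ## Rememberable
+ t.datetime :remember_created_at
+
+ ## Trackable
+ t.integer :sign_in_count, :default => 0
+ t.datetime :current_sign_in_at
+ t.datetime :last_sign_in_at
+ t.string :current_sign_in_ip
+ t.string :last_sign_in_ip
+
+ ## Encryptable
+ # t.string :password_salt
+
+ ## Confirmable
+ # t.string :confirmation_token
+ # t.datetime :confirmed_at
+ # t.datetime :confirmation_sent_at
+ # t.string :unconfirmed_email # Only if using reconfirmable
+
+ ## Lockable
+ # t.integer :failed_attempts, :default => 0 # Only if lock strategy is :failed_attempts
+ # t.string :unlock_token # Only if unlock strategy is :email or :both
+ # t.datetime :locked_at
+
+ # Token authenticatable
+ # t.string :authentication_token
+
+ ## Invitable
+ # t.string :invitation_token
 
 t.timestamps
 end
@@ -18,7 +46,7 @@ class DeviseCreateUsers < ActiveRecord::Migration
 add_index :users, :reset_password_token, :unique => true
 # add_index :users, :confirmation_token, :unique => true
 # add_index :users, :unlock_token, :unique => true
- # add_index :users, :authentication_token, :unique => true
+ add_index :users, :authentication_token, :unique => true
 end
 
 def self.down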
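Review bot: New line 49 uncomments `add_index :users, :authentication_token, :unique => true`, but the matching `t.string :authentication_token` on new line 37 stays commented out, so on a fresh database this migration would try to index a column that does not exist yet and abort — unless the column is created somewhere this page does not show, which the visible `create_table` block rules out for this migration. Either uncomment line 37 as well or leave the index line commented, whichever matches the migration that actually introduces the column. Rewriting a migration with a 2011 timestamp also does nothing for existing installs, which already ran the old version, and `schema.rb` shows `failed_attempts`/`locked_at` arriving via `20120706065612`, a migration not included in this page; a header comment such as `# Rewritten for Devise 2.x; lockable columns are added by a later migration` would spare the next reader that search. The `self.down` body lies outside the hunk.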
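--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.
 
-ActiveRecord::Schema.define(:version => 20120627145613) do
+ActiveRecord::Schema.define(:version => 20120706065612) do
 
 create_table "events", :force => true do |t|
 t.string "target_type"
@@ -169,6 +169,8 @@ ActiveRecord::Schema.define(:version => 20120627145613) do
 t.integer "theme_id", :default => 1, :null => false
 t.string "bio"
 t.boolean "blocked", :default => false, :null => false
+ t.integer "failed_attempts", :default => 0
+ t.datetime "locked_at"
 end
 
 add_index "users", ["email"], :name => "index_users_on_email", :unique => true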