Merge pull request #1012 from NARKOZ/devise

Add 10 minutes lock after 10 failed login attempts (Devise :lockable)
This commit is contained in:
Dmitriy Zaporozhets 2012-07-06 08:18:18 -07:00
commit 4c24cabf47
10 changed files with 66 additions and 35 deletions

View file

@ -7,7 +7,7 @@ gem "sqlite3"
gem "mysql2" gem "mysql2"
# Auth # Auth
gem "devise", "~> 1.5" gem "devise", "~> 2.1.0"
# GITLAB patched libs # GITLAB patched libs
gem "grit", :git => "https://github.com/gitlabhq/grit.git", :ref => "7f35cb98ff17d534a07e3ce6ec3d580f67402837" gem "grit", :git => "https://github.com/gitlabhq/grit.git", :ref => "7f35cb98ff17d534a07e3ce6ec3d580f67402837"

View file

@ -148,10 +148,11 @@ GEM
nokogiri (>= 1.5.0) nokogiri (>= 1.5.0)
daemons (1.1.8) daemons (1.1.8)
database_cleaner (0.8.0) database_cleaner (0.8.0)
devise (1.5.3) devise (2.1.2)
bcrypt-ruby (~> 3.0) bcrypt-ruby (~> 3.0)
orm_adapter (~> 0.0.3) orm_adapter (~> 0.1)
warden (~> 1.1) railties (~> 3.1)
warden (~> 1.2.1)
diff-lcs (1.1.3) diff-lcs (1.1.3)
drapper (0.8.4) drapper (0.8.4)
email_spec (1.2.1) email_spec (1.2.1)
@ -225,7 +226,7 @@ GEM
omniauth (1.1.0) omniauth (1.1.0)
hashie (~> 1.2) hashie (~> 1.2)
rack rack
orm_adapter (0.0.7) orm_adapter (0.3.0)
polyglot (0.3.3) polyglot (0.3.3)
posix-spawn (0.3.6) posix-spawn (0.3.6)
pry (0.9.9.6) pry (0.9.9.6)
@ -356,7 +357,7 @@ GEM
raindrops (~> 0.7) raindrops (~> 0.7)
vegas (0.1.11) vegas (0.1.11)
rack (>= 1.0.0) rack (>= 1.0.0)
warden (1.2.0) warden (1.2.1)
rack (>= 1.0) rack (>= 1.0)
webmock (1.8.7) webmock (1.8.7)
addressable (>= 2.2.7) addressable (>= 2.2.7)
@ -383,7 +384,7 @@ DEPENDENCIES
colored colored
cucumber-rails cucumber-rails
database_cleaner database_cleaner
devise (~> 1.5) devise (~> 2.1.0)
drapper drapper
email_spec email_spec
ffaker ffaker

View file

@ -52,7 +52,7 @@ class ApplicationController < ActionController::Base
def layout_by_resource def layout_by_resource
if devise_controller? if devise_controller?
"devise" "devise_layout"
else else
"application" "application"
end end

View file

@ -1,7 +1,7 @@
class User < ActiveRecord::Base class User < ActiveRecord::Base
include Account include Account
devise :database_authenticatable, :token_authenticatable, devise :database_authenticatable, :token_authenticatable, :lockable,
:recoverable, :rememberable, :trackable, :validatable, :omniauthable :recoverable, :rememberable, :trackable, :validatable, :omniauthable
attr_accessible :email, :password, :password_confirmation, :remember_me, :bio, attr_accessible :email, :password, :password_confirmation, :remember_me, :bio,

View file

@ -93,10 +93,6 @@ Devise.setup do |config|
# If true, extends the user's remember period when remembered via cookie. # If true, extends the user's remember period when remembered via cookie.
# config.extend_remember_period = false # config.extend_remember_period = false
# If true, uses the password salt as remember token. This should be turned
# to false if you are not using database authenticatable.
config.use_salt_as_remember_token = true
# Options to be passed to the created cookie. For instance, you can set # Options to be passed to the created cookie. For instance, you can set
# :secure => true in order to force SSL only cookies. # :secure => true in order to force SSL only cookies.
# config.cookie_options = {} # config.cookie_options = {}
@ -119,7 +115,7 @@ Devise.setup do |config|
# Defines which strategy will be used to lock an account. # Defines which strategy will be used to lock an account.
# :failed_attempts = Locks an account after a number of failed attempts to sign in. # :failed_attempts = Locks an account after a number of failed attempts to sign in.
# :none = No lock strategy. You should handle locking by yourself. # :none = No lock strategy. You should handle locking by yourself.
# config.lock_strategy = :failed_attempts config.lock_strategy = :failed_attempts
# Defines which key will be used when locking and unlocking an account # Defines which key will be used when locking and unlocking an account
# config.unlock_keys = [ :email ] # config.unlock_keys = [ :email ]
@ -129,14 +125,14 @@ Devise.setup do |config|
# :time = Re-enables login after a certain amount of time (see :unlock_in below) # :time = Re-enables login after a certain amount of time (see :unlock_in below)
# :both = Enables both strategies # :both = Enables both strategies
# :none = No unlock strategy. You should handle unlocking by yourself. # :none = No unlock strategy. You should handle unlocking by yourself.
# config.unlock_strategy = :both config.unlock_strategy = :time
# Number of authentication tries before locking an account if lock_strategy # Number of authentication tries before locking an account if lock_strategy
# is failed attempts. # is failed attempts.
# config.maximum_attempts = 20 config.maximum_attempts = 10
# Time interval to unlock the account if :time is enabled as unlock_strategy. # Time interval to unlock the account if :time is enabled as unlock_strategy.
# config.unlock_in = 1.hour config.unlock_in = 10.minutes
# ==> Configuration for :recoverable # ==> Configuration for :recoverable
# #
@ -160,9 +156,9 @@ Devise.setup do |config|
# Defines name of the authentication token params key # Defines name of the authentication token params key
config.token_authentication_key = :private_token config.token_authentication_key = :private_token
# If true, authentication through token does not store user in session and needs # Authentication through token does not store user in session and needs
# to be supplied on each request. Useful if you are using the token as API token. # to be supplied on each request. Useful if you are using the token as API token.
config.stateless_token = true config.skip_session_storage << :token_auth
# ==> Scopes configuration # ==> Scopes configuration
# Turn scoped views on. Before rendering "sessions/new", it will first check for # Turn scoped views on. Before rendering "sessions/new", it will first check for

View file

@ -35,13 +35,11 @@ en:
confirmed: 'Your account was successfully confirmed. You are now signed in.' confirmed: 'Your account was successfully confirmed. You are now signed in.'
registrations: registrations:
signed_up: 'Welcome! You have signed up successfully.' signed_up: 'Welcome! You have signed up successfully.'
inactive_signed_up: 'You have signed up successfully. However, we could not sign you in because your account is %{reason}.'
updated: 'You updated your account successfully.' updated: 'You updated your account successfully.'
destroyed: 'Bye! Your account was successfully cancelled. We hope to see you again soon.' destroyed: 'Bye! Your account was successfully cancelled. We hope to see you again soon.'
reasons: signed_up_but_unconfirmed: 'A message with a confirmation link has been sent to your email address. Please open the link to activate your account.'
inactive: 'inactive' signed_up_but_inactive: 'You have signed up successfully. However, we could not sign you in because your account is not yet activated.'
unconfirmed: 'unconfirmed' signed_up_but_locked: 'You have signed up successfully. However, we could not sign you in because your account is locked.'
locked: 'locked'
unlocks: unlocks:
send_instructions: 'You will receive an email with instructions about how to unlock your account in a few minutes.' send_instructions: 'You will receive an email with instructions about how to unlock your account in a few minutes.'
unlocked: 'Your account was successfully unlocked. You are now signed in.' unlocked: 'Your account was successfully unlocked. You are now signed in.'

View file

@ -1,15 +1,43 @@
class DeviseCreateUsers < ActiveRecord::Migration class DeviseCreateUsers < ActiveRecord::Migration
def self.up def self.up
create_table(:users) do |t| create_table(:users) do |t|
t.database_authenticatable :null => false ## Database authenticatable
t.recoverable t.string :email, :null => false, :default => ""
t.rememberable t.string :encrypted_password, :null => false, :default => ""
t.trackable
# t.encryptable ## Recoverable
# t.confirmable t.string :reset_password_token
# t.lockable :lock_strategy => :failed_attempts, :unlock_strategy => :both t.datetime :reset_password_sent_at
# t.token_authenticatable
## Rememberable
t.datetime :remember_created_at
## Trackable
t.integer :sign_in_count, :default => 0
t.datetime :current_sign_in_at
t.datetime :last_sign_in_at
t.string :current_sign_in_ip
t.string :last_sign_in_ip
## Encryptable
# t.string :password_salt
## Confirmable
# t.string :confirmation_token
# t.datetime :confirmed_at
# t.datetime :confirmation_sent_at
# t.string :unconfirmed_email # Only if using reconfirmable
## Lockable
# t.integer :failed_attempts, :default => 0 # Only if lock strategy is :failed_attempts
# t.string :unlock_token # Only if unlock strategy is :email or :both
# t.datetime :locked_at
# Token authenticatable
# t.string :authentication_token
## Invitable
# t.string :invitation_token
t.timestamps t.timestamps
end end
@ -18,7 +46,7 @@ class DeviseCreateUsers < ActiveRecord::Migration
add_index :users, :reset_password_token, :unique => true add_index :users, :reset_password_token, :unique => true
# add_index :users, :confirmation_token, :unique => true # add_index :users, :confirmation_token, :unique => true
# add_index :users, :unlock_token, :unique => true # add_index :users, :unlock_token, :unique => true
# add_index :users, :authentication_token, :unique => true add_index :users, :authentication_token, :unique => true
end end
def self.down def self.down

View file

@ -0,0 +1,6 @@
class AddLockableToUsers < ActiveRecord::Migration
def change
add_column :users, :failed_attempts, :integer, :default => 0
add_column :users, :locked_at, :datetime
end
end

View file

@ -11,7 +11,7 @@
# #
# It's strongly recommended to check this file into your version control system. # It's strongly recommended to check this file into your version control system.
ActiveRecord::Schema.define(:version => 20120627145613) do ActiveRecord::Schema.define(:version => 20120706065612) do
create_table "events", :force => true do |t| create_table "events", :force => true do |t|
t.string "target_type" t.string "target_type"
@ -169,6 +169,8 @@ ActiveRecord::Schema.define(:version => 20120627145613) do
t.integer "theme_id", :default => 1, :null => false t.integer "theme_id", :default => 1, :null => false
t.string "bio" t.string "bio"
t.boolean "blocked", :default => false, :null => false t.boolean "blocked", :default => false, :null => false
t.integer "failed_attempts", :default => 0
t.datetime "locked_at"
end end
add_index "users", ["email"], :name => "index_users_on_email", :unique => true add_index "users", ["email"], :name => "index_users_on_email", :unique => true