Module: Devise::Models::Lockable

Extended by:
ActiveSupport::Concern
Defined in:
lib/devise/models/lockable.rb

Overview

Handles blocking a user access after a certain number of attempts. Lockable accepts two different strategies to unlock a user after it’s blocked: email and time. The former will send an email to the user when the lock happens, containing a link to unlock its account. The second will unlock the user automatically after some configured time (ie 2.hours). It’s also possible to set up lockable to use both email and time strategies.

Options

Lockable adds the following options to devise:

* +maximum_attempts+: how many attempts should be accepted before blocking the user.
* +lock_strategy+: lock the user account by :failed_attempts or :none.
* +unlock_strategy+: unlock the user account by :time, :email, :both or :none.
* +unlock_in+: the time you want to unlock the user after lock happens. Only available when unlock_strategy is :time or :both.
* +unlock_keys+: the keys you want to use when locking and unlocking an account

Defined Under Namespace

Modules: ClassMethods

Class Method Summary collapse

Instance Method Summary collapse

Class Method Details

.required_fields(klass) ⇒ Object



29
30
31
32
33
34
35
36
# File 'lib/devise/models/lockable.rb', line 29

def self.required_fields(klass)
  attributes = []
  attributes << :failed_attempts if klass.lock_strategy_enabled?(:failed_attempts)
  attributes << :locked_at if klass.unlock_strategy_enabled?(:time)
  attributes << :unlock_token if klass.unlock_strategy_enabled?(:email)

  attributes
end

Instance Method Details

#access_locked?Boolean

Verifies whether a user is locked or not.

Returns:

  • (Boolean)


69
70
71
# File 'lib/devise/models/lockable.rb', line 69

def access_locked?
  !!locked_at && !lock_expired?
end

#active_for_authentication?Boolean

Overwrites active_for_authentication? from Devise::Models::Activatable for locking purposes by verifying whether a user is active to sign in or not based on locked?

Returns:

  • (Boolean)


89
90
91
# File 'lib/devise/models/lockable.rb', line 89

def active_for_authentication?
  super && !access_locked?
end

#attempts_exceeded?Boolean (protected)

Returns:

  • (Boolean)


143
144
145
# File 'lib/devise/models/lockable.rb', line 143

def attempts_exceeded?
  self.failed_attempts >= self.class.maximum_attempts
end

#if_access_lockedObject (protected)

Checks whether the record is locked or not, yielding to the block if it’s locked, otherwise adds an error to email.



162
163
164
165
166
167
168
169
# File 'lib/devise/models/lockable.rb', line 162

def if_access_locked
  if access_locked?
    yield
  else
    self.errors.add(Devise.unlock_keys.first, :not_locked)
    false
  end
end

#inactive_messageObject

Overwrites invalid_message from Devise::Models::Authenticatable to define the correct reason for blocking the sign in.



95
96
97
# File 'lib/devise/models/lockable.rb', line 95

def inactive_message
  access_locked? ? :locked : super
end

#increment_failed_attemptsObject



122
123
124
125
# File 'lib/devise/models/lockable.rb', line 122

def increment_failed_attempts
  self.class.increment_counter(:failed_attempts, id)
  reload
end

#last_attempt?Boolean (protected)

Returns:

  • (Boolean)


147
148
149
# File 'lib/devise/models/lockable.rb', line 147

def last_attempt?
  self.failed_attempts == self.class.maximum_attempts - 1
end

#lock_access!(opts = { }) ⇒ Object

Lock a user setting its locked_at to actual time.

  • opts: Hash options if you don’t want to send email when you lock access, you could pass the next hash ‘{ send_instructions: false } as option`.



42
43
44
45
46
47
48
49
50
# File 'lib/devise/models/lockable.rb', line 42

def lock_access!(opts = { })
  self.locked_at = Time.now.utc

  if unlock_strategy_enabled?(:email) && opts.fetch(:send_instructions, true)
    send_unlock_instructions
  else
    save(validate: false)
  end
end

#lock_expired?Boolean (protected)

Tells if the lock is expired if :time unlock strategy is active

Returns:

  • (Boolean)


152
153
154
155
156
157
158
# File 'lib/devise/models/lockable.rb', line 152

def lock_expired?
  if unlock_strategy_enabled?(:time)
    locked_at && locked_at < self.class.unlock_in.ago
  else
    false
  end
end

#resend_unlock_instructionsObject

Resend the unlock instructions if the user is locked.



83
84
85
# File 'lib/devise/models/lockable.rb', line 83

def resend_unlock_instructions
  if_access_locked { send_unlock_instructions }
end

#reset_failed_attempts!Object

Resets failed attempts counter to 0.



61
62
63
64
65
66
# File 'lib/devise/models/lockable.rb', line 61

def reset_failed_attempts!
  if respond_to?(:failed_attempts) && !failed_attempts.to_i.zero?
    self.failed_attempts = 0
    save(validate: false)
  end
end

#send_unlock_instructionsObject

Send unlock instructions by email



74
75
76
77
78
79
80
# File 'lib/devise/models/lockable.rb', line 74

def send_unlock_instructions
  raw, enc = Devise.token_generator.generate(self.class, :unlock_token)
  self.unlock_token = enc
  save(validate: false)
  send_devise_notification(:unlock_instructions, raw, {})
  raw
end

#unauthenticated_messageObject



127
128
129
130
131
132
133
134
135
136
137
138
139
# File 'lib/devise/models/lockable.rb', line 127

def unauthenticated_message
  # If set to paranoid mode, do not show the locked message because it
  # leaks the existence of an account.
  if Devise.paranoid
    super
  elsif access_locked? || (lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?)
    :locked
  elsif lock_strategy_enabled?(:failed_attempts) && last_attempt? && self.class.last_attempt_warning
    :last_attempt
  else
    super
  end
end

#unlock_access!Object

Unlock a user by cleaning locked_at and failed_attempts.



53
54
55
56
57
58
# File 'lib/devise/models/lockable.rb', line 53

def unlock_access!
  self.locked_at = nil
  self.failed_attempts = 0 if respond_to?(:failed_attempts=)
  self.unlock_token = nil  if respond_to?(:unlock_token=)
  save(validate: false)
end

#valid_for_authentication?Boolean

Overwrites valid_for_authentication? from Devise::Models::Authenticatable for verifying whether a user is allowed to sign in or not. If the user is locked, it should never be allowed.

Returns:

  • (Boolean)


102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
# File 'lib/devise/models/lockable.rb', line 102

def valid_for_authentication?
  return super unless persisted? && lock_strategy_enabled?(:failed_attempts)

  # Unlock the user if the lock is expired, no matter
  # if the user can login or not (wrong password, etc)
  unlock_access! if lock_expired?

  if super && !access_locked?
    true
  else
    increment_failed_attempts
    if attempts_exceeded?
      lock_access! unless access_locked?
    else
      save(validate: false)
    end
    false
  end
end