Module: Devise::Models::PasswordExpirable

Extended by:

ActiveSupport::Concern

Defined in:

lib/devise-security/models/password_expirable.rb

Overview

PasswordExpirable makes passwords expire after a configurable amount of time, or on demand.

Configuration

Set expire_password_after to the number of seconds a password is valid for (example: 3.months). Setting it to true will allow passwords to be expired on-demand only, and false disables this feature.

Expire On-Demand

This is useful to force users to change passwords for complex business reasons. Call need_change_password to indicate a record needs a new password.

Defined Under Namespace

Modules: ClassMethods

Instance Method Summary

• #expire_password_after ⇒ Integer, ...
• #need_change_password ⇒ void (also: #expire_password, #request_password_change)

  Clear the password_changed_at field so that the user will be required to update their password.

• #need_change_password! ⇒ Boolean (also: #expire_password!, #request_password_change!)

  Clear the password_changed_at field so that the user will be required to update their password.

• #need_change_password? ⇒ Boolean, true

  Is a password change required?.

• #password_change_requested? ⇒ Boolean

  When password_changed_at is set to NULL in the database the user is required to change their password.

• #password_too_old? ⇒ Boolean (also: #password_expired?)

  Is this password older than the configured expiration timeout?.

Instance Method Details

#expire_password_after ⇒ Integer, ...

Returns:

• (Integer) —

  number of seconds passwords are valid for

• (true) —

  passwords are expired ‘on demand’ only.

• (false) —

  passwords never expire (this feature is disabled)

# File 'lib/devise-security/models/password_expirable.rb', line 62

def expire_password_after
  self.class.expire_password_after
end

#need_change_password ⇒ void Also known as: expire_password, request_password_change

Note:

Does not save the record

This method returns an undefined value.

Clear the password_changed_at field so that the user will be required to

update their password.

# File 'lib/devise-security/models/password_expirable.rb', line 52

def need_change_password
  return unless password_expiration_enabled?
  self.password_changed_at = nil
end

#need_change_password! ⇒ Boolean Also known as: expire_password!, request_password_change!

Note:

Saves the record (without validations)

Clear the password_changed_at field so that the user will be required to update their password.

Returns:

• (Boolean)

# File 'lib/devise-security/models/password_expirable.rb', line 40

def need_change_password!
  return unless password_expiration_enabled?
  need_change_password
  save(validate: false)
end

#need_change_password? ⇒ Boolean, true

Is a password change required?

Returns:

• (Boolean)
• (true) —

  if password_changed_at has not been set or if it is old enough based on expire_password_after configuration.

# File 'lib/devise-security/models/password_expirable.rb', line 32

def need_change_password?
  password_change_requested? || password_too_old?
end

#password_change_requested? ⇒ Boolean

When password_changed_at is set to NULL in the database the user is required to change their password. This only happens on demand or when the column is first added to the table.

Returns:

• (Boolean)

# File 'lib/devise-security/models/password_expirable.rb', line 70

def password_change_requested?
  return false unless password_expiration_enabled?
  return false if new_record?
  password_changed_at.nil?
end

#password_too_old? ⇒ Boolean Also known as: password_expired?

Is this password older than the configured expiration timeout?

Returns:

• (Boolean)

# File 'lib/devise-security/models/password_expirable.rb', line 78

def password_too_old?
  return false if new_record?
  return false unless password_expiration_enabled?
  return false if expire_password_on_demand?
  password_changed_at < expire_password_after.seconds.ago
end