Module: Devise::Models::SecurityNg

Extended by:

ActiveSupport::Concern

Defined in:

lib/devise_security_ng/model.rb

Defined Under Namespace

Modules: ClassMethods

Instance Method Summary

• #access_locked? ⇒ Boolean

  Verifies whether a user is locked or not.

• #active_for_authentication? ⇒ Boolean

  Overwrites active_for_authentication? from Devise::Models::Activatable.

• #inactive_message ⇒ Object

  Overwrites inactive_message from Devise::Models::Authenticatable.

• #lock_access! ⇒ Object

  Lock a user.

• #unauthenticated_message ⇒ Object
• #unlock_access! ⇒ Object

  Unlock a user by cleaning locked_at.

• #update_tracked_fields!(request) ⇒ Object

  Overwrites update_tracked_fields! from Devise::Models::Trackable to be able to verify if user successfully signed in.

• #valid_for_authentication? ⇒ Boolean

  Overwrites valid_for_authentication? from Devise::Models::Authenticatable for verifying whether a user is allowed to sign in or not.

Instance Method Details

#access_locked? ⇒ Boolean

Verifies whether a user is locked or not.

Returns:

• (Boolean)

# File 'lib/devise_security_ng/model.rb', line 21

def access_locked?
  !!locked_at && !lock_expired?
end

#active_for_authentication? ⇒ Boolean

Overwrites active_for_authentication? from Devise::Models::Activatable

Returns:

• (Boolean)

# File 'lib/devise_security_ng/model.rb', line 26

def active_for_authentication?
  super && !access_locked?
end

#inactive_message ⇒ Object

Overwrites inactive_message from Devise::Models::Authenticatable

# File 'lib/devise_security_ng/model.rb', line 31

def inactive_message
  access_locked? ? locked_message : super
end

#lock_access! ⇒ Object

Lock a user

# File 'lib/devise_security_ng/model.rb', line 9

def lock_access!
  self.locked_at = Time.current
  self.save!
end

#unauthenticated_message ⇒ Object

# File 'lib/devise_security_ng/model.rb', line 66

def unauthenticated_message
  # If set to paranoid mode, do not show the locked message because it
  # leaks the existence of an account.
  if Devise.paranoid
    super
  elsif access_locked? || attempts_exceeded?
    locked_message
  elsif last_attempt? && self.class.last_attempt_warning && !!self.lockable
    :last_attempt
  else
    super
  end
end

#unlock_access! ⇒ Object

Unlock a user by cleaning locked_at

# File 'lib/devise_security_ng/model.rb', line 15

def unlock_access!
  self.locked_at = nil
  self.save!
end

#update_tracked_fields!(request) ⇒ Object

Overwrites update_tracked_fields! from Devise::Models::Trackable to be able to verify if user successfully signed in

# File 'lib/devise_security_ng/model.rb', line 61

def update_tracked_fields!(request)
  self.login_attempts = 0
  super
end

#valid_for_authentication? ⇒ Boolean

Overwrites valid_for_authentication? from Devise::Models::Authenticatable for verifying whether a user is allowed to sign in or not. If the user is locked, it should never be allowed.

Returns:

• (Boolean)

# File 'lib/devise_security_ng/model.rb', line 38

def valid_for_authentication?
  # Unlock the user if the lock is expired, no matter
  # if the user can login or not (wrong password, etc)
  unlock_access! if lock_expired?

  if super && !access_locked?
    true
  else
    self.login_attempts ||= 0
    if !!self.lockable
      self.login_attempts += 1
    end
    if attempts_exceeded? && !access_locked?
      lock_access!
    else
      self.save!
    end
    false
  end
end