2017-12-21 17:36:29 +00:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2012-03-19 21:02:33 +00:00
|
|
|
require "devise/hooks/lockable"
|
|
|
|
|
2009-12-30 17:19:33 +00:00
|
|
|
module Devise
|
|
|
|
module Models
|
2010-01-24 23:22:45 +00:00
|
|
|
# Handles blocking a user access after a certain number of attempts.
|
|
|
|
# Lockable accepts two different strategies to unlock a user after it's
|
|
|
|
# blocked: email and time. The former will send an email to the user when
|
2011-08-16 20:06:13 +00:00
|
|
|
# the lock happens, containing a link to unlock its account. The second
|
2010-01-24 23:22:45 +00:00
|
|
|
# will unlock the user automatically after some configured time (ie 2.hours).
|
2016-02-02 18:00:17 +00:00
|
|
|
# It's also possible to set up lockable to use both email and time strategies.
|
2010-01-24 23:22:45 +00:00
|
|
|
#
|
2010-07-15 11:01:31 +00:00
|
|
|
# == Options
|
2010-01-24 23:22:45 +00:00
|
|
|
#
|
2011-08-16 15:00:44 +00:00
|
|
|
# Lockable adds the following options to +devise+:
|
2010-07-15 11:01:31 +00:00
|
|
|
#
|
|
|
|
# * +maximum_attempts+: how many attempts should be accepted before blocking the user.
|
|
|
|
# * +lock_strategy+: lock the user account by :failed_attempts or :none.
|
|
|
|
# * +unlock_strategy+: unlock the user account by :time, :email, :both or :none.
|
|
|
|
# * +unlock_in+: the time you want to lock the user after to lock happens. Only available when unlock_strategy is :time or :both.
|
2010-12-29 08:06:55 +00:00
|
|
|
# * +unlock_keys+: the keys you want to use when locking and unlocking an account
|
2010-01-24 23:22:45 +00:00
|
|
|
#
|
2009-12-30 17:19:33 +00:00
|
|
|
module Lockable
|
2010-03-29 21:44:47 +00:00
|
|
|
extend ActiveSupport::Concern
|
2009-12-30 17:19:33 +00:00
|
|
|
|
2014-02-25 16:42:55 +00:00
|
|
|
delegate :lock_strategy_enabled?, :unlock_strategy_enabled?, to: "self.class"
|
2010-03-31 09:54:11 +00:00
|
|
|
|
2012-02-20 11:20:19 +00:00
|
|
|
def self.required_fields(klass)
|
2012-03-13 18:50:13 +00:00
|
|
|
attributes = []
|
|
|
|
attributes << :failed_attempts if klass.lock_strategy_enabled?(:failed_attempts)
|
2012-06-23 01:31:56 +00:00
|
|
|
attributes << :locked_at if klass.unlock_strategy_enabled?(:time)
|
2012-03-13 18:50:13 +00:00
|
|
|
attributes << :unlock_token if klass.unlock_strategy_enabled?(:email)
|
|
|
|
|
|
|
|
attributes
|
2012-02-20 11:20:19 +00:00
|
|
|
end
|
|
|
|
|
2011-08-16 20:06:13 +00:00
|
|
|
# Lock a user setting its locked_at to actual time.
|
2013-12-24 00:46:15 +00:00
|
|
|
# * +opts+: Hash options if you don't want to send email
|
|
|
|
# when you lock access, you could pass the next hash
|
2014-02-25 16:42:55 +00:00
|
|
|
# `{ send_instructions: false } as option`.
|
2013-12-24 00:46:15 +00:00
|
|
|
def lock_access!(opts = { })
|
2011-11-09 20:25:48 +00:00
|
|
|
self.locked_at = Time.now.utc
|
2010-03-10 15:13:54 +00:00
|
|
|
|
2013-12-24 00:46:15 +00:00
|
|
|
if unlock_strategy_enabled?(:email) && opts.fetch(:send_instructions, true)
|
2010-01-24 01:40:32 +00:00
|
|
|
send_unlock_instructions
|
2012-06-11 20:52:10 +00:00
|
|
|
else
|
2014-02-25 16:42:55 +00:00
|
|
|
save(validate: false)
|
2009-12-30 17:19:33 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2012-03-17 01:06:43 +00:00
|
|
|
# Unlock a user by cleaning locked_at and failed_attempts.
|
2010-03-10 15:13:54 +00:00
|
|
|
def unlock_access!
|
2011-02-25 20:59:27 +00:00
|
|
|
self.locked_at = nil
|
|
|
|
self.failed_attempts = 0 if respond_to?(:failed_attempts=)
|
|
|
|
self.unlock_token = nil if respond_to?(:unlock_token=)
|
2014-02-25 16:42:55 +00:00
|
|
|
save(validate: false)
|
2009-12-30 17:19:33 +00:00
|
|
|
end
|
|
|
|
|
2010-01-24 23:22:45 +00:00
|
|
|
# Verifies whether a user is locked or not.
|
2010-03-10 15:13:54 +00:00
|
|
|
def access_locked?
|
2013-06-07 03:11:00 +00:00
|
|
|
!!locked_at && !lock_expired?
|
2009-12-30 17:19:33 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# Send unlock instructions by email
|
|
|
|
def send_unlock_instructions
|
2013-08-05 16:56:07 +00:00
|
|
|
raw, enc = Devise.token_generator.generate(self.class, :unlock_token)
|
|
|
|
self.unlock_token = enc
|
2016-04-26 19:16:11 +00:00
|
|
|
save(validate: false)
|
2013-08-05 16:56:07 +00:00
|
|
|
send_devise_notification(:unlock_instructions, raw, {})
|
|
|
|
raw
|
2009-12-30 17:19:33 +00:00
|
|
|
end
|
|
|
|
|
2010-01-24 23:22:45 +00:00
|
|
|
# Resend the unlock instructions if the user is locked.
|
2013-08-05 16:56:07 +00:00
|
|
|
def resend_unlock_instructions
|
2010-03-28 21:09:28 +00:00
|
|
|
if_access_locked { send_unlock_instructions }
|
2009-12-30 17:19:33 +00:00
|
|
|
end
|
|
|
|
|
2011-03-25 14:39:08 +00:00
|
|
|
# Overwrites active_for_authentication? from Devise::Models::Activatable for locking purposes
|
2011-02-06 15:34:31 +00:00
|
|
|
# by verifying whether a user is active to sign in or not based on locked?
|
2011-03-25 14:39:08 +00:00
|
|
|
def active_for_authentication?
|
2010-03-10 15:13:54 +00:00
|
|
|
super && !access_locked?
|
2009-12-30 17:19:33 +00:00
|
|
|
end
|
|
|
|
|
2010-01-24 01:40:32 +00:00
|
|
|
# Overwrites invalid_message from Devise::Models::Authenticatable to define
|
|
|
|
# the correct reason for blocking the sign in.
|
|
|
|
def inactive_message
|
2010-03-10 15:13:54 +00:00
|
|
|
access_locked? ? :locked : super
|
2010-01-24 01:40:32 +00:00
|
|
|
end
|
|
|
|
|
2009-12-30 17:19:33 +00:00
|
|
|
# Overwrites valid_for_authentication? from Devise::Models::Authenticatable
|
2011-02-06 15:34:31 +00:00
|
|
|
# for verifying whether a user is allowed to sign in or not. If the user
|
2009-12-30 17:19:33 +00:00
|
|
|
# is locked, it should never be allowed.
|
2010-03-29 21:44:47 +00:00
|
|
|
def valid_for_authentication?
|
2010-04-06 14:34:22 +00:00
|
|
|
return super unless persisted? && lock_strategy_enabled?(:failed_attempts)
|
2010-03-29 21:44:47 +00:00
|
|
|
|
2011-02-25 20:59:27 +00:00
|
|
|
# Unlock the user if the lock is expired, no matter
|
|
|
|
# if the user can login or not (wrong password, etc)
|
|
|
|
unlock_access! if lock_expired?
|
|
|
|
|
2011-12-29 18:25:16 +00:00
|
|
|
if super && !access_locked?
|
2011-11-05 21:54:40 +00:00
|
|
|
true
|
2011-11-05 21:47:58 +00:00
|
|
|
else
|
2017-12-21 18:49:09 +00:00
|
|
|
increment_failed_attempts
|
2010-03-29 21:44:47 +00:00
|
|
|
if attempts_exceeded?
|
2011-11-05 21:47:58 +00:00
|
|
|
lock_access! unless access_locked?
|
2011-02-18 08:45:18 +00:00
|
|
|
else
|
2014-02-25 16:42:55 +00:00
|
|
|
save(validate: false)
|
2010-03-29 21:44:47 +00:00
|
|
|
end
|
2011-11-05 21:54:40 +00:00
|
|
|
false
|
2009-12-30 17:19:33 +00:00
|
|
|
end
|
|
|
|
end
|
2017-12-21 18:49:09 +00:00
|
|
|
|
|
|
|
def increment_failed_attempts
|
2018-12-28 19:00:50 +00:00
|
|
|
self.class.increment_counter(:failed_attempts, id)
|
|
|
|
reload
|
2017-12-21 18:49:09 +00:00
|
|
|
end
|
2009-12-30 17:19:33 +00:00
|
|
|
|
2012-03-13 17:24:21 +00:00
|
|
|
def unauthenticated_message
|
2012-10-25 21:51:56 +00:00
|
|
|
# If set to paranoid mode, do not show the locked message because it
|
|
|
|
# leaks the existence of an account.
|
|
|
|
if Devise.paranoid
|
|
|
|
super
|
2014-05-15 21:57:18 +00:00
|
|
|
elsif access_locked? || (lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?)
|
|
|
|
:locked
|
2014-10-02 21:50:48 +00:00
|
|
|
elsif lock_strategy_enabled?(:failed_attempts) && last_attempt? && self.class.last_attempt_warning
|
2013-10-11 23:22:43 +00:00
|
|
|
:last_attempt
|
2012-03-13 17:24:21 +00:00
|
|
|
else
|
|
|
|
super
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2009-12-30 17:19:33 +00:00
|
|
|
protected
|
|
|
|
|
2010-03-29 21:44:47 +00:00
|
|
|
def attempts_exceeded?
|
2014-01-07 04:51:45 +00:00
|
|
|
self.failed_attempts >= self.class.maximum_attempts
|
2010-03-29 21:44:47 +00:00
|
|
|
end
|
|
|
|
|
2013-10-11 23:22:43 +00:00
|
|
|
def last_attempt?
|
2014-01-07 04:51:45 +00:00
|
|
|
self.failed_attempts == self.class.maximum_attempts - 1
|
2013-10-11 23:22:43 +00:00
|
|
|
end
|
|
|
|
|
2009-12-30 17:19:33 +00:00
|
|
|
# Tells if the lock is expired if :time unlock strategy is active
|
|
|
|
def lock_expired?
|
2010-03-31 09:54:11 +00:00
|
|
|
if unlock_strategy_enabled?(:time)
|
2010-01-24 01:40:32 +00:00
|
|
|
locked_at && locked_at < self.class.unlock_in.ago
|
2009-12-30 17:19:33 +00:00
|
|
|
else
|
|
|
|
false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# Checks whether the record is locked or not, yielding to the block
|
|
|
|
# if it's locked, otherwise adds an error to email.
|
2010-03-10 15:13:54 +00:00
|
|
|
def if_access_locked
|
|
|
|
if access_locked?
|
2009-12-30 17:19:33 +00:00
|
|
|
yield
|
|
|
|
else
|
2013-05-14 11:58:20 +00:00
|
|
|
self.errors.add(Devise.unlock_keys.first, :not_locked)
|
2009-12-30 17:19:33 +00:00
|
|
|
false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
module ClassMethods
|
2016-05-02 18:22:09 +00:00
|
|
|
# List of strategies that are enabled/supported if :both is used.
|
|
|
|
BOTH_STRATEGIES = [:time, :email]
|
|
|
|
|
2013-05-14 11:58:20 +00:00
|
|
|
# Attempt to find a user by its unlock keys. If a record is found, send new
|
2009-12-30 17:19:33 +00:00
|
|
|
# unlock instructions to it. If not user is found, returns a new user
|
|
|
|
# with an email not found error.
|
2013-05-14 11:58:20 +00:00
|
|
|
# Options must contain the user's unlock keys
|
2009-12-30 17:19:33 +00:00
|
|
|
def send_unlock_instructions(attributes={})
|
2012-03-17 01:06:43 +00:00
|
|
|
lockable = find_or_initialize_with_errors(unlock_keys, attributes, :not_found)
|
2013-08-05 16:56:07 +00:00
|
|
|
lockable.resend_unlock_instructions if lockable.persisted?
|
2012-03-17 01:06:43 +00:00
|
|
|
lockable
|
2009-12-30 17:19:33 +00:00
|
|
|
end
|
|
|
|
|
2011-08-16 20:06:13 +00:00
|
|
|
# Find a user by its unlock token and try to unlock it.
|
2009-12-30 17:19:33 +00:00
|
|
|
# If no user is found, returns a new user with an error.
|
|
|
|
# If the user is not locked, creates an error for the user
|
|
|
|
# Options must have the unlock_token
|
2010-03-10 15:13:54 +00:00
|
|
|
def unlock_access_by_token(unlock_token)
|
2013-08-05 16:56:07 +00:00
|
|
|
original_token = unlock_token
|
2013-08-06 09:55:13 +00:00
|
|
|
unlock_token = Devise.token_generator.digest(self, :unlock_token, unlock_token)
|
2013-08-05 16:56:07 +00:00
|
|
|
|
2010-03-10 15:13:54 +00:00
|
|
|
lockable = find_or_initialize_with_error_by(:unlock_token, unlock_token)
|
2010-03-28 20:26:07 +00:00
|
|
|
lockable.unlock_access! if lockable.persisted?
|
2013-08-06 09:55:13 +00:00
|
|
|
lockable.unlock_token = original_token
|
2009-12-30 17:19:33 +00:00
|
|
|
lockable
|
|
|
|
end
|
|
|
|
|
2010-03-28 21:09:28 +00:00
|
|
|
# Is the unlock enabled for the given unlock strategy?
|
|
|
|
def unlock_strategy_enabled?(strategy)
|
2016-04-29 21:31:33 +00:00
|
|
|
self.unlock_strategy == strategy ||
|
2016-05-02 18:22:09 +00:00
|
|
|
(self.unlock_strategy == :both && BOTH_STRATEGIES.include?(strategy))
|
2010-03-28 21:09:28 +00:00
|
|
|
end
|
|
|
|
|
2010-03-31 09:54:11 +00:00
|
|
|
# Is the lock enabled for the given lock strategy?
|
|
|
|
def lock_strategy_enabled?(strategy)
|
|
|
|
self.lock_strategy == strategy
|
|
|
|
end
|
|
|
|
|
2014-10-02 21:50:48 +00:00
|
|
|
Devise::Models.config(self, :maximum_attempts, :lock_strategy, :unlock_strategy, :unlock_in, :unlock_keys, :last_attempt_warning)
|
2009-12-30 17:19:33 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2010-01-24 01:40:32 +00:00
|
|
|
end
|