feat: add lockable functionality for user login attempts

2022-11-29 13:08:12 +05:30 · 2022-11-29 13:08:12 +05:30 · 4484dd6e08
commit 4484dd6e08
parent 4755031e1d
5 changed files with 30 additions and 13 deletions
--- a/app/models/super_admin.rb
+++ b/app/models/super_admin.rb
@ -13,8 +13,10 @@
 #  display_name           :string
 #  email                  :string
 #  encrypted_password     :string           default(""), not null
+#  failed_attempts        :integer
 #  last_sign_in_at        :datetime
 #  last_sign_in_ip        :string
+#  locked_at              :datetime
 #  message_signature      :text
 #  name                   :string           not null
 #  provider               :string           default("email"), not null
@ -28,6 +30,7 @@
 #  ui_settings            :jsonb
 #  uid                    :string           default(""), not null
 #  unconfirmed_email      :string
+#  unlock_token           :string
 #  created_at             :datetime         not null
 #  updated_at             :datetime         not null
 #
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -13,8 +13,10 @@
 #  display_name           :string
 #  email                  :string
 #  encrypted_password     :string           default(""), not null
+#  failed_attempts        :integer
 #  last_sign_in_at        :datetime
 #  last_sign_in_ip        :string
+#  locked_at              :datetime
 #  message_signature      :text
 #  name                   :string           not null
 #  provider               :string           default("email"), not null
@ -28,6 +30,7 @@
 #  ui_settings            :jsonb
 #  uid                    :string           default(""), not null
 #  unconfirmed_email      :string
+#  unlock_token           :string
 #  created_at             :datetime         not null
 #  updated_at             :datetime         not null
 #
@ -56,6 +59,7 @@ class User < ApplicationRecord
         :trackable,
         :validatable,
         :confirmable,
+         :lockable,
         :password_has_required_content

  # TODO: remove in a future version once online status is moved to account users
@ -170,10 +174,8 @@ class User < ApplicationRecord

  def push_event_data
    {
-      id: id,
-      name: name,
-      available_name: available_name,
-      avatar_url: avatar_url,
+      id: id, name: name,
+      available_name: available_name, avatar_url: avatar_url,
      type: 'user',
      availability_status: availability_status,
      thumbnail: avatar_url
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@ -170,32 +170,32 @@ Devise.setup do |config|
  # Defines which strategy will be used to lock an account.
  # :failed_attempts = Locks an account after a number of failed attempts to sign in.
  # :none            = No lock strategy. You should handle locking by yourself.
-  # config.lock_strategy = :failed_attempts
+  config.lock_strategy = :failed_attempts

  # Defines which key will be used when locking and unlocking an account
-  # config.unlock_keys = [:email]
+  config.unlock_keys = [:email]

  # Defines which strategy will be used to unlock an account.
  # :email = Sends an unlock link to the user email
  # :time  = Re-enables login after a certain amount of time (see :unlock_in below)
  # :both  = Enables both strategies
  # :none  = No unlock strategy. You should handle unlocking by yourself.
-  # config.unlock_strategy = :both
+  config.unlock_strategy = :both

  # Number of authentication tries before locking an account if lock_strategy
  # is failed attempts.
-  # config.maximum_attempts = 20
+  config.maximum_attempts = 5

  # Time interval to unlock the account if :time is enabled as unlock_strategy.
-  # config.unlock_in = 1.hour
+  config.unlock_in = 1.hour

  # Warn on the last attempt before the account is locked.
-  # config.last_attempt_warning = true
+  config.last_attempt_warning = true

  # ==> Configuration for :recoverable
  #
  # Defines which key will be used when recovering the password for an account
-  # config.reset_password_keys = [:email]
+  config.reset_password_keys = [:email]

  # Time interval you can reset your password with a reset password key.
  # Don't put a too small interval or your users won't have the time to
--- a/db/migrate/20221129072405_add_locked_at_in_users.rb
+++ b/db/migrate/20221129072405_add_locked_at_in_users.rb
@ -0,0 +1,9 @@
+class AddLockedAtInUsers < ActiveRecord::Migration[6.1]
+  def change
+    change_table :users, bulk: true do |t|
+      t.datetime :locked_at
+      t.integer :failed_attempts
+      t.string :unlock_token
+    end
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 2022_11_16_000514) do
+ActiveRecord::Schema.define(version: 2022_11_29_072405) do

  # These are extensions that must be enabled in order to support this database
  enable_extension "pg_stat_statements"
@ -399,7 +399,7 @@ ActiveRecord::Schema.define(version: 2022_11_16_000514) do
    t.datetime "agent_last_seen_at"
    t.jsonb "additional_attributes", default: {}
    t.bigint "contact_inbox_id"
-    t.uuid "uuid", default: -> { "gen_random_uuid()" }, null: false
+    t.uuid "uuid", default: -> { "public.gen_random_uuid()" }, null: false
    t.string "identifier"
    t.datetime "last_activity_at", default: -> { "CURRENT_TIMESTAMP" }, null: false
    t.bigint "team_id"
@ -836,6 +836,9 @@ ActiveRecord::Schema.define(version: 2022_11_16_000514) do
    t.jsonb "custom_attributes", default: {}
    t.string "type"
    t.text "message_signature"
+    t.datetime "locked_at"
+    t.integer "failed_attempts"
+    t.string "unlock_token"
    t.index ["email"], name: "index_users_on_email"
    t.index ["pubsub_token"], name: "index_users_on_pubsub_token", unique: true
    t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true