module Authenticate::Model::BruteForce
Protects against brute force attacks by locking accounts that have too many consecutive failed logins. Todo: email the user to allow unlocking via a token.
To enable brute force protection, set the config params shown below. Example:

    Authenticate.configure do |config|
      config.bad_login_lockout_period = 5.minutes
      config.max_consecutive_bad_logins_allowed = 3
    end
Columns

- failed_logins_count - each consecutive failed login increments this counter. Set back to 0 on successful login.
- lock_expires_at - datetime at which a locked account becomes available again.
Configuration

- max_consecutive_bad_logins_allowed - how many consecutive failed logins are allowed before the account is locked?
- bad_login_lockout_period - how long is the user locked out? nil indicates forever.
Methods

The following methods are added to your user model:

Public Class Methods

required_fields(_klass)

    # File lib/authenticate/model/brute_force.rb, line 35
    # Columns the user model must have for this module to work.
    def self.required_fields(_klass)
      [:failed_logins_count, :lock_expires_at]
    end

Public Instance Methods

lock!()

    # File lib/authenticate/model/brute_force.rb, line 45
    # Locks the account until now + bad_login_lockout_period and saves the
    # record immediately. The addition assumes a duration; a nil period
    # ("forever") is not handled here.
    def lock!
      update_attribute(:lock_expires_at, Time.now.utc + lockout_period)
    end

locked?()

    # File lib/authenticate/model/brute_force.rb, line 53
    def locked?
      !unlocked?
    end

register_failed_login!()

    # File lib/authenticate/model/brute_force.rb, line 39
    # Increments the counter and locks once it EXCEEDS (not reaches)
    # max_consecutive_bad_logins_allowed. The incremented counter is only
    # persisted when lock! runs or when the caller saves the record.
    def register_failed_login!
      self.failed_logins_count ||= 0
      self.failed_logins_count += 1
      lock! if self.failed_logins_count > max_bad_logins
    end

unlock!()

    # File lib/authenticate/model/brute_force.rb, line 49
    # Clears the lock and resets the failure counter.
    def unlock!
      update_attributes(failed_logins_count: 0, lock_expires_at: nil)
    end

unlocked?()

    # File lib/authenticate/model/brute_force.rb, line 57
    # Only checks whether a lock is set; it does not compare lock_expires_at
    # with the current time.
    def unlocked?
      lock_expires_at.nil?
    end

Private Instance Methods

lockout_period()

    # File lib/authenticate/model/brute_force.rb, line 67
    def lockout_period
      Authenticate.configuration.bad_login_lockout_period
    end

max_bad_logins()

    # File lib/authenticate/model/brute_force.rb, line 63
    def max_bad_logins
      Authenticate.configuration.max_consecutive_bad_logins_allowed
    end
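A self-contained walk-through of the lockout flow these methods implement, added here as an illustration and not part of the gem: an in-memory user replaces ActiveRecord, LockoutConfig, MemoryUser and attempt_login are assumed names, and the login flow around the module (expiring a stale lock, rejecting a locked user) is an assumption about how the rest of the gem uses it.

```ruby
# Constructed stand-in for the two Authenticate settings; the period is in
# seconds rather than an ActiveSupport duration such as 5.minutes.
LockoutConfig = Struct.new(:max_consecutive_bad_logins_allowed,
                           :bad_login_lockout_period)
# In-memory user carrying the same two columns the module requires.
class MemoryUser
  attr_reader :failed_logins_count, :lock_expires_at

  def initialize(password, config)
    @password = password
    @config = config
    @failed_logins_count = 0
    @lock_expires_at = nil
  end

  # Same predicate as the gem's locked?: a set lock_expires_at means locked.
  def locked?
    !@lock_expires_at.nil?
  end

  # Same threshold as the gem's register_failed_login!: the lock is set only
  # when the counter EXCEEDS the maximum, so max = 3 locks on the 4th failure.
  def register_failed_login!(now)
    @failed_logins_count += 1
    return if @failed_logins_count <= @config.max_consecutive_bad_logins_allowed
    @lock_expires_at = now + @config.bad_login_lockout_period
  end

  # Same as the gem's unlock!: clear both columns.
  def unlock!
    @failed_logins_count = 0
    @lock_expires_at = nil
  end

  # Login flow around the module (assumed, not the gem's): clear a lock whose
  # period has elapsed, reject a still-locked user, reset the counter on
  # success and count the failure otherwise. Returns :locked, :ok or :bad_password.
  def attempt_login(password, now = Time.now.utc)
    unlock! if locked? && @lock_expires_at <= now
    return :locked if locked?
    if password == @password
      @failed_logins_count = 0
      :ok
    else
      register_failed_login!(now)
      :bad_password
    end
  end
end
```

With max = 3 and a 300-second period, the fourth wrong password locks the user until exactly 300 seconds later; a correct password during the lock is still rejected.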