class DoorMat::Configuration

Attributes

add_email_success_url[RW]
allow_redirect_to_requested_url[RW]
allow_remember_me_feature[RW]
allow_sign_in_from_sign_up_form[RW]
allow_sign_up[RW]
change_password_success_url[RW]
confirm_email_success_url[RW]
crypto_bcrypt_cost[RW]
crypto_pbkdf2_iterations[RW]
crypto_pbkdf2_password_length[RW]
crypto_pbkdf2_salt_length[RW]
crypto_secure_compare_default_length[RW]
define_door_mat_routes[RW]
destroy_email_redirect_url[RW]
event_hook_after_confirm_email[RW]
event_hook_after_download_recovery_key[RW]
event_hook_after_failed_confirm_email[RW]
event_hook_after_failed_download_recovery_key[RW]
event_hook_after_failed_sign_in[RW]
event_hook_after_failed_sign_up[RW]
event_hook_after_sign_in[RW]
event_hook_after_sign_out[RW]
event_hook_after_sign_up[RW]
event_hook_before_confirm_email[RW]
event_hook_before_download_recovery_key[RW]
event_hook_before_sign_in[RW]
event_hook_before_sign_out[RW]
event_hook_before_sign_up[RW]
forgot_password_verification_mail_sent_url[RW]
leak_email_address_at_reconfirm[RW]
lockdown_default_redirect_url[RW]
logger[RW]
mailer_from_address[RW]
max_email_count_per_actor[RW]
password_less_sessions[RW]
password_reconfirm_delay[RW]
plausible_deniability_count[RW]
private_computer_access_session_timeout[RW]
public_computer_access_session_timeout[RW]
reconfirm_password_success_url[RW]
remember_me_max_day_count[RW]
remember_me_require_private_computer_confirmation[RW]
resend_email_confirmation_redirect_url[RW]
set_primary_email_redirect_url[RW]
sign_in_success_url[RW]
sign_out_success_url[RW]
sign_up_success_url[RW]
transmit_cookies_only_over_https[RW]

Public Class Methods

new()
# File lib/door_mat/configuration.rb, line 56
# Sets every DoorMat configuration attribute to its default value.
# The host application overrides these in its initializer
# (config/initializers/door_mat.rb is referenced below); the
# comments on each default explain the trade-off it encodes.
def initialize
  # Placeholder sender address for engine mail; presumably meant to be
  # overridden by the host application.
  @mailer_from_address = "noreply@example.com"

  # Controllers that require_password_reconfirm will only
  # allow the user in without requesting an additional sign-in if the user password
  # was last entered less than password_reconfirm_delay
  # minutes ago.
  # All sections of the site allowing access to or modification
  # of sensitive information or settings should be protected this way.
  # This includes operations resulting in
  # a financial transaction using stored or pre-authorized payment methods.
  @password_reconfirm_delay = 5

  # A session from a public computer will only last
  # until the browser is closed and will timeout
  # after public_computer_access_session_timeout
  # minutes of inactivity.
  @public_computer_access_session_timeout = 30

  # A session from a private computer will survive
  # a browser restart but will expire in the
  # browser and timeout on the system
  # after private_computer_access_session_timeout
  # minutes of inactivity.
  @private_computer_access_session_timeout = 60


  # To prevent email flooding, a new recovery-password link
  # will only be sent after the specified delay.
  # NOTE(review): this attribute and the next one are not in the
  # attribute list documented for this class (no accessor shown), so
  # they may not be overridable from the initializer — confirm.
  @forgot_password_link_request_delay_minutes = 30

  # Password recovery links older than this delay become invalid
  @forgot_password_link_expiration_delay_minutes = 30

  # Does the system allow the remember me feature?
  # High value target systems such as financial sites
  # should not allow the remember me feature.
  # Even when this feature is enabled, sensitive areas of the site
  # should require users to re-authenticate using a
  # before_action -> {require_password_reconfirm()}
  # filter
  @allow_remember_me_feature = false

  # As a safety reminder, the user must confirm that they
  # are not logging in from a public computer before enabling
  # the remember me feature
  @remember_me_require_private_computer_confirmation = true

  # A session from a private computer for which the
  # cookie will remain for a number of days specified
  # by remember_me_max_day_count and automatically
  # renew the session for that period of time
  @remember_me_max_day_count = 30

  # Do not pre-populate the email address field
  # in the sign_in form while doing a password reconfirmation
  # as it could be considered to leak the information about which
  # email address was used to login to the system before the reconfirmation request
  @leak_email_address_at_reconfirm = false

  # How many different accounts a single email address can be associated with on the system
  @plausible_deniability_count = 1

  # How many different emails can be linked to an actor
  @max_email_count_per_actor = 2

  # Production systems should eventually redefine their own routes explicitly
  # instead of relying on those provided by the engine
  @define_door_mat_routes = true

  # Whether, after authentication, the user may be sent back to the
  # URL that was originally requested instead of sign_in_success_url.
  # NOTE(review): when enabled, the stored requested URL should be
  # validated as a local path before redirecting (open-redirect risk)
  # — confirm the controller performs this check.
  @allow_redirect_to_requested_url = true

  # When specifying redirects in
  # config/initializers/door_mat.rb you can use:
  # [ :main_app, :__path__ ] or [:__engine_name_, :__path__] respectively to redirect to an
  # existing path defined in your main application or loaded engine.
  # [:main_app, :root_url] to redirect to the root of your main application.
  # [ :request, :referer ] for an alternative to redirect_to :back.
  # Single-element arrays below name a route helper of the engine itself.
  @lockdown_default_redirect_url = [ :request, :referer ]
  @sign_up_success_url = [ :sign_up_success_url ]
  @sign_in_success_url = [ :sign_in_success_url ]
  @add_email_success_url = [ :add_email_success_url ]
  @destroy_email_redirect_url = [ :request, :referer ]
  @set_primary_email_redirect_url = [ :request, :referer ]
  @resend_email_confirmation_redirect_url = [ :request, :referer ]
  @confirm_email_success_url = [ :confirm_email_success_url ]
  @reconfirm_password_success_url = [ :reconfirm_password_success_url ]
  @change_password_success_url = [ :change_password_success_url ]
  @sign_out_success_url = [ :sign_out_success_url ]
  @forgot_password_verification_mail_sent_url = [ :forgot_password_verification_mail_sent_url ]

  # Self-service registration is on by default; the sign-up form does
  # not double as a sign-in form unless the second flag is enabled.
  @allow_sign_up = true
  @allow_sign_in_from_sign_up_form = false

  # Session/remember-me cookies are marked Secure so browsers never
  # send them over plain HTTP; only disable this for local development.
  @transmit_cookies_only_over_https = true

  # PBKDF2 parameters (byte lengths and iteration count).
  # NOTE(review): 10_000 iterations is well below current guidance for
  # PBKDF2; consider raising it in the initializer — confirm whether the
  # iteration count is stored alongside existing derived keys first.
  @crypto_pbkdf2_salt_length = 32
  @crypto_pbkdf2_password_length = 32
  @crypto_pbkdf2_iterations = 10_000

  # bcrypt work factor (log2 of the number of rounds).
  @crypto_bcrypt_cost = 12

  # Presumably the length inputs are padded to before a constant-time
  # comparison, so the comparison time does not reveal length — confirm.
  @crypto_secure_compare_default_length = 1024


  # Lifecycle hooks. Each is an Array, empty by default; the host
  # application appends its own handlers. Only the after_confirm_email
  # hook documents its argument (below); the others are not documented here.
  @event_hook_before_sign_up = []
  @event_hook_after_sign_up = []
  @event_hook_after_failed_sign_up = []
  @event_hook_before_sign_in = []
  @event_hook_after_sign_in = []
  @event_hook_after_failed_sign_in = []
  @event_hook_before_confirm_email = []
  @event_hook_after_confirm_email = [] # The confirmed DoorMat::Email is passed as function argument
  @event_hook_after_failed_confirm_email = []
  @event_hook_before_download_recovery_key = []
  @event_hook_after_download_recovery_key = []
  @event_hook_after_failed_download_recovery_key = []
  @event_hook_before_sign_out = []
  @event_hook_after_sign_out = []

  # Defaults to the host application's Rails logger.
  @logger = Rails.logger

  # By default, there are no password less sessions defined
  # see test_app/config/initializers/door_mat.rb for sample usage
  @password_less_sessions = {}

end