rept
Reputation: 2236
Manually lock an account in Devise
I have set up 2-factor authentication and I also have lockable activated in devise (with 10 minute timeout).
The lockable works fine, but I want it to work for the 2fa code too.
2 questions with this:
- Can I use the counter in devise to be increase when a wrong tfa code is entered? Or would this reset because for Devise the user is already signed in. (I use the 2fa by doing a before_action in the ApplicationController.
- If I can't use the Devise counter I'll save the failed attempts in the session, how can I manually lock a user after X wrong attempts?
Upvotes: 2
Views: 2302
Answers (1)
rylanb
Reputation: 614
Part 1: You could look at adding a new column to the user model to track the # of 2FA attempts and tick that up. But you run into a LOT of what-ifs almost immediately. What if they stop, come back, re-authenticate properly? Make sure to reset that count so it doesn't fail them faster next time, for one example.
Part 2: Manually locking is done with lock_access! call on the user instance variable.
Upvotes: 4
Related Questions
- How to lock users using Devise?
- Is There a Way to Show Devise 'Lockable' Link Only if User Account is Locked?
- Preventing password reuse with Devise
- Devise lockable - How to unlock account using unlock_in
- How to use Devise lockable functionality outside of devise controller or method?
- How to integrate Devise REST API Login with lockable
- Locking a user using a per-user `maximum_attempts` value with Devise for Rails
- rails devise trigger lock of lockable
- Devise -- how to lock an account with lockable?
- rails 3, using Devise, how add :lockable after the fact?