Lock account by brute force attack (#3995)
Après un certain nombre d'authentifications infructueuses, le compte utilisateur est temporairement verrouillé
This commit is contained in:
Pierre de La Morinerie
GitHub
commit
7be022ff48
8 changed files with 62 additions and 13 deletions
|
|
@ -15,9 +15,14 @@ class Users::SessionsController < Sessions::SessionsController
|
|||
# POST /resource/sign_in
|
||||
def create
|
||||
remember_me = params[:user][:remember_me] == '1'
|
||||
try_to_authenticate(User, remember_me)
|
||||
try_to_authenticate(Gestionnaire, remember_me)
|
||||
try_to_authenticate(Administrateur, remember_me)
|
||||
|
||||
if resource_locked?(try_to_authenticate(User, remember_me)) ||
|
||||
resource_locked?(try_to_authenticate(Gestionnaire, remember_me)) ||
|
||||
resource_locked?(try_to_authenticate(Administrateur, remember_me))
|
||||
flash.alert = 'Votre compte est verrouillé.'
|
||||
new
|
||||
return render :new, status: 401
|
||||
end
|
||||
|
||||
if user_signed_in?
|
||||
current_user.update(loged_in_with_france_connect: nil)
|
||||
|
|
@ -109,5 +114,10 @@ class Users::SessionsController < Sessions::SessionsController
|
|||
resource.force_sync_credentials
|
||||
end
|
||||
end
|
||||
resource
|
||||
end
|
||||
|
||||
def resource_locked?(resource)
|
||||
resource.present? && resource.access_locked?
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@ class Administrateur < ApplicationRecord
|
|||
include ActiveRecord::SecureToken
|
||||
|
||||
devise :database_authenticatable, :registerable, :async,
|
||||
:recoverable, :rememberable, :trackable, :validatable
|
||||
:recoverable, :rememberable, :trackable, :validatable, :lockable
|
||||
|
||||
has_and_belongs_to_many :gestionnaires
|
||||
has_many :administrateurs_procedures
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
class Administration < ApplicationRecord
|
||||
# Include default devise modules. Others available are:
|
||||
# :confirmable, :lockable, :timeoutable and :omniauthable
|
||||
devise :database_authenticatable, :rememberable, :trackable, :validatable, :omniauthable, :async, omniauth_providers: [:github]
|
||||
devise :database_authenticatable, :rememberable, :trackable, :validatable, :omniauthable, :lockable, :async, omniauth_providers: [:github]
|
||||
|
||||
def self.from_omniauth(params)
|
||||
find_by(email: params["info"]["email"])
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ class Gestionnaire < ApplicationRecord
|
|||
include EmailSanitizableConcern
|
||||
|
||||
devise :database_authenticatable, :registerable, :async,
|
||||
:recoverable, :rememberable, :trackable, :validatable
|
||||
:recoverable, :rememberable, :trackable, :validatable, :lockable
|
||||
|
||||
has_and_belongs_to_many :administrateurs
|
||||
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ class User < ApplicationRecord
|
|||
# Include default devise modules. Others available are:
|
||||
# :confirmable, :lockable, :timeoutable and :omniauthable
|
||||
devise :database_authenticatable, :registerable, :async,
|
||||
:recoverable, :rememberable, :trackable, :validatable, :confirmable
|
||||
:recoverable, :rememberable, :trackable, :validatable, :confirmable, :lockable
|
||||
|
||||
has_many :dossiers, dependent: :destroy
|
||||
has_many :invites, dependent: :destroy
|
||||
|
|
|
|||
|
|
@ -161,27 +161,27 @@ Devise.setup do |config|
|
|||
# Defines which strategy will be used to lock an account.
|
||||
# :failed_attempts = Locks an account after a number of failed attempts to sign in.
|
||||
# :none = No lock strategy. You should handle locking by yourself.
|
||||
# config.lock_strategy = :failed_attempts
|
||||
config.lock_strategy = :failed_attempts
|
||||
|
||||
# Defines which key will be used when locking and unlocking an account
|
||||
# config.unlock_keys = [ :email ]
|
||||
config.unlock_keys = [:email]
|
||||
|
||||
# Defines which strategy will be used to unlock an account.
|
||||
# :email = Sends an unlock link to the user email
|
||||
# :time = Re-enables login after a certain amount of time (see :unlock_in below)
|
||||
# :both = Enables both strategies
|
||||
# :none = No unlock strategy. You should handle unlocking by yourself.
|
||||
# config.unlock_strategy = :both
|
||||
config.unlock_strategy = :both
|
||||
|
||||
# Number of authentication tries before locking an account if lock_strategy
|
||||
# is failed attempts.
|
||||
# config.maximum_attempts = 20
|
||||
config.maximum_attempts = 6
|
||||
|
||||
# Time interval to unlock the account if :time is enabled as unlock_strategy.
|
||||
# config.unlock_in = 1.hour
|
||||
config.unlock_in = 1.hour
|
||||
|
||||
# Warn on the last attempt before the account is locked.
|
||||
# config.last_attempt_warning = true
|
||||
config.last_attempt_warning = true
|
||||
|
||||
# ==> Configuration for :recoverable
|
||||
#
|
||||
|
|
|
|||
23
db/migrate/20190522131959_add_lockable_to_devise.rb
Normal file
23
db/migrate/20190522131959_add_lockable_to_devise.rb
Normal file
|
|
@ -0,0 +1,23 @@
|
|||
class AddLockableToDevise < ActiveRecord::Migration[5.2]
|
||||
def change
|
||||
add_column :users, :failed_attempts, :integer, default: 0, null: false
|
||||
add_column :users, :unlock_token, :string
|
||||
add_column :users, :locked_at, :datetime
|
||||
add_index :users, :unlock_token, unique: true
|
||||
|
||||
add_column :gestionnaires, :failed_attempts, :integer, default: 0, null: false
|
||||
add_column :gestionnaires, :unlock_token, :string
|
||||
add_column :gestionnaires, :locked_at, :datetime
|
||||
add_index :gestionnaires, :unlock_token, unique: true
|
||||
|
||||
add_column :administrateurs, :failed_attempts, :integer, default: 0, null: false
|
||||
add_column :administrateurs, :unlock_token, :string
|
||||
add_column :administrateurs, :locked_at, :datetime
|
||||
add_index :administrateurs, :unlock_token, unique: true
|
||||
|
||||
add_column :administrations, :failed_attempts, :integer, default: 0, null: false
|
||||
add_column :administrations, :unlock_token, :string
|
||||
add_column :administrations, :locked_at, :datetime
|
||||
add_index :administrations, :unlock_token, unique: true
|
||||
end
|
||||
end
|
||||
16
db/schema.rb
16
db/schema.rb
|
|
@ -63,8 +63,12 @@ ActiveRecord::Schema.define(version: 2019_07_17_151228) do
|
|||
t.boolean "active", default: false
|
||||
t.jsonb "features", default: {}, null: false
|
||||
t.string "encrypted_token"
|
||||
t.integer "failed_attempts", default: 0, null: false
|
||||
t.string "unlock_token"
|
||||
t.datetime "locked_at"
|
||||
t.index ["email"], name: "index_administrateurs_on_email", unique: true
|
||||
t.index ["reset_password_token"], name: "index_administrateurs_on_reset_password_token", unique: true
|
||||
t.index ["unlock_token"], name: "index_administrateurs_on_unlock_token", unique: true
|
||||
end
|
||||
|
||||
create_table "administrateurs_gestionnaires", id: false, force: :cascade do |t|
|
||||
|
|
@ -100,8 +104,12 @@ ActiveRecord::Schema.define(version: 2019_07_17_151228) do
|
|||
t.string "last_sign_in_ip"
|
||||
t.datetime "created_at"
|
||||
t.datetime "updated_at"
|
||||
t.integer "failed_attempts", default: 0, null: false
|
||||
t.string "unlock_token"
|
||||
t.datetime "locked_at"
|
||||
t.index ["email"], name: "index_administrations_on_email", unique: true
|
||||
t.index ["reset_password_token"], name: "index_administrations_on_reset_password_token", unique: true
|
||||
t.index ["unlock_token"], name: "index_administrations_on_unlock_token", unique: true
|
||||
end
|
||||
|
||||
create_table "assign_tos", id: :serial, force: :cascade do |t|
|
||||
|
|
@ -399,8 +407,12 @@ ActiveRecord::Schema.define(version: 2019_07_17_151228) do
|
|||
t.text "encrypted_login_token"
|
||||
t.datetime "login_token_created_at"
|
||||
t.jsonb "features", default: {"enable_email_login_token"=>true}, null: false
|
||||
t.integer "failed_attempts", default: 0, null: false
|
||||
t.string "unlock_token"
|
||||
t.datetime "locked_at"
|
||||
t.index ["email"], name: "index_gestionnaires_on_email", unique: true
|
||||
t.index ["reset_password_token"], name: "index_gestionnaires_on_reset_password_token", unique: true
|
||||
t.index ["unlock_token"], name: "index_gestionnaires_on_unlock_token", unique: true
|
||||
end
|
||||
|
||||
create_table "individuals", id: :serial, force: :cascade do |t|
|
||||
|
|
@ -605,10 +617,14 @@ ActiveRecord::Schema.define(version: 2019_07_17_151228) do
|
|||
t.string "confirmation_token"
|
||||
t.datetime "confirmed_at"
|
||||
t.datetime "confirmation_sent_at"
|
||||
t.integer "failed_attempts", default: 0, null: false
|
||||
t.string "unlock_token"
|
||||
t.datetime "locked_at"
|
||||
t.text "unconfirmed_email"
|
||||
t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
|
||||
t.index ["email"], name: "index_users_on_email", unique: true
|
||||
t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
|
||||
t.index ["unlock_token"], name: "index_users_on_unlock_token", unique: true
|
||||
end
|
||||
|
||||
create_table "virus_scans", force: :cascade do |t|
|
||||
|
|
|
|||
Loading…
Reference in a new issue