DGNum/demarches-normaliennes
15
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

Lock account by brute force attack (#3995)

Browse source 
Après un certain nombre d'authentifications infructueuses, le compte utilisateur est temporairement verrouillé
This commit is contained in:
Pierre de La Morinerie 2019-07-29 18:01:32 +02:00 committed by GitHub
commit 7be022ff48
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 62 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
app/controllers/users/sessions_controller.rb
View file

@ -15,9 +15,14 @@ class Users::SessionsController < Sessions::SessionsController
# POST /resource/sign_in # POST /resource/sign_in
def create def create
remember_me = params[:user][:remember_me] == '1' remember_me = params[:user][:remember_me] == '1'
try_to_authenticate(User, remember_me)
try_to_authenticate(Gestionnaire, remember_me) if resource_locked?(try_to_authenticate(User, remember_me)) ||
try_to_authenticate(Administrateur, remember_me) resource_locked?(try_to_authenticate(Gestionnaire, remember_me)) ||
resource_locked?(try_to_authenticate(Administrateur, remember_me))
flash.alert = 'Votre compte est verrouillé.'
new
return render :new, status: 401
end
if user_signed_in? if user_signed_in?
current_user.update(loged_in_with_france_connect: nil) current_user.update(loged_in_with_france_connect: nil)
@ -109,5 +114,10 @@ class Users::SessionsController < Sessions::SessionsController
resource.force_sync_credentials resource.force_sync_credentials
end end
end end
resource
end
def resource_locked?(resource)
resource.present? && resource.access_locked?
end end
end end

2
app/models/administrateur.rb
View file

@ -4,7 +4,7 @@ class Administrateur < ApplicationRecord
include ActiveRecord::SecureToken include ActiveRecord::SecureToken
devise :database_authenticatable, :registerable, :async, devise :database_authenticatable, :registerable, :async,
:recoverable, :rememberable, :trackable, :validatable :recoverable, :rememberable, :trackable, :validatable, :lockable
has_and_belongs_to_many :gestionnaires has_and_belongs_to_many :gestionnaires
has_many :administrateurs_procedures has_many :administrateurs_procedures

2
app/models/administration.rb
View file

@ -1,7 +1,7 @@
class Administration < ApplicationRecord class Administration < ApplicationRecord
# Include default devise modules. Others available are: # Include default devise modules. Others available are:
# :confirmable, :lockable, :timeoutable and :omniauthable # :confirmable, :lockable, :timeoutable and :omniauthable
devise :database_authenticatable, :rememberable, :trackable, :validatable, :omniauthable, :async, omniauth_providers: [:github] devise :database_authenticatable, :rememberable, :trackable, :validatable, :omniauthable, :lockable, :async, omniauth_providers: [:github]
def self.from_omniauth(params) def self.from_omniauth(params)
find_by(email: params["info"]["email"]) find_by(email: params["info"]["email"])

2
app/models/gestionnaire.rb
View file

@ -3,7 +3,7 @@ class Gestionnaire < ApplicationRecord
include EmailSanitizableConcern include EmailSanitizableConcern
devise :database_authenticatable, :registerable, :async, devise :database_authenticatable, :registerable, :async,
:recoverable, :rememberable, :trackable, :validatable :recoverable, :rememberable, :trackable, :validatable, :lockable
has_and_belongs_to_many :administrateurs has_and_belongs_to_many :administrateurs

2
app/models/user.rb
View file

@ -10,7 +10,7 @@ class User < ApplicationRecord
# Include default devise modules. Others available are: # Include default devise modules. Others available are:
# :confirmable, :lockable, :timeoutable and :omniauthable # :confirmable, :lockable, :timeoutable and :omniauthable
devise :database_authenticatable, :registerable, :async, devise :database_authenticatable, :registerable, :async,
:recoverable, :rememberable, :trackable, :validatable, :confirmable :recoverable, :rememberable, :trackable, :validatable, :confirmable, :lockable
has_many :dossiers, dependent: :destroy has_many :dossiers, dependent: :destroy
has_many :invites, dependent: :destroy has_many :invites, dependent: :destroy

12
config/initializers/devise.rb
View file

@ -161,27 +161,27 @@ Devise.setup do |config|
# Defines which strategy will be used to lock an account. # Defines which strategy will be used to lock an account.
# :failed_attempts = Locks an account after a number of failed attempts to sign in. # :failed_attempts = Locks an account after a number of failed attempts to sign in.
# :none = No lock strategy. You should handle locking by yourself. # :none = No lock strategy. You should handle locking by yourself.
# config.lock_strategy = :failed_attempts config.lock_strategy = :failed_attempts
# Defines which key will be used when locking and unlocking an account # Defines which key will be used when locking and unlocking an account
# config.unlock_keys = [ :email ] config.unlock_keys = [:email]
# Defines which strategy will be used to unlock an account. # Defines which strategy will be used to unlock an account.
# :email = Sends an unlock link to the user email # :email = Sends an unlock link to the user email
# :time = Re-enables login after a certain amount of time (see :unlock_in below) # :time = Re-enables login after a certain amount of time (see :unlock_in below)
# :both = Enables both strategies # :both = Enables both strategies
# :none = No unlock strategy. You should handle unlocking by yourself. # :none = No unlock strategy. You should handle unlocking by yourself.
# config.unlock_strategy = :both config.unlock_strategy = :both
# Number of authentication tries before locking an account if lock_strategy # Number of authentication tries before locking an account if lock_strategy
# is failed attempts. # is failed attempts.
# config.maximum_attempts = 20 config.maximum_attempts = 6
# Time interval to unlock the account if :time is enabled as unlock_strategy. # Time interval to unlock the account if :time is enabled as unlock_strategy.
# config.unlock_in = 1.hour config.unlock_in = 1.hour
# Warn on the last attempt before the account is locked. # Warn on the last attempt before the account is locked.
# config.last_attempt_warning = true config.last_attempt_warning = true
# ==> Configuration for :recoverable # ==> Configuration for :recoverable
# #

23
db/migrate/20190522131959_add_lockable_to_devise.rb Normal file
View file

@ -0,0 +1,23 @@
class AddLockableToDevise < ActiveRecord::Migration[5.2]
def change
add_column :users, :failed_attempts, :integer, default: 0, null: false
add_column :users, :unlock_token, :string
add_column :users, :locked_at, :datetime
add_index :users, :unlock_token, unique: true
add_column :gestionnaires, :failed_attempts, :integer, default: 0, null: false
add_column :gestionnaires, :unlock_token, :string
add_column :gestionnaires, :locked_at, :datetime
add_index :gestionnaires, :unlock_token, unique: true
add_column :administrateurs, :failed_attempts, :integer, default: 0, null: false
add_column :administrateurs, :unlock_token, :string
add_column :administrateurs, :locked_at, :datetime
add_index :administrateurs, :unlock_token, unique: true
add_column :administrations, :failed_attempts, :integer, default: 0, null: false
add_column :administrations, :unlock_token, :string
add_column :administrations, :locked_at, :datetime
add_index :administrations, :unlock_token, unique: true
end
end

16
db/schema.rb
View file

@ -63,8 +63,12 @@ ActiveRecord::Schema.define(version: 2019_07_17_151228) do
t.boolean "active", default: false t.boolean "active", default: false
t.jsonb "features", default: {}, null: false t.jsonb "features", default: {}, null: false
t.string "encrypted_token" t.string "encrypted_token"
t.integer "failed_attempts", default: 0, null: false
t.string "unlock_token"
t.datetime "locked_at"
t.index ["email"], name: "index_administrateurs_on_email", unique: true t.index ["email"], name: "index_administrateurs_on_email", unique: true
t.index ["reset_password_token"], name: "index_administrateurs_on_reset_password_token", unique: true t.index ["reset_password_token"], name: "index_administrateurs_on_reset_password_token", unique: true
t.index ["unlock_token"], name: "index_administrateurs_on_unlock_token", unique: true
end end
create_table "administrateurs_gestionnaires", id: false, force: :cascade do |t| create_table "administrateurs_gestionnaires", id: false, force: :cascade do |t|
@ -100,8 +104,12 @@ ActiveRecord::Schema.define(version: 2019_07_17_151228) do
t.string "last_sign_in_ip" t.string "last_sign_in_ip"
t.datetime "created_at" t.datetime "created_at"
t.datetime "updated_at" t.datetime "updated_at"
t.integer "failed_attempts", default: 0, null: false
t.string "unlock_token"
t.datetime "locked_at"
t.index ["email"], name: "index_administrations_on_email", unique: true t.index ["email"], name: "index_administrations_on_email", unique: true
t.index ["reset_password_token"], name: "index_administrations_on_reset_password_token", unique: true t.index ["reset_password_token"], name: "index_administrations_on_reset_password_token", unique: true
t.index ["unlock_token"], name: "index_administrations_on_unlock_token", unique: true
end end
create_table "assign_tos", id: :serial, force: :cascade do |t| create_table "assign_tos", id: :serial, force: :cascade do |t|
@ -399,8 +407,12 @@ ActiveRecord::Schema.define(version: 2019_07_17_151228) do
t.text "encrypted_login_token" t.text "encrypted_login_token"
t.datetime "login_token_created_at" t.datetime "login_token_created_at"
t.jsonb "features", default: {"enable_email_login_token"=>true}, null: false t.jsonb "features", default: {"enable_email_login_token"=>true}, null: false
t.integer "failed_attempts", default: 0, null: false
t.string "unlock_token"
t.datetime "locked_at"
t.index ["email"], name: "index_gestionnaires_on_email", unique: true t.index ["email"], name: "index_gestionnaires_on_email", unique: true
t.index ["reset_password_token"], name: "index_gestionnaires_on_reset_password_token", unique: true t.index ["reset_password_token"], name: "index_gestionnaires_on_reset_password_token", unique: true
t.index ["unlock_token"], name: "index_gestionnaires_on_unlock_token", unique: true
end end
create_table "individuals", id: :serial, force: :cascade do |t| create_table "individuals", id: :serial, force: :cascade do |t|
@ -605,10 +617,14 @@ ActiveRecord::Schema.define(version: 2019_07_17_151228) do
t.string "confirmation_token" t.string "confirmation_token"
t.datetime "confirmed_at" t.datetime "confirmed_at"
t.datetime "confirmation_sent_at" t.datetime "confirmation_sent_at"
t.integer "failed_attempts", default: 0, null: false
t.string "unlock_token"
t.datetime "locked_at"
t.text "unconfirmed_email" t.text "unconfirmed_email"
t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
t.index ["email"], name: "index_users_on_email", unique: true t.index ["email"], name: "index_users_on_email", unique: true
t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
t.index ["unlock_token"], name: "index_users_on_unlock_token", unique: true
end end
create_table "virus_scans", force: :cascade do |t| create_table "virus_scans", force: :cascade do |t|