Think carefully when setting config.unlock_strategy to :time or :none
Devise's lockable module locks an account after a number of failed login attempts. The important point is that it is the account that gets locked, not the login: every session that was signed in to that account at the time of the lock is forcibly signed out as well.
If someone abuses this deliberately (repeatedly failing login as another user to knock them off the service), you are in trouble.
I came up with three ways to avoid that.
Devise has a setting called unlock_strategy, which can be :email, :time, :both or :none:
- :email: the locked user unlocks the account themselves via a link sent by e-mail
- :time: the lock lifts on its own once config.unlock_in has elapsed
- :both: :email or :time, whichever happens first
- :none: neither; the account stays locked until someone unlocks it manually
Of these, with :email and :both the owner of the locked account can unlock it themselves, so being unable to use the account for a while does little harm.
With :time, however, a user who was locked out by someone else's deliberate failed attempts simply has to wait for the lock to expire (config.unlock_in defaults to 1 hour), which can be a real problem. With :none it is worse still: nothing lifts the lock until an administrator does.
If you want to lock the login instead of the account
I don't recommend it because it is very hard to get right, but one way is to override active_for_authentication?.
If you use nothing but lockable in a very simple app, you might write the following:

```ruby
# Devise's lockable returns `super && !access_locked?` here; replacing it with
# an unconditional true means a locked user's existing sessions survive
def active_for_authentication?
  true
end
```
But what if you also use confirmable? What if the app has other rules for when an account counts as active? Every Devise model module adds its own condition to active_for_authentication? and chains to the others with super, so returning true unconditionally throws away all of those checks, not just the lock.
Don't casually set active_for_authentication? to true; it adds security risk rather than removing it.
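To make the two points above concrete (how each unlock_strategy plays out for a victim locked by someone else's failed attempts, and what the blanket active_for_authentication? override costs when confirmable is also in play), here is a stand-alone model I added for this post. It is not Devise's code: the hook and setting names (active_for_authentication?, access_locked?, lock_access!, unlock_strategy, unlock_in) mirror Devise's, but the modules, the injected clock, the "constructed-token" placeholder and the UserWithLoginLock variant are all assumptions made here for illustration.

```ruby
# Added illustration, not Devise's own code: a stand-alone model of how the
# Lockable and Confirmable hooks compose. Names mirror Devise's; the classes,
# the injected clock and the unlock token value are constructed for this example.

module Authenticatable
  def active_for_authentication?
    true                     # base hook every model module chains to via super
  end
end

module Confirmable
  attr_accessor :confirmed_at

  def confirmed?
    !confirmed_at.nil?
  end

  def active_for_authentication?
    super && confirmed?      # unconfirmed accounts are never active
  end
end

module Lockable
  attr_accessor :locked_at, :unlock_token, :clock   # clock: injected Time for tests

  def lock_access!
    @locked_at = clock
    # :email and :both mail an unlock link; :time and :none issue nothing
    @unlock_token = %i[email both].include?(self.class.unlock_strategy) ? "constructed-token" : nil
  end

  def lock_expired?
    return false unless %i[time both].include?(self.class.unlock_strategy)
    locked_at + self.class.unlock_in <= clock       # :time/:both lapse after unlock_in
  end

  def access_locked?
    !locked_at.nil? && !lock_expired?
  end

  # The account lock: once this is false, Warden's after_set_user hook signs
  # out every existing session, not only the attacker's sign-in attempt
  def active_for_authentication?
    super && !access_locked?
  end
end

class User
  include Authenticatable
  include Confirmable
  include Lockable          # included last, so its hook runs first and chains down

  class << self
    attr_accessor :unlock_strategy, :unlock_in
  end

  def initialize(confirmed:, clock: Time.now)
    @confirmed_at = confirmed ? clock : nil
    @clock = clock
  end
end

# The shortcut the post warns against: it ignores the lock, but it also makes
# unconfirmed accounts active, because the whole super chain is discarded
class UserWithBlanketOverride < User
  def active_for_authentication?
    true
  end
end

# Hypothetical "lock the login, not the account": skip only Lockable's link in
# the chain, keep Confirmable's, and enforce the lock solely at sign-in time
class UserWithLoginLock < User
  def active_for_authentication?
    Confirmable.instance_method(:active_for_authentication?).bind(self).call
  end

  def sign_in_allowed?
    active_for_authentication? && !access_locked?
  end
end

# Timeline of a victim locked out by someone else's failed attempts, per strategy
def lockout_timeline(strategy, unlock_in: 3600)
  klass = Class.new(User)
  klass.unlock_strategy = strategy
  klass.unlock_in = unlock_in
  t0 = Time.at(1_700_000_000)                   # constructed fixed clock
  victim = klass.new(confirmed: true, clock: t0)
  victim.lock_access!                           # attacker exhausted maximum_attempts
  report = { session_forced_out: !victim.active_for_authentication?,
             can_self_unlock: !victim.unlock_token.nil? }
  victim.clock = t0 + unlock_in - 1
  report[:locked_just_before_unlock_in] = victim.access_locked?
  victim.clock = t0 + unlock_in
  report[:locked_at_unlock_in] = victim.access_locked?
  report
end

User.unlock_strategy = :time
User.unlock_in = 3600
```

Running lockout_timeline(:time) shows the victim's session being forced out and nothing to do but wait until unlock_in; :email gives them a token straight away but never expires; :both does both; :none neither. UserWithBlanketOverride shows why the shortcut is dangerous: an unconfirmed account suddenly reports itself active. UserWithLoginLock keeps confirmable intact and only blocks new sign-ins, but it reaches past the module chain to do so, which is exactly the kind of fragility that makes this approach hard to recommend.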
Or simply don't use devise
Since this is about security, getting it wrong is bad. Strict comments are welcome.