Things to be aware of when using devise's lockable

In other words

Think carefully when setting config.unlock_strategy to: time or : none

version

About lockable

devise's lockable is to lock your account if you fail to log in several times. It's important to note that the account is locked, not the login locked. This means that all logged-in sessions accessed during account lock will be forcibly logged out.

If you use this to make the following mischief, you will be in trouble.

  1. User A is logged in to a web service using devise
  2. Another person tries to log in with User A's email address, but fails in succession, and User A's account is locked.
  3. User A accesses the web service while the account is locked
  4. Log out and user A will not be able to use the web service until unlocked

Workaround

I thought about three things to avoid.

Allow you to unlock with your email address

There is a thing called unlock_strategy in the devise setting, which can specify: email, : time,: both, : none.

Of these, in the case of : email and: both, the owner of the locked account can unlock it by himself, so there is little damage related to not being able to use the account. However, in the case of : time, if there is a user who is locked by mischief, you have to wait for it to be released over time (config.unlock_in defaults to 1 hour), so it can be a problem. appear.

Lock only login

If you want to lock your login instead of your account lock. I don't recommend it because it's very difficult, but there is a way to override active_for_authentication?. If you're using only lockable in a very simple app, you might do the following:

  def active_for_authentication?
    true
  end

But what if you also use confirmable? What if there are other specifications for activating various accounts? Don't easily set active_for_authentication? To true, which increases the extra security risk.

Do not use devise

For example, avoid devise

At the end

It's about security, so it's bad if it's wrong. We look forward to your strict comments.

Recommended Posts

Things to be aware of when using devise's lockable
Things to be aware of when writing Java
[Java] Things to be aware of when outputting FizzBuzz
Things to be aware of when writing code in Java
[Rails] When using ajax, be aware of "CSRF measures".
To be aware of easy-to-read code
[Java Silver] Things to be aware of regarding switch statements
5 things new programmers should be aware of
Basic rules to be aware of to write easy-to-read code
Things to keep in mind when using if statements
Things to watch out for when using Deeplearning4j Kmeans
[Java] [Microsoft] Things to be aware of when including the JDBC driver for SQL Server in one jar
I want to be aware of the contents of variables!
Be careful of initialization timing when using MessageEncryptor with Rails 5.2 / 6.0
Things to keep in mind when using Sidekiq with Rails
[Technical memo] Things to be careful of from an engineer's point of view when creating a view
Be careful when using multiple articles
Things to note when using Spring AOP in Jersery resource classes
Things to consider when running a specified job using Spring Batch
Is it easy for the user to use when implementing general-purpose functions? Let's be aware of
Things to keep in mind when using Apache PDFBox® with AWS Lambda
JSESSIONID could not be assigned to the URL when using Spring Security
Be careful when using rails_semantic_logger with unicorn
[Beginner] Points to be aware of after Java exercises / Inheritance / Abstract method [Note 26]
Summarize the life cycle of Java objects to be aware of in Android development
Pay attention to the boundary check of the input value when using the float type
Verification of performance impact when using Java volatile
Summary of moss when updating from JMockit 1.4 to 1.30
[Java] Be aware of short circuits (short-circuit evaluation)
Things to keep in mind when committing to CRuby
Java Servlet should be aware of multithreaded environment
How to get the class name of the argument of LoggerFactory.getLogger when using SLF4J in Java