Angela Choi

Implementing Devise Lockable: A Step-by-Step Guide to Account Locking in Rails

In October 2024, I presented at the Toronto Ruby Meetup on discovering the potential of using Lockable. Devise is a popular authentication library that provides ready-made solutions for user authentication. One of the features it offers is Lockable, which is used to lock a user account after a certain number of failed login attempts. This feature helps improve security by preventing brute force attacks.

A few months ago, as I was logging into my work laptop, I mistyped my password and ended up getting locked out for one minute. After the minute was up, I tried again, but I was locked out for 10 minutes this time.


The lockable module locks an account after several failed sign-in attempts. You can unlock by email or after a specified period or it can require manual unlocking by an admin. This helps protect user accounts from unauthorized access.

Step-by-step guide

This guide outlines how to implement lockable functionality in your Rails application using two strategies: 1) unlocking via email or time-based methods, and 2) customizing failure and unlock strategies.

Install Devise
Before we dive into implementing lockable, ensure you have Devise installed. If you haven't installed it yet, follow Devise's installation instructions first.


Unlock by email and/or time based unlock

1. Config file
Let’s take a look at what this would look like in your config file. In this example, I am utilizing both email and time-based strategies. Users will have a maximum of five failed login attempts, and a warning will be issued on their final attempt. To regain access, users can either receive an email with a link or wait one hour to unlock their account.


Lockable adds the following options to Devise:
  • maximum_attempts: how many attempts should be accepted before blocking the user.
  • lock_strategy: lock the user account by :failed_attempts or :none.
  • unlock_strategy: unlock the user account by :time, :email, :both or :none.
  • unlock_in: the time after which a locked user is unlocked. Only available when unlock_strategy is :time or :both.
  • unlock_keys: the keys you want to use when locking and unlocking an account.

To learn more about lockable options, please refer to the Devise documentation for the Lockable module.

2. User Model
Next, we can go to the User model. In my user model, I’ve added a few devise modules already. You can add the lockable module here.


3. Create a migration
rails g migration add_lockable_to_devise

In your migration file, you’ll want to add failed_attempts and locked_at to users so that you can keep track of this information in the backend. If your unlock strategy is :email or :both, you can also add unlock_token to your users.


Customizable failure and unlock strategies

1. Config file
In your config file, you can set the lock_strategy and unlock_strategy to none. You might be wondering how users will unlock their accounts in this case. To address this, you can create a toggle button that allows administrators to lock and unlock user accounts.


2. Users controller
In the users_controller, you can create a function to toggle the lock status of a user’s account. The code below first checks whether the user's account is locked. If the account is locked, the function will unlock it; otherwise, it will lock the account.

(Image: an example of a toggle button for locking and unlocking a user account)
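To make both strategies concrete, here is an added, stand-alone Ruby illustration. It is not Devise's source and not code from the original post: it re-creates, in plain Ruby, the lockable semantics that the devise.rb options from step 1 of the first strategy configure (maximum_attempts, lock_strategy, unlock_strategy, unlock_in, last_attempt_warning), and the admin toggle from step 2 of the second strategy. The LOCKABLE_CONFIG hash, the LockableUser class, its clock: keyword and the authenticate/toggle_lock! helpers are assumptions made for this example; the method names access_locked?, lock_access! and unlock_access! mirror Devise's, but the bodies are a simplified re-creation.

```ruby
# Added illustration (not Devise's own code): a plain-Ruby model of the
# lockable behaviour configured in config/initializers/devise.rb.
require "securerandom"

# Assumed to match the devise.rb settings for the "email and/or time" strategy.
LOCKABLE_CONFIG = {
  lock_strategy:        :failed_attempts, # or :none for admin-only locking
  unlock_strategy:      :both,            # :email, :time, :both or :none
  maximum_attempts:     5,
  unlock_in:            60 * 60,          # one hour, in seconds
  last_attempt_warning: true
}.freeze

class LockableUser
  attr_reader :failed_attempts, :locked_at, :unlock_token

  # clock: is injectable so tests can advance time deterministically.
  def initialize(password, config = LOCKABLE_CONFIG, clock: -> { Time.now })
    @password, @config, @clock = password, config, clock
    @failed_attempts = 0
    @locked_at = nil
    @unlock_token = nil
  end

  # Locked when locked_at is set and the time-based window has not elapsed.
  def access_locked?
    !@locked_at.nil? && !lock_expired?
  end

  def lock_access!
    @locked_at = @clock.call
    # The token is what the "unlock by email" link would carry.
    @unlock_token = SecureRandom.hex(16) if unlock_by_email?
  end

  def unlock_access!
    @locked_at = nil
    @failed_attempts = 0
    @unlock_token = nil
  end

  # Admin toggle from the post: unlock if locked, otherwise lock.
  # Returns the new locked state.
  def toggle_lock!
    access_locked? ? unlock_access! : lock_access!
    access_locked?
  end

  # One sign-in attempt; returns :ok, :invalid, :last_attempt or :locked.
  def authenticate(candidate)
    unlock_access! if @locked_at && lock_expired? # time-based unlock
    return :locked if access_locked?             # even with the right password

    if candidate == @password
      @failed_attempts = 0
      return :ok
    end

    @failed_attempts += 1
    return :invalid unless @config[:lock_strategy] == :failed_attempts

    if @failed_attempts >= @config[:maximum_attempts]
      lock_access!
      :locked
    elsif @config[:last_attempt_warning] && @failed_attempts == @config[:maximum_attempts] - 1
      :last_attempt
    else
      :invalid
    end
  end

  # Unlock through the token from the email link.
  def unlock_with_token(token)
    return false unless unlock_by_email? && @unlock_token && secure_compare(token, @unlock_token)
    unlock_access!
    true
  end

  private

  def unlock_by_email? = %i[email both].include?(@config[:unlock_strategy])
  def unlock_by_time?  = %i[time both].include?(@config[:unlock_strategy])

  def lock_expired?
    unlock_by_time? && @locked_at && (@clock.call - @locked_at) >= @config[:unlock_in]
  end

  # Constant-time comparison so token checks do not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  frozen = Time.at(1_700_000_000)
  user = LockableUser.new("correct horse", clock: -> { frozen })
  5.times { |i| puts "attempt #{i + 1}: #{user.authenticate('wrong')}" }
  frozen += LOCKABLE_CONFIG[:unlock_in]
  puts "after unlock_in: #{user.authenticate('correct horse')}"
end
```

With lock_strategy and unlock_strategy both set to :none, failed attempts are counted but never lock the account, no token is issued, and a lock set through toggle_lock! never expires on its own, which is exactly why the post pairs that configuration with an administrator toggle.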

Key Takeaways

  • The Lockable module from Devise adds a critical layer of security to your application
  • Lockable is easy to implement with Devise
  • Implementing the lockable feature can enhance user trust and safety by protecting their accounts from unauthorized access
