Devise Lockable: How to check if the user account is locked during sign in?


Froilan Olavidez

Mar 24, 2014, 5:10:30 AM
to plataforma...@googlegroups.com
Hi All,

I would like to know how I can determine whether the user is already locked during sign-in. When the user enters a valid username/email address with the correct password but his/her account is tagged as locked, the system throws an error message saying that the account is already locked; this is the current, correct behaviour of the Devise Lockable module.

However, when the user enters a valid username/email address with an INCORRECT password, Devise doesn't recognize that the user is already locked and throws an error message saying that the login details are invalid.

What I want to achieve is this: when the user account is already locked and the user enters a valid username/email address with either a CORRECT or an INCORRECT password, Devise will throw an error message stating that the account is already locked.

What do I need to implement? Maybe override some model functions to achieve this?

I am using Rails 4 and the latest Devise gem in my application.

Please advise and thanks in advance.

Walter Lee Davis

Mar 24, 2014, 9:02:20 AM
to plataforma...@googlegroups.com

On Mar 24, 2014, at 5:10 AM, Froilan Olavidez wrote:

> Hi All,
>
> I would like to know how I can determine whether the user is already locked during sign-in. When the user enters a valid username/email address with the correct password but his/her account is tagged as locked, the system throws an error message saying that the account is already locked; this is the current, correct behaviour of the Devise Lockable module.
>
> However, when the user enters a valid username/email address with an INCORRECT password, Devise doesn't recognize that the user is already locked and throws an error message saying that the login details are invalid.
>
> What I want to achieve is this: when the user account is already locked and the user enters a valid username/email address with either a CORRECT or an INCORRECT password, Devise will throw an error message stating that the account is already locked.
>
> What do I need to implement? Maybe override some model functions to achieve this?

I think that this would violate one of Devise's rules of engagement -- never give away details to an unauthenticated person. If you know the username and password, then you get more detail about why you can't log in. But if you don't know both, you get the "no-answer" that you give to anyone who can't log in for any reason. You don't tell them that the email is right but the password is wrong, or vice-versa, because that gives one of the keys to an attacker. I think this falls into that same valley.

Walter


Mike Atlas

Mar 24, 2014, 11:44:17 AM
to plataforma...@googlegroups.com
Walter is correct. Let's say you suspect Bob TheTreasonist of being a member of SubversiveSite.com (hypothetical). You know Bob's email is b...@badguy.com. You want to know if Bob is a member of SubversiveSite.com? Simple: try logging in to SubversiveSite.com with an incorrect password a few times, and if you see "Account Locked", you now have definitive confirmation that said email address is a member of SubversiveSite.com.

This example is contrived from a real-world example - I can't find the article on it, but I recall a case where a number of French anti-government political activists were "outed" for being members of a particular forum-based website using the above technique.

The correct behavior around dealing with this is to lock the account after N attempts (but only tell them it is locked if they have the right password); allow the user to request a password reset via email; and to always say "password reset instructions sent" regardless of whether you have a user with said email in your system that is being sent the reset instructions. This way, an attacker cannot determine definitively whether or not b...@badguy.com is a member of your site (or not).

-Mike

Amit Mutreja

Apr 22, 2015, 1:06:46 PM
to plataforma...@googlegroups.com
But still, how can I check that the account is locked when the email and password entered are correct?
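The flow Walter and Mike describe, together with the check Amit asks about, as an added example that is not part of this thread and not Devise's code: a toy Ruby model with Devise-style `failed_attempts`/`locked_at` bookkeeping, the enumeration-safe sign-in next to the variant the original post asked for, Mike's probe run against both, and a reset request that answers the same way for any address. The `User` class, the `USERS` store, `sign_in_safe`, `sign_in_leaky`, `probe`, `run_demo` and the sample addresses are all constructed for this example. The only Devise name reused is `access_locked?`, which Devise's Lockable module provides on the model; in a real Devise app that, with `failed_attempts` and `locked_at`, is the state to look at once the password has been accepted.

```ruby
require 'openssl'
require 'securerandom'

# Toy stand-in for a Devise-style Lockable user, constructed for this example
# (not Devise's code). Same bookkeeping as Lockable: failed_attempts, locked_at.
class User
  MAX_ATTEMPTS = 5 # lock after this many failures (Devise: config.maximum_attempts)
  attr_reader :failed_attempts

  def initialize(password)
    @salt = SecureRandom.random_bytes(16)
    @digest = User.digest(password, @salt)
    @failed_attempts = 0
    @locked_at = nil
  end

  def self.digest(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 10_000, 32, 'sha256')
  end

  # Constant-time comparison: timing must not depend on which byte differs.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def valid_password?(password)
    User.secure_equal?(User.digest(password, @salt), @digest)
  end

  def access_locked?
    !@locked_at.nil?
  end

  def register_failed_attempt!
    @failed_attempts += 1
    @locked_at = Time.now if !access_locked? && @failed_attempts >= MAX_ATTEMPTS
  end

  def reset_failed_attempts!
    @failed_attempts = 0
  end
end

USERS = {}                                 # in-memory store, constructed for the example
DUMMY_SALT = SecureRandom.random_bytes(16) # so an unknown email costs the same hashing time

# Enumeration-safe sign-in, the behaviour Walter and Mike describe: the caller learns
# the account is locked only once the password is also correct; otherwise always :invalid.
def sign_in_safe(email, password)
  user = USERS[email]
  if user.nil?
    User.digest(password, DUMMY_SALT)      # same work as a real check, same timing
    return :invalid
  end
  unless user.valid_password?(password)
    user.register_failed_attempt!          # the lock still engages, silently
    return :invalid
  end
  return :locked if user.access_locked?    # correct credentials: safe to say why now
  user.reset_failed_attempts!
  :ok
end

# What the original poster asked for: :locked on every attempt against a locked account.
def sign_in_leaky(email, password)
  user = USERS[email]
  return :invalid if user.nil?
  return :locked if user.access_locked?
  unless user.valid_password?(password)
    user.register_failed_attempt!
    return :invalid
  end
  user.reset_failed_attempts!
  :ok
end

# Mike's probe: a few wrong passwords, then look for "locked" among the replies.
def probe(email, sign_in)
  replies = Array.new(User::MAX_ATTEMPTS + 1) { sign_in.call(email, 'not-the-password') }
  replies.include?(:locked) ? :exists : :unknown
end

# Password reset that answers identically whether or not the email is known.
def request_password_reset(email)
  # a real app would enqueue the mail here when USERS.key?(email); the reply never changes
  'If that address is registered, password reset instructions have been sent.'
end

# Probe both flows on a fresh store and collect what an attacker would see.
def run_demo
  results = {}
  { leaky: method(:sign_in_leaky), safe: method(:sign_in_safe) }.each do |name, login|
    USERS.clear
    USERS['bob@badguy.example'] = User.new('correct-horse')
    results[:"#{name}_known"]   = probe('bob@badguy.example', login)
    results[:"#{name}_unknown"] = probe('nobody@badguy.example', login)
    results[:"#{name}_right_password_once_locked"] = login.call('bob@badguy.example', 'correct-horse')
  end
  results[:same_reset_reply] = request_password_reset('bob@badguy.example') ==
                               request_password_reset('nobody@badguy.example')
  results
end

run_demo.each { |k, v| puts "#{k}: #{v}" } if __FILE__ == $0
```

Running it shows the leaky flow answering :locked on the sixth wrong guess for the real address and never for the unknown one, so the attacker learns the account exists, while the safe flow answers :invalid in both cases and only says :locked to a caller who also supplied the right password. The order of checks is the whole point: password first, lock state second.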