devise-suspicious_login
A devise extension that helps protect again suspicious logins.
Getting started
gem 'devise-suspicious_login
Run bundle
command to install.
Quick Installation
Quick Installation should work on most default rails apps.
Run the install generator:
rails generate suspicious_login:install
to install the relevant config files config/initializers/suspicious_login.rb
with default settings.
Next run the ActiveRecord generator for each model you want to enable suspicious_login detection for.
rails generate active_record:suspicious_login User
will update and configure the User model automatically. This will also automatically create a database migration that adds the necessary fields to the User model.
Run this migration wih
rails db:migrate
By default only dormant users (3 months without a login by default setting) are considered suspicious. Suspicious check for dormant users can be turned of by setting:
config.dormant_sign_in after = nil
To add a custom suspicious check for a model simply define a method suspicious_login_attempt?(request)
eg:
# request parameter contains the contents of the rails request
def suspicious_login_attempt?(request)
if request.ip.botnet? return true
false
end
Manual Installation
Once installed you need to add login_token
and login_token_sent_at
fields to any resources (eg User) that will use need this feature. Below shows how to add this to the User
model.
# For a new migration for the users table, define a migration as follows:
create_table :users do |t|
t.login_token
end
# If the table already exists, define a migration and add the following:
change_table :users do |t|
t.string login_token
t.datetime :login_token_sent_at
end
Add the :suspicious_login
module to the resource.
This extension requires the resource to have the native devise modules :trackable
and :recoverable
attached to it eg:
class User < ApplicationRecord
devise :database_authenticatable, :recoverable, :registerable, :authenticatable, :trackable, :suspicious_login
end
Configuration
Devise.setup do |config|
# Period of time to expire token after login_tokens
# config.expire_login_token_after = 10.minutes
# Period of time to wait before resending another email for a suspicious login
# config.resend_login_token_after = 1.minute
# Period of time after which a user is considered to be dormant and a login treated as suspicious
# dormant_sign_in_after = 3.months
# Column to store login token for resource
# config.token_field_name = :login_token
# Column to store login token create time for resource
# config.token_created_at_field_name = :login_token_sent_at
# Clear token on login (allows tokens to be one time use only)
# config.clear_token_on_login = true
# Login methods that should trigger a suspicious login (defaults to devise default login strategy)
#config.trigger_strategies = [Devise::Strategies::DatabaseAuthenticatable]
end
Be sure to set all of your devise login failure messages to be the same otherwise an attack will know if the login credentials are correct depending on the failure message returned!
See (test/dummy/config/locales/devise.en.yml)
Requirements
- Devise (https://github.com/plataformatec/devise)
- Rails 5.1 onwards (http://github.com/rails/rails)