Module: Devise::Models::PasswordExpirable

Extended by:
ActiveSupport::Concern
Defined in:
lib/devise-security/models/password_expirable.rb

Overview

PasswordExpirable makes passwords expire after a configurable amount of time, or on demand.

Configuration

Set expire_password_after to the number of seconds a password is valid for (example: 3.months). Setting it to true will allow passwords to be expired on-demand only, and false disables this feature.

Expire On-Demand

This is useful to force users to change passwords for complex business reasons. Call need_change_password to indicate a record needs a new password.

Defined Under Namespace

Modules: ClassMethods

Instance Method Summary collapse

Instance Method Details

#expire_password_afterInteger, ...

Returns:

  • (Integer)

    number of seconds passwords are valid for

  • (true)

    passwords are expired 'on demand' only.

  • (false)

    passwords never expire (this feature is disabled)


64
65
66
# File 'lib/devise-security/models/password_expirable.rb', line 64

def expire_password_after
  self.class.expire_password_after
end

#need_change_passwordvoid Also known as: expire_password, request_password_change

Note:

Does not save the record

This method returns an undefined value.

Clear the password_changed_at field so that the user will be required to

update their password.

53
54
55
56
57
# File 'lib/devise-security/models/password_expirable.rb', line 53

def need_change_password
  return unless password_expiration_enabled?

  self.password_changed_at = nil
end

#need_change_password!Boolean Also known as: expire_password!, request_password_change!

Note:

Saves the record (without validations)

Clear the password_changed_at field so that the user will be required to update their password.

Returns:

  • (Boolean)

40
41
42
43
44
45
# File 'lib/devise-security/models/password_expirable.rb', line 40

def need_change_password!
  return unless password_expiration_enabled?

  need_change_password
  save(validate: false)
end

#need_change_password?Boolean, true

Is a password change required?

Returns:

  • (Boolean)
  • (true)

    if password_changed_at has not been set or if it is old enough based on expire_password_after configuration.


32
33
34
# File 'lib/devise-security/models/password_expirable.rb', line 32

def need_change_password?
  password_change_requested? || password_too_old?
end

#password_change_requested?Boolean

When password_changed_at is set to NULL in the database the user is required to change their password. This only happens on demand or when the column is first added to the table.

Returns:

  • (Boolean)

72
73
74
75
76
77
# File 'lib/devise-security/models/password_expirable.rb', line 72

def password_change_requested?
  return false unless password_expiration_enabled?
  return false if new_record?

  password_changed_at.nil?
end

#password_too_old?Boolean Also known as: password_expired?

Is this password older than the configured expiration timeout?

Returns:

  • (Boolean)

81
82
83
84
85
86
87
# File 'lib/devise-security/models/password_expirable.rb', line 81

def password_too_old?
  return false if new_record?
  return false unless password_expiration_enabled?
  return false if expire_password_on_demand?

  password_changed_at < expire_password_after.seconds.ago
end