Devise and unique email addresses - ruby-on-rails

Playing with Devise and noticed that if I register an account but do not confirm it, the email address is made unavailable regardless - surely the whole point of confirming an email address is to ensure that the person registering owns it. I want to stop "malicious" users registering email addresses and effectively rendering them unavailable.
Surely Devise has considered this so what am I missing?

I don't think this is something Devise is going to resolve for you, since it's focussed on authentication, not user management.
A solution might be to write a cronjob with whenever that runs a cleanup task. For example removing all unconfirmed email addresses after a certain period. This period should resemble your :confirmable settings for Devise in config/initializers/devise.rb

Related

Second password for a given set up pages in Rails - Not MFA

In my Rails app, we use the Devise gem for authentication and authorization. But for viewing some of the pages clients want a second password to be entered by users who will act like super users. This is not a Multi-Factor Authentication request, but a kind of One Time Password (OTP) for a given set of pages/resources, just that the OTP will be static.
Devise does not provide this feature. Googling hasn't helped. Any idea how could this be achieved?
This sounds like a bit of an anti-pattern. Why not have an additional field on User that denotes if the user is a super user or not?
This has the benefits that:
there is no password to remember and distribute
super users have one less step to perform
you can easily remove users from this group, if needed
you don't need to build a secondary login form/page

Rails - an authentication solution that is not email-centered?(SMS-centered instead)

It seems that various popular authentication gems including Devise are heavily built around email. However, in some developing countries a lot of users don't use email at all and prefer to do the verification by SMS verification codes. It seems to be possible in Devise to allow users to sign in using something other than an email address. However, is it possible for the user to recover his/her password by cellphone as well? (i.e. just sending the new password to his/her phone by an SMS service).
Also, it is not clear to me from https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-sign-in-with-something-other-than-their-email-address whether I can ditch the email field in the sign up form altogether, or just make it not mandatory, but still there?
If the above cannot be achieved, then is there any alternative gem solution available? I see gems like https://github.com/binarylogic/authlogic seem to be method-agnostic enough. But I'm not sure whether the better solution would be to just build my own authentication system instead of using any gem. I see on RailsGuide that it's preferable to use a gem to do authentication but I'm not exactly sure why.
Thanks!
If you're certain you want to use SMSes for login, I recommend you ditch devise and roll out your own authentication method.
However there are a few things to consider:
The deliverability of SMS is lower than email. There are countries with strict no-automated-SMS policies (e.g. India) and countries where SMSes don't work at all (e.g. Myanmar)
To alleviate the above problem, implement fallback to voice (take a look at Nexmo's text to speech API)
Keep in mind country specific restrictions
If you send out a lot of SMSes, spread the load across multiple numbers
For safe storage of passwords use has_secure_password
I would suggest that you implement your own authentication logic if you are not comfortable with overriding Devise's way of using emails for authentication. For understanding how a simple authentication is done please look at this book by Michael Hartl. Replace confirmation by email with confirmation by SMS one-time password or something of that sort using an API like Twilio.

Rails Devise - confirmable configurations

I am using Rails 4.0.2 and Devise 3.2.2 to handle user registration / authentication. I have enabled :confirmable but was wondering if there is a way to configure :confirmable?
e.g. authentication key expiry, etc.
Currently, when users sign up with email address: example#exmple.com, that email address stays taken/unavailable even when the user doesn't activate/verify that email address.
How do I configure Devise :confirmable so that the email address a user signed up with will become available again if the user does not activate within a period of time?
Thanks!
Check the following link; it has enough information about the confirmable module:
https://github.com/plataformatec/devise/wiki/How-To%3a-Add-%3aconfirmable-to-Users
I don't think the devise 'confirmable' will do that for you. However, you can use 'recoverable' to reset passwords for the account. It is very unlikely that someone different will now own an email account so your best bet is to add a "Forgot your password?" page using recoverable for your end users.
If you explicitly want to remove the user entries, I think your best bet is to generate a rake task that checks when the user was created and that the account hasn't been confirmed. Then put that task on a cron so you run it, say, every night. Though I really don't see the need for it. I believe you're approaching the problem from the wrong angle, and I recommend recoverable as your approach.
Take care, and good luck!
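The cleanup task suggested in both of the answers above (the whenever cronjob in the first thread and the nightly rake task here), worked through as an added example that is not from either answer. It assumes a plain-Ruby stand-in for the users table and a hypothetical 3-day window that should be kept equal to your config.confirm_within in config/initializers/devise.rb:

```ruby
# Added example (not from the original posts): pick out unconfirmed accounts
# whose confirmation window has lapsed so a nightly task can free their
# email addresses. The window mirrors Devise's `config.confirm_within`
# setting (a hypothetical 3-day value is assumed here).
require 'time'

CONFIRM_WITHIN = 3 * 24 * 60 * 60 # seconds; keep equal to config.confirm_within

# Minimal stand-in for a Devise :confirmable user row (constructed, not ActiveRecord).
User = Struct.new(:email, :confirmed_at, :confirmation_sent_at, keyword_init: true)

# Returns the users whose confirmation window expired without a confirmation.
# Unconfirmed users still inside the window keep their claim on the address,
# and confirmed users are never touched.
def expired_unconfirmed(users, now: Time.now, confirm_within: CONFIRM_WITHIN)
  users.select do |u|
    u.confirmed_at.nil? &&
      !u.confirmation_sent_at.nil? &&
      u.confirmation_sent_at + confirm_within < now
  end
end

# Constructed sample data, pinned to a fixed "now" so the result is deterministic.
NOW = Time.utc(2014, 1, 10, 2, 0, 0)
SAMPLE_USERS = [
  User.new(email: 'alice@example.com', confirmed_at: NOW - 86_400, confirmation_sent_at: NOW - 2 * 86_400),
  User.new(email: 'bob@example.com',   confirmed_at: nil,          confirmation_sent_at: NOW - 4 * 86_400),
  User.new(email: 'carol@example.com', confirmed_at: nil,          confirmation_sent_at: NOW - 3600)
]

# In a Rails app the equivalent query would be roughly (assumed, not verified here):
#   User.where(confirmed_at: nil)
#       .where('confirmation_sent_at < ?', Devise.confirm_within.ago)
#       .destroy_all
# run from a rake task that `whenever` schedules with `every 1.day`.
if __FILE__ == $PROGRAM_NAME
  expired_unconfirmed(SAMPLE_USERS, now: NOW).each { |u| puts "would delete #{u.email}" }
end
```

Only bob is selected at the sample time: alice is confirmed and carol's window has an hour behind it but two days still to run.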

Block another user from accessing the Rails application with my authentication

I have hosted a Rails application, an online examination system. The users need to get registered to get access to the system. So each user will be provided with a unique combination of credentials. Let us assume my user-name/password is demo/demo123. I want my app to block another person logging in to the system even if he knows my credentials. Any solution for such a scenario?
Thanks for any help :)-
Using a cookie would be a better solution. When the user gets registered, create a cookie value specific to the user and system, in encrypted format (for security reasons), and save it in the database corresponding to that user. Check for this cookie token while logging in. When the user clears the cookie, s(he) can request the administrator to clear out the DB cookie for creating a new one.
Using IP will not be a better solution since in a network there can be dynamic IPs allocated to the PCs.
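The device-bound cookie token this answer describes, as an added example (not the answerer's code). It assumes an in-memory hash in place of a users table column and stores only a SHA-256 digest of the token server-side, so a copy of the database does not yield a usable cookie value:

```ruby
# Added example (not from the original answer): bind an account to one
# enrolled device via a random token held in a cookie. Only the token's
# SHA-256 digest is persisted, and comparison is constant-time.
require 'securerandom'
require 'digest'

# Constructed in-memory stand-in for a `device_token_digest` column on users.
DEVICE_DIGESTS = {}

# Called once at registration (or after an admin reset). Returns the raw
# token to place in the user's cookie; the database keeps only its digest.
def enroll_device(username)
  token = SecureRandom.urlsafe_base64(32)
  DEVICE_DIGESTS[username] = Digest::SHA256.hexdigest(token)
  token
end

# Constant-time equality for two strings (no early exit on the first
# differing byte), so response timing does not leak the stored digest.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Login-time check: the presented cookie token must hash to the enrolled
# digest. A missing or foreign token means the credentials are being used
# from a device that was never enrolled.
def device_authorized?(username, cookie_token)
  digest = DEVICE_DIGESTS[username]
  return false if digest.nil? || cookie_token.nil?
  secure_equal?(digest, Digest::SHA256.hexdigest(cookie_token))
end

# Administrator action for the "user cleared their cookies" case: drop the
# digest so the next registration step can enroll a fresh token.
def reset_device(username)
  DEVICE_DIGESTS.delete(username)
end
```

In a Rails controller the token would be read from an encrypted cookie (cookies.encrypted) and the digest stored on the User record instead of the hash.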
You could record the user's IP address in the database when they first log in, and only allow logging in using the same credentials but from a new IP address after some waiting period of, say, 1 hour, or until the current examination is complete. That should prevent more than one user being logged in to the same user account within a short time period.
The user's IP address can be accessed in a Rails controller using request.remote_ip.
You could use the lock gem to add a password to the entire application.
First, add to your Gemfile.
gem 'lock'
Then
bundle install
Next, create your password
rails g lock:create_password_file yourpasswordhere
Finally, add lock to your application controller, or whatever you'd like (see documentation).
class ApplicationController < ActionController::Base
  lock
end

Rails3.2 - How to customize Devise to generate random password when a user signs up?

I'm trying to customize the Devise registration process to generate a random password and send it with the confirmation mail.
What I have already done is to override Devise's default :validatable and to generate a new random password if needed.
before_validation :password_generation

# Assign a random password (and matching confirmation) when none was supplied.
# The self. receiver is required so the attribute writers run instead of
# creating throwaway local variables.
def password_generation
  if password.blank?
    self.password = self.password_confirmation = Devise.friendly_token.first(7)
  end
end
Now my problem is to include the newly generated random password with the original confirmation mail.
Is there any possibility to keep up with the original usability of Devise while customizing its new user process, or should I build the authentication process from scratch?
Thanks,
Hadar.
(four months too late, but perhaps someone else can use this)
Mostly what you need to do is copy the default Devise mailer and views to your project and in the config/initializers/devise.rb specify your local class in config.mailer. At that point, you can customize the email as you like. (note that Devise uses the term resource as an abstraction, but mostly it means an instance of User).
The only trick will be to find a way to remember the generated password between the time that the new user account is created and when the email is generated and sent. What Devise will store, when saving the user record is an encrypted version of the password. I would have to follow the path of logic in Devise to be sure, but I'll bet you could store it in an instance variable on User, perhaps params or maybe the flash. Be very careful about this; you want this value to be as short-lived as possible -- presumably just the lifetime of the request.
