Is there a way to ask all users to change their passwords upon
logging into a Rails application using Devise authentication? In other words, I'd like a way to "expire" a password, so that the next time a user signs in, they have to change it.
I don't think that Devise can do that out of the box, but i guess it's pretty to do it yourself. What i would do :
Upon user sign in, i would nil out the encrypted_password field of the database.
I would have overriden devise's session controller (responsible for the logins), in order to check whether encrypted_password of a user that tries to log in is nil.
If that was nil, i would redirect them to login, also flashing an error like "Your password has expired. Please create a new one."
Related
Scenario: As an Administrator I need to invalidate a user's session (log them out) after I update the user's password. This is in accordance with best practices as per https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#Renew_the_Session_ID_After_Any_Privilege_Level_Change
I am using Devise and I saw here https://stackoverflow.com/a/45756884/664675 there is a config to log the user out: config.sign_in_after_reset_password = false
However, I have enabled this config in my devise.rb but the user remains logged in. Not sure why that is?
I am also using Redis as the session_store
Example::Application.config.session_store :cache_store,
key: '_example_session',
secure: true
Is it feasible to delete the particular user's session store from Redis upon Password reset by the Administrator? And if so how could I find their particular session key within Redis?
the flag sign_in_after_reset_password does not relate to logout user at all, sign_in_after_reset_password = false imply that in case a user update his account password by himself then do not automatically sign-in his account again, and that logic happen only on PasswordsController#update.
So you as admin try to change password of another user in a custom controller, of course it's not logout user no matter the value of sign_in_after_reset_password is.
devise use gem warden to logout user (in other word: destroy user session) and warden base on request session not base on database, that mean there's no way an admin can get another user's session to reset, so you can not force logout another user by only devise, you need to handle this feature outside devise (such as add session to user table or a devise hook something like timeoutable)
reference: https://github.com/heartcombo/devise/issues/5262
What you're looking for is the setting sign_in_after_change_password which you should set to false (it defaults to true). The method has a slightly confusing name – it means "should we sign the user in after changing their password" instead of "should the user have to sign in after changing their password".
References:
https://github.com/heartcombo/devise/blob/master/lib/devise.rb#L296-L298
https://github.com/heartcombo/devise/blob/c82e4cf47b02002b2fd7ca31d441cf1043fc634c/app/controllers/devise/registrations_controller.rb#L163-L167
I have a simple rails application that uses devise authentication and I want to prevent a user from login in or requesting for password request or any thing that can grant access to a registered user.
In my user model I have a boolean field that helps me easily determine if the account has been activated or not, the boolean field is called active.
What call back methods can I use to go around this and to check if the user has been activated of not with devise. Thanks
If you mean how you can set your active boolean after a confirmation email, you can override the confirm! method devise gives.
If you need a method to prevent a non active user to login etc., override the new method in the SessionsController.
I'm using active admin in my rails application.
I want to enter user's account page from active admin page because I want to check what the user exactly is seeing.
I thought that I can decrypt devise encrypted password, but I found out that I cannot do that Rails Devise, how to unencrypt a password?
I tried entering the site by using the encrypted password, but I couldn't.
How can I implement this?
If it so important, you can copy encrypted password from db and paste own encrypted password for this user. You can do it via rails c. After your actions rewrite password again. But it is a bad way. You must write some tests for your app.
There is an example in the Devise Wiki How to :
How To: Sign in as another user if you are an admin
The proposed solution replaces the current user in session, so I think you'll be signed out of ActiveAdmin.
Use case: User fills out a form to add a product and register at once. When the user has submitted the combined form, the app authenticates the user and is logged in (assume validations passed) without the need to confirm or login.
I've removed the confirmable feature out, but when the user fill out the form, it succeeds, but the user doesn't get logged in unless they go to a login form. This isn't such a great experience, so is there a way to Register a user and immediately log them in?
What I actually wanted was sign_in(#user) from my controller
If you want to login without confirmation then Remove :confirmable option from devise options in User model.
I am using devise in my application. When a user goes to my website, if i know that the user had previously visited my website and checked 'Remember Me' while logging in, I want to show ihm a special message. How I do get this remember me value from devise in my view? Thanks.
If you have a saved user and wants to know whereas he clicked on the remember_me use the field:
#user.remember_created_at
If you have a instantiated user in your controller after the form submission, you can access the value using:
#user.remember_me
remember_me is a attr_accessor in Devise gem, see here. Which means it will not be persisted when saving you user's instance.