"Implement Lockable and Confirmable Features in Devise Authentication"

app/models/user.rb

@@ -1,8 +1,8 @@
 class User < ApplicationRecord
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :validatable
-  before_create :generate_random_username
-
+         :recoverable, :rememberable, :validatable,
+         :lockable, :confirmable
+  
   has_many :posts, dependent: :destroy
   has_many :votes, dependent: :destroy
   has_many :cryptos, through: :votes
@@ -12,21 +12,16 @@ class User < ApplicationRecord
   has_many :favorites, dependent: :destroy
   has_many :favorite_cryptos, through: :favorites, source: :crypto # this relationship represents the cryptos that the user has marked as favorites
 
+  before_create :generate_random_username
+  before_create :set_accepted_at
   after_create :welcome_send
   after_destroy :send_account_deleted_email
 
-  def welcome_send
-    UserMailer.welcome_email(self).deliver_now
-  end
-
   validates :accepted_cgu, inclusion: { in: [true], message: "Please accept the Terms of Service to continue." }, on: :create
   validates :accepted_privacy_policy, inclusion: { in: [true], message: "Please accept the Privacy Policy to continue." }, on: :create
   validates :email, presence: true, uniqueness: true
   validates :password, presence: true, length: { minimum: 6 }, if: :password_required?
 
-
-  before_create :set_accepted_at
-
   private
 
   def set_accepted_at
@@ -44,6 +39,10 @@ def password_required?
     new_record? || password.present?
   end
 
+  def welcome_send
+    UserMailer.welcome_email(self).deliver_now
+  end
+
   def send_account_deleted_email
     UserMailer.account_deleted_email(self).deliver_now
   end

config/initializers/devise.rb

@@ -129,10 +129,10 @@
   # config.pepper = 'd8309c756fed20b8d01e2099ab4b6e21249fea910862fc90bc158edf96843190b1a468bdeb305bdb7150f8d83725984f373f66fd1b6bbca20950e654e681cf8d'
 
   # Send a notification to the original email when the user's email is changed.
-  # config.send_email_changed_notification = false
+  config.send_email_changed_notification = true
 
   # Send a notification email when the user's password is changed.
-  # config.send_password_change_notification = false
+  config.send_password_change_notification = true
 
   # ==> Configuration for :confirmable
   # A period that the user is allowed to access the website even without
@@ -194,41 +194,42 @@
   # Defines which strategy will be used to lock an account.
   # :failed_attempts = Locks an account after a number of failed attempts to sign in.
   # :none            = No lock strategy. You should handle locking by yourself.
-  # config.lock_strategy = :failed_attempts
+  config.lock_strategy = :failed_attempts
 
   # Defines which key will be used when locking and unlocking an account
-  # config.unlock_keys = [:email]
+  config.unlock_keys = [:email]
 
   # Defines which strategy will be used to unlock an account.
   # :email = Sends an unlock link to the user email
   # :time  = Re-enables login after a certain amount of time (see :unlock_in below)
   # :both  = Enables both strategies
   # :none  = No unlock strategy. You should handle unlocking by yourself.
   # config.unlock_strategy = :both
+  config.unlock_strategy = :email
 
   # Number of authentication tries before locking an account if lock_strategy
   # is failed attempts.
-  # config.maximum_attempts = 20
+  config.maximum_attempts = 5
 
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
   # config.unlock_in = 1.hour
 
   # Warn on the last attempt before the account is locked.
-  # config.last_attempt_warning = true
+  config.last_attempt_warning = true
 
   # ==> Configuration for :recoverable
   #
   # Defines which key will be used when recovering the password for an account
-  # config.reset_password_keys = [:email]
+  config.reset_password_keys = [:email]
 
   # Time interval you can reset your password with a reset password key.
   # Don't put a too small interval or your users won't have the time to
   # change their passwords.
-  config.reset_password_within = 6.hours
+  config.reset_password_within = 30.minutes
 
   # When set to false, does not sign a user in automatically after their password is
   # reset. Defaults to true, so a user is signed in automatically after a reset.
-  # config.sign_in_after_reset_password = true
+  config.sign_in_after_reset_password = false
 
   # ==> Configuration for :encryptable
   # Allow you to use another hashing or encryption algorithm besides bcrypt (default).

db/migrate/20241211112558_add_lockable_to_users.rb

@@ -0,0 +1,7 @@
+class AddLockableToUsers < ActiveRecord::Migration[6.1]
+  def change
+    add_column :users, :failed_attempts, :integer, default: 0, null: false 
+    add_column :users, :unlock_token, :string 
+    add_column :users, :locked_at, :datetime 
+  end
+end

db/migrate/20241211135607_add_confirmable_to_users.rb

@@ -0,0 +1,9 @@
+class AddConfirmableToUsers < ActiveRecord::Migration[6.1]
+  def change
+    add_column :users, :confirmation_token, :string
+    add_column :users, :confirmed_at, :datetime
+    add_column :users, :confirmation_sent_at, :datetime
+    add_column :users, :unconfirmed_email, :string # Optional if using reconfirmable
+    add_index :users, :confirmation_token, unique: true
+  end
+end