Open
Description
If the lockable module is enabled, as in:
```ruby
# app/models/user.rb
devise :lockable, maximum_attempts: 5, unlock_in: 1.hour, unlock_strategy: :both
```
The current setup will allow unlimited password attempts while the user is locked, because of the:
```ruby
# app/controllers/sessions_controller.rb
prepend_before_action :authenticate_with_otp_two_factor,
  if: -> { action_name == 'create' && otp_two_factor_enabled? }
```
The solution is to add extra conditions to check whether lockable is enabled (by checking whether :access_locked? is available) and whether the user isn't locked:
```ruby
# app/controllers/sessions_controller.rb
prepend_before_action :authenticate_with_otp_two_factor, if: lambda {
  action_name == 'create' && otp_two_factor_enabled? &&
    (!find_user.respond_to?(:access_locked?) || !find_user.access_locked?)
}
```
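The following is an added illustration, not code from the issue or the project: a plain-Ruby model (no Devise, no Rails) of the two `if:` conditions above, so the difference in behaviour for a locked account can be run side by side. The `Lockable` module, `register_failed_attempt!`, `password_authenticate` and the `guard_locked:` switch are assumptions made for the simulation; `access_locked?`, `valid_password?`, `find_user` and `otp_two_factor_enabled?` mirror the names used in the issue. The 2FA path checks the password directly and never consults the lock, which is what lets an attacker keep guessing against a locked user; the guarded condition hands a locked user back to the normal lockable password flow instead.

```ruby
# Added example: plain-Ruby simulation of the before_action condition.
# Lockable, register_failed_attempt!, password_authenticate and guard_locked
# are assumed names for this illustration, not Devise APIs.
module Lockable
  MAX_ATTEMPTS = 5      # mirrors maximum_attempts: 5
  UNLOCK_IN = 3600      # seconds, mirrors unlock_in: 1.hour

  def failed_attempts
    @failed_attempts ||= 0
  end

  def access_locked?
    !@locked_at.nil? && (Time.now - @locked_at) < UNLOCK_IN
  end

  # Count a failed password and lock once the threshold is reached.
  def register_failed_attempt!
    @failed_attempts = failed_attempts + 1
    @locked_at = Time.now if failed_attempts >= MAX_ATTEMPTS
  end
end

class User
  attr_reader :otp_required_for_login

  def initialize(password:, otp:)
    @password = password
    @otp_required_for_login = otp
  end

  def valid_password?(candidate)
    candidate == @password
  end
end

# A user whose model also has `devise :lockable`.
class LockableUser < User
  include Lockable
end

class SessionsController
  def initialize(user, guard_locked:)
    @user = user
    @guard_locked = guard_locked   # false = original condition, true = proposed one
  end

  # Stand-in for the `if:` lambda on prepend_before_action (action_name == 'create').
  def run_otp_before_action?
    return false unless otp_two_factor_enabled?
    return true unless @guard_locked
    !find_user.respond_to?(:access_locked?) || !find_user.access_locked?
  end

  def create(params)
    return authenticate_with_otp_two_factor(params) if run_otp_before_action?
    password_authenticate(params)
  end

  private

  def find_user
    @user
  end

  def otp_two_factor_enabled?
    find_user.otp_required_for_login
  end

  # 2FA step: verifies the password directly, so the lock is never checked.
  def authenticate_with_otp_two_factor(params)
    return :invalid_password unless find_user.valid_password?(params[:password])
    :otp_required
  end

  # Normal password flow with lockable: refuses a locked account, counts failures.
  def password_authenticate(params)
    user = find_user
    return :locked if user.respond_to?(:access_locked?) && user.access_locked?
    return :signed_in if user.valid_password?(params[:password])

    user.register_failed_attempt! if user.respond_to?(:register_failed_attempt!)
    :invalid_password
  end
end

# Lock an account, then let an attacker keep guessing (constructed input).
def attempts_while_locked(guard_locked:)
  user = LockableUser.new(password: 'correct horse', otp: true)
  5.times { user.register_failed_attempt! }   # account is now locked
  controller = SessionsController.new(user, guard_locked: guard_locked)
  %w[a b c].push('correct horse').map { |g| controller.create({ password: g }) }
end

# A model without lockable still goes through the OTP step under the guarded condition.
def non_lockable_result
  user = User.new(password: 'pw', otp: true)
  SessionsController.new(user, guard_locked: true).create({ password: 'pw' })
end
```

With the original condition `attempts_while_locked(guard_locked: false)` returns three `:invalid_password` results followed by `:otp_required`: the lock is never consulted and the final guess confirms the password. With the proposed condition every attempt returns `:locked`, and a model without `access_locked?` is unaffected by the extra check.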