Description
The attempt here is to give more flexibility on multiple sign-in barriers, like captcha or 2FA. Based on the requests, it gives you decisive criteria for the barriers a user has to take for sign-in. It stores a permanent cookie and a table for tracking requests for specific routes you track within a controller method.
It is built for systems with higher security requirements, for users who sign in multiple times on the same login.
Features
RequestControlViewHelper.captcha_tag? returns true if a captcha is necessary and is shown on a login form.
This decision is based on the status of failed login attempts, which is stored in the Rails session cookie.
For a user that has never had a successful login, captcha_tag? is always true. After the first successful login, captcha_tag? is true if attempts are less than the configured value (default: 10) and last_attempt is older than config.x.login_control.retry_after_seconds.
On localhost, a captcha is never required.
Installation
gem 'login-control'
run
$ bundle
$ rails g model login_control session_id:string login_name:string scope:string sign_in_success:integer attempts:integer last_attempt:datetime validate_captcha:boolean
$ rails db:migrate
initializer
require 'login_control_module'
require 'login_control_view_helper'
ApplicationHelper
include LoginControlViewHelper
Login Form
- if captcha_tag?
= hcaptcha xxx
Controller example for subclassed devise controller
class SessionsController < Devise::SessionsController
  include LoginControlModule

  def create
    # record this attempt before deciding which barriers apply
    notice_login_attempt
    # captcha_validation? says whether this request must pass the captcha;
    # credentials_matched? is a placeholder for your own credential check
    if (captcha_validation? ? verify_hcaptcha(secret_key: ...) : true) && credentials_matched?
      super
      notice_successful_login
    else
      redirect_to login_path, alert: 'captcha failed'
    end
  end
end
Configs
config.x.login_control.attempts_allowed
integer, default: 10
config.x.login_control.retry_after_seconds
integer, default: 30 (seconds). If, after a failed login, the user is within status :known, within attempts_allowed and within retry_after_seconds, RequestControlViewHelper.captcha_tag? returns true.
config.x.login_control.debug
boolean, default: false only for production
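To make the decision rule from Features and Configs concrete, here is an added plain-Ruby model of the tracking record and of a captcha_tag?-style check; it is not the gem's own code. It assumes a Hash standing in for config.x.login_control, the field names from the generator line under Installation, and the Configs reading of the time check (last attempt within retry_after_seconds).

```ruby
# Added model (mine, not the gem's LoginControlModule): mirrors the fields from
# the generator line and the decision rule described in Features and Configs.
class LoginControlRecord
  attr_reader :session_id, :sign_in_success, :attempts, :last_attempt

  def initialize(session_id:)
    @session_id = session_id
    @sign_in_success = 0  # successful logins so far; 0 means the user is unknown
    @attempts = 0         # attempts recorded since the last success
    @last_attempt = nil
  end

  # counterpart of notice_login_attempt: every attempt is recorded before the check
  def notice_login_attempt(now: Time.now)
    @attempts += 1
    @last_attempt = now
  end

  # counterpart of notice_successful_login: success resets the attempt counter
  def notice_successful_login
    @sign_in_success += 1
    @attempts = 0
  end

  def status
    @sign_in_success.zero? ? :unknown : :known
  end
end

# captcha_tag?-style decision. Assumptions: config is a Hash standing in for
# config.x.login_control; the "within retry_after_seconds" reading from Configs
# is used; past attempts_allowed the README says nothing, so this returns false
# as the Features text states ("true if attempts are less than configured").
def captcha_required?(record, config, host: 'example.test', now: Time.now)
  return false if %w[localhost 127.0.0.1].include?(host) # never on localhost
  return true if record.status == :unknown               # no successful login yet
  return false if record.attempts.zero? || record.last_attempt.nil?
  within_attempts = record.attempts < config.fetch(:attempts_allowed, 10)
  within_retry = (now - record.last_attempt) <= config.fetch(:retry_after_seconds, 30)
  within_attempts && within_retry
end
```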