authorRémy Coutable <remy@rymai.me>2016-10-04 15:04:57 +0000
committerRémy Coutable <remy@rymai.me>2016-10-04 15:04:57 +0000
commitb8005b6112d7322ff8b2cf0a1e55e6c56f0fcba3 (patch)
treea802cabde9fe3fe9efe4a25cc09e7360399b27b8 /app/models
parent385817a11f568ca8fa165eaf57fa88789fc6fcd5 (diff)
parent194fbc3c3d4b068f191fca75488b986df88c5333 (diff)
downloadgitlab-ce-b8005b6112d7322ff8b2cf0a1e55e6c56f0fcba3.tar.gz
Merge branch 'restrict-failed-2fa-attempts' into 'master'
Restrict failed login attempts from users with 2FA enabled. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/19799. See merge request !6668
Diffstat (limited to 'app/models')
-rw-r--r--app/models/user.rb16
1 files changed, 16 insertions, 0 deletions
diff --git a/app/models/user.rb b/app/models/user.rb
index 6996740eebd..7f5a8562907 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -827,6 +827,22 @@ class User < ActiveRecord::Base
todos_pending_count(force: true)
end
+ # This is copied from Devise::Models::Lockable#valid_for_authentication?, as our auth
+ # flow means we don't call that automatically (and can't conveniently do so).
+ #
+ # See:
+ # <https://github.com/plataformatec/devise/blob/v4.0.0/lib/devise/models/lockable.rb#L92>
+ #
+ def increment_failed_attempts!
+ self.failed_attempts ||= 0
+ self.failed_attempts += 1
+ if attempts_exceeded?
+ lock_access! unless access_locked?
+ else
+ save(validate: false)
+ end
+ end
+
private
def projects_union(min_access_level = nil)
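Review bot: The counter update in `increment_failed_attempts!` is a read-modify-write done in Ruby (`self.failed_attempts ||= 0`, `self.failed_attempts += 1`, then `save(validate: false)`), so two failed attempts processed concurrently can load the same value and persist only one increment, which means the lockout threshold is not strictly enforced. Doing the increment in the database closes that gap, for example `self.class.increment_counter(:failed_attempts, id)` followed by `reload` before the `attempts_exceeded?` check. Because the method is a copy of Devise v4.0.0 code, the comment above it should also say that it has to be re-synced when Devise is upgraded. The callers are outside this diff (it is limited to app/models), so it cannot be confirmed from here that every failed 2FA path actually invokes the method.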