From 023d2a498980e9e72535e76ac9d81dd1ba06f658 Mon Sep 17 00:00:00 2001
From: pabois <pierreandre.boissinot@noesya.coop>
Date: Thu, 15 Sep 2022 11:43:53 +0200
Subject: [PATCH] devise semi-paranoid mode

---
 config/initializers/devise.rb | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index a41037223..699a431fe 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -90,7 +90,7 @@ Devise.setup do |config|
   # It will change confirmation, password recovery and other workflows
   # to behave the same regardless if the e-mail provided was right or wrong.
   # Does not affect registerable.
-  # config.paranoid = true
+  config.paranoid = true
 
   # By default Devise will store the user in session. You can skip storage for
   # particular strategies by setting this option.
@@ -322,3 +322,20 @@ Devise.setup do |config|
   config.second_factor_resource_id = 'id' # Field or method name used to set value for 2fA remember cookie
   config.delete_cookie_on_logout = false # Delete cookie when user signs out, to force 2fA again on login
 end
+
+require 'devise/models/lockable'
+
+Devise::Models::Lockable.class_eval do
+  def unauthenticated_message
+    # paranoid mode normally hide the locked message because it leaks the existence of an account.
+    # but I think this is totally not user friendly: a user can lock is account and still has the message "uncorrect"
+    # so I reverted to something less secure but more user friendly
+    if access_locked? || (lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?)
+      :locked
+    elsif lock_strategy_enabled?(:failed_attempts) && last_attempt? && self.class.last_attempt_warning
+      :last_attempt
+    else
+      super
+    end
+  end
+end
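Review bot: The override at `def unauthenticated_message` drops the `Devise.paranoid` guard that the upstream implementation checks first, so a login attempt with any password now answers `:locked` or `:last_attempt` for an existing address and the generic message for an unknown one — the account-enumeration oracle that `config.paranoid = true` in the first hunk is meant to close. If that trade-off is accepted, the comment should state it plainly instead of "something less secure", e.g. `# Deliberate departure from Devise paranoid mode: lock-state responses confirm that an address has an account; accepted for usability.` The `:last_attempt` branch reveals existence before any lock has happened and gives the legitimate user little beyond a countdown, so keeping only the `:locked` branch would narrow the leak while preserving the stated goal. Because `class_eval` on `Devise::Models::Lockable` re-implements a Devise-internal method body (it appears to be non-public upstream, so this redefinition may also change its visibility — verify), it should be pinned by a test covering the locked, last-attempt and unlocked paths to catch breakage on a gem upgrade. The comment wording also needs fixing: `hide` → `hides`, `lock is account` → `lock their account`, `uncorrect` → `incorrect`.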
-- 
GitLab