Add Lockable option to Devise

Locking Admin users after consecutive failed attempts is a good practice to prevent Brute Force password detection.

This adds the necessary backbone (controller, routes and email template) so that using the lockable strategy with the extension requires minimal work over it.

app/mailers/spree/user_mailer.rb

@@ -13,5 +13,13 @@ def confirmation_instructions(user, token, _opts = {})
       @confirmation_url = spree.spree_user_confirmation_url(confirmation_token: token, host: @store.url)
       mail to: user.email, from: from_address(@store), subject: "#{@store.name} #{I18n.t(:subject, scope: [:devise, :mailer, :confirmation_instructions])}"
     end
+
+    def unlock_instructions(user, token, _opts = {})
+      @store = Spree::Store.default
+      @user = user
+
+      @unlock_url = spree.admin_unlock_url(unlock_token: token, host: @store.url)
+      mail to: user.email, from: from_address(@store), subject: "#{@store.name} #{I18n.t(:subject, scope: [:devise, :mailer, :unlock_instructions])}"
+    end
   end
 end

app/models/spree/user.rb

@@ -5,7 +5,8 @@ class User < Spree::Base
     include UserMethods
 
     devise :database_authenticatable, :registerable, :recoverable,
-           :rememberable, :trackable, :validatable, :encryptable
+           :rememberable, :trackable, :validatable, :encryptable,
+           :lockable
     devise :confirmable if Spree::Auth::Config[:confirmable]
 
     if defined?(Spree::SoftDeletable)

config/initializers/devise.rb

@@ -81,14 +81,14 @@
   # Defines which strategy will be used to lock an account.
   # :failed_attempts = Locks an account after a number of failed attempts to sign in.
   # :none            = No lock strategy. You should handle locking by yourself.
-  # config.lock_strategy = :failed_attempts
+  config.lock_strategy = :none
 
   # Defines which strategy will be used to unlock an account.
   # :email = Sends an unlock link to the user email
   # :time  = Re-enables login after a certain amount of time (see :unlock_in below)
   # :both  = Enables both strategies
   # :none  = No unlock strategy. You should handle unlocking by yourself.
-  # config.unlock_strategy = :both
+  config.unlock_strategy = :both
 
   # Number of authentication tries before locking an account if lock_strategy
   # is failed attempts.

config/routes.rb

@@ -46,7 +46,8 @@
         path_names: { sign_out: 'logout' },
         controllers: {
           sessions: 'spree/admin/user_sessions',
-          passwords: 'spree/admin/user_passwords'
+          passwords: 'spree/admin/user_passwords',
+          unlocks: 'spree/admin/user_unlocks'
         },
         router_name: :spree
       })
@@ -61,6 +62,9 @@
         post '/password/recover', to: 'user_passwords#create', as: :reset_password
         get '/password/change', to: 'user_passwords#edit', as: :edit_password
         put '/password/change', to: 'user_passwords#update', as: :update_password
+
+        get '/unlock', to: 'user_unlocks#show', as: :unlock
+        post '/unlock', to: 'user_unlocks#create'
       end
     end
   end

lib/controllers/backend/spree/admin/user_unlocks_controller.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Spree
+  module Admin
+    class UserUnlocksController < Devise::UnlocksController
+      helper 'spree/base'
+
+      include Spree::Core::ControllerHelpers::Auth
+      include Spree::Core::ControllerHelpers::Common
+      include Spree::Core::ControllerHelpers::Store
+
+      helper 'spree/admin/navigation'
+      layout 'spree/layouts/admin'
+
+      private
+
+      def after_unlock_path_for(_resource)
+        admin_login_path if is_navigational_format?
+      end
+    end
+  end
+end

lib/views/backend/spree/user_mailer/unlock_instructions.html.erb

@@ -0,0 +1,7 @@
+<p>Hello <%= @user.email %>!</p>
+
+<p>Your account has been locked due to an excessive number of unsuccessful sign in attempts.</p>
+
+<p>Click the link below to unlock your account:</p>
+
+<p><%= link_to 'Unlock my account', @unlock_url %></p>