add admin account autolock feature

Gemfile

@@ -14,6 +14,8 @@ gem 'combine_pdf', '~> 1.0'
 gem 'config', '~> 2.0' # Deprecate for Resource Registry
 
 gem 'devise', '~> 4.8'
+# for account locking
+gem 'devise-security'
 
 gem 'dry-matcher', '~> 0.8'
 gem 'dry-monads', '~> 1.3'

Gemfile.lock

@@ -213,6 +213,8 @@ GEM
       railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
+    devise-security (0.18.0)
+      devise (>= 4.3.0)
     diff-lcs (1.4.4)
     dry-configurable (0.9.0)
       concurrent-ruby (~> 1.0)
@@ -651,6 +653,7 @@ DEPENDENCIES
   config (~> 2.0)
   database_cleaner-mongoid
   devise (~> 4.8)
+  devise-security
   dry-matcher (~> 0.8)
   dry-monads (~> 1.3)
   dry-schema (~> 1.6)

app/models/account.rb

@@ -5,7 +5,8 @@ class Account
   # Include default devise modules. Others available are:
   # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :validatable
+         :recoverable, :rememberable, :validatable,
+         :session_limitable, :expirable
 
   ## Database authenticatable
   field :email,              type: String, default: ""
@@ -18,6 +19,17 @@ class Account
   ## Rememberable
   field :remember_created_at, type: Time
 
+  # Session limitable
+  field :unique_session_id, type: String
+
+  # Expirable
+  field :last_activity_at, type: Time
+  field :expired_at, type: Time
+
+  index({ unique_session_id: 1 })
+  index({ last_activity_at: 1 })
+  index({ expired_at: 1 })
+
   ## Trackable
   # field :sign_in_count,      type: Integer, default: 0
   # field :current_sign_in_at, type: Time

config/application.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+DEVISE_ORM = :mongoid
 require_relative "boot"
 
 require "rails"

config/initializers/devise.rb

@@ -308,4 +308,14 @@
   # When set to false, does not sign a user in automatically after their password is
   # changed. Defaults to true, so a user is signed in automatically after changing a password.
   # config.sign_in_after_change_password = true
+
+  # ==> Configuration for :expirable
+  # Time period for account expiry from last_activity_at
+  user_account_lock_period = 60
+  unless ENV['DEVISE_USER_INACTIVITY_LOCK_PERIOD_IN_DAYS'].blank?
+    period_in_days_env = ENV['DEVISE_USER_INACTIVITY_LOCK_PERIOD_IN_DAYS']
+    num_days = period_in_days_env.to_i
+    user_account_lock_period = num_days if num_days.to_s == period_in_days_env
+  end
+  config.expire_after = user_account_lock_period.days
 end

spec/controllers/sections_controller_spec.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+RSpec.describe New::SectionsController,
+               "attempting to log in an expired account",
+               type: :controller, dbclean: :after_each do
+  let(:account) do
+    account_record = FactoryBot.create(:account)
+    account_record.last_activity_at = Time.now - 180.days
+    account_record.save!
+    account_record
+  end
+
+  before :each do
+    sign_in account
+  end
+
+  it "can't access the endpoint" do
+    get :new
+    expect(response).to redirect_to("http://test.host/accounts/sign_in")
+  end
+end

spec/factories/accounts.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
-# FactoryBot.define do
-#   factory :account do
-#   end
-# end
+FactoryBot.define do
+  factory :account do
+    sequence(:email) {|n| "example#{n}@example.com"}
+    password { "dfkjghfj!!123" }
+  end
+end

spec/rails_helper.rb

@@ -58,4 +58,7 @@
   config.filter_rails_from_backtrace!
   # arbitrary gems may also be filtered via:
   # config.filter_gems_from_backtrace("gem name")
+
+  config.include Devise::Test::ControllerHelpers, type: :controller
+  config.include Warden::Test::Helpers
 end