{"id":13792450,"url":"https://github.com/devise-security/devise-security","last_synced_at":"2025-05-12T14:31:54.697Z","repository":{"id":37470645,"uuid":"100394918","full_name":"devise-security/devise-security","owner":"devise-security","description":"A security extension for devise, meeting industry-standard security demands for web applications.","archived":false,"fork":false,"pushed_at":"2025-05-05T07:39:38.000Z","size":804,"stargazers_count":614,"open_issues_count":30,"forks_count":152,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-05-05T08:25:38.823Z","etag":null,"topics":["activerecord","devise","devise-modules","hacktoberfest","mongoid","password-expiration","passwords","rails","ruby","security","session-management"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/devise-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-08-15T16:03:33.000Z","updated_at":"2025-05-05T07:13:49.000Z","dependencies_parsed_at":"2023-01-20T21:18:44.152Z","dependency_job_id":"54b06e89-280c-437f-9c98-0ac851437da0","html_url":"https://github.com/devise-security/devise-security","commit_stats":{"total_commits":576,"total_committers":115,"mean_commits":5.008695652173913,"dds":0.8055555555555556,"last_synced_commit":"8df7d64483df8cf8de4997ec1f5ffcad0c542458"},"previous_names":[],"tags_count":36,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devise-security%2Fdevise-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devise-security%2Fdevise-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devise-security%2Fdevise-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devise-security%2Fdevise-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/devise-security","download_url":"https://codeload.github.com/devise-security/devise-security/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253754967,"owners_count":21958934,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["activerecord","devise","devise-modules","hacktoberfest","mongoid","password-expiration","passwords","rails","ruby","security","session-management"],"created_at":"2024-08-03T22:01:12.389Z","updated_at":"2025-05-12T14:31:54.685Z","avatar_url":"https://github.com/devise-security.png","language":"Ruby","readme":"# Devise Security\n\n[![Build Status](https://github.com/devise-security/devise-security/actions/workflows/test_suite.yml/badge.svg?branch=main)](https://github.com/devise-security/devise-security/actions/workflows/test_suite.yml)\n[![Coverage Status](https://coveralls.io/repos/github/devise-security/devise-security/badge.svg?branch=master)](https://coveralls.io/github/devise-security/devise-security?branch=main)\n[![Maintainability](https://api.codeclimate.com/v1/badges/ace7cd003a0db8bffa5a/maintainability)](https://codeclimate.com/github/devise-security/devise-security/maintainability)\n\nA [Devise](https://github.com/heartcombo/devise) extension to add additional\nsecurity features required by modern web applications. Forked from\n[Devise Security Extension](https://github.com/phatworx/devise_security_extension)\n\nIt is composed of 7 additional Devise modules:\n\n- `:password_expirable` - passwords will expire after a configured time (and\n  will need to be changed by the user). You will most likely want to use\n  `:password_expirable` together with the `:password_archivable` module to\n  [prevent the current expired password from being reused](https://github.com/phatworx/devise_security_extension/issues/175)\n  immediately as the new password.\n- `:secure_validatable` - better way to validate a model (email, stronger\n  password validation). Don't use with Devise `:validatable` module!\n- `:password_archivable` - save used passwords in an `old_passwords` table for\n  history checks (prevent reusing passwords)\n- `:session_limitable` - ensures, that there is only one session usable per\n  account at once\n- `:expirable` - expires a user account after x days of inactivity (default 90\n  days)\n- `:security_questionable` - as accessible substitution for captchas (security\n  question with captcha fallback)\n- `:paranoid_verification` - admin can generate verification code that user\n  needs to fill in otherwise he won't be able to use the application.\n\nConfiguration and database schema for each module below.\n\n## Additional features\n\n**captcha support** for `sign_up`, `sign_in`, `recover` and `unlock` (to make\nautomated mass creation and brute forcing of accounts harder)\n\n## Getting started\n\nDevise Security works with Devise on Rails \u003e= 7.0. You can add it to your\nGemfile after you successfully set up Devise (see\n[Devise documentation](https://github.com/heartcombo/devise)) with:\n\n```ruby\ngem 'devise-security'\n```\n\nRun the bundle command to install it.\n\nAfter you installed Devise Security you need to run the generator:\n\n```console\nrails generate devise_security:install\n```\n\nThe generator adds optional configurations to\n`config/initializers/devise_security.rb`. Enable the modules you wish to use in\nthe initializer you are ready to add Devise Security modules on top of Devise\nmodules to any of your Devise models:\n\n```ruby\ndevise :password_expirable, :secure_validatable, :password_archivable, :session_limitable, :expirable\n```\n\n### E-mail Validation\n\nFor `:secure_validatable` you need to have a way to validate an e-mail. There\nare multiple libraries that support this, and even a way built into Ruby!\n\n- (Recommended) Ruby built-in `URI::MailTo::EMAIL_REGEXP` constant\n  \u003e Note: This method would require a `email_validation` method to be defined in\n  \u003e order to hook into the `validates` method defined here.\n- [email_address](https://github.com/afair/email_address) gem\n- [valid_email2](https://github.com/micke/valid_email2) gem\n- [rails_email_validator](https://github.com/phatworx/rails_email_validator) gem\n  (deprecated)\n\n## Configuration\n\n```ruby\nDevise.setup do |config|\n  # ==\u003e Security Extension\n  # Configure security extension for devise\n\n  # Password expires after a configurable time (in seconds).\n  # Or expire passwords on demand by setting this configuration to `true`\n  # Use `user.need_change_password!` to expire a password.\n  # Setting the configuration to `false` will completely disable expiration checks.\n  # config.expire_password_after = 3.months | true | false\n\n  # Need 1 char each of: A-Z, a-z, 0-9, and a punctuation mark or symbol\n  # You may use \"digits\" in place of \"digit\" and \"symbols\" in place of\n  # \"symbol\" based on your preference\n  # config.password_complexity = { digit: 1, lower: 1, symbol: 1, upper: 1 }\n\n  # Number of old passwords in archive\n  # config.password_archiving_count = 5\n\n  # Deny old password (true, false, count)\n  # config.deny_old_passwords = true\n\n  # captcha integration for recover form\n  # config.captcha_for_recover = true\n\n  # captcha integration for sign up form\n  # config.captcha_for_sign_up = true\n\n  # captcha integration for sign in form\n  # config.captcha_for_sign_in = true\n\n  # captcha integration for unlock form\n  # config.captcha_for_unlock = true\n\n  # security_question integration for recover form\n  # this automatically enables captchas (captcha_for_recover, as fallback)\n  # config.security_question_for_recover = false\n\n  # security_question integration for unlock form\n  # this automatically enables captchas (captcha_for_unlock, as fallback)\n  # config.security_question_for_unlock = false\n\n  # security_question integration for confirmation form\n  # this automatically enables captchas (captcha_for_confirmation, as fallback)\n  # config.security_question_for_confirmation = false\n\n  # ==\u003e Configuration for :expirable\n  # Time period for account expiry from last_activity_at\n  # config.expire_after = 90.days\n\n  # Allow passwords to be equal to email (false, true)\n  # config.allow_passwords_equal_to_email = false\n\n  # paranoid_verification will regenerate verification code after failed attempt\n  # config.paranoid_code_regenerate_after_attempt = 10\nend\n```\n\n## Other ORMs\n\nDevise-security supports [Mongoid](https://rubygems.org/gems/mongoid) as an\nalternative ORM to active_record. To use this ORM, add this to your `Gemfile`.\n\n```ruby\ngem 'mongoid'\n```\n\nAnd then ensure that the environment variable `DEVISE_ORM=mongoid` is set.\n\nFor local development you will need to have MongoDB installed locally.\n\n```bash\nbrew install mongodb\n```\n\n### Rails App setup example with Mongoid\n\n```ruby\n# inside config/application.rb\n    require File.expand_path('../boot', __FILE__)\n    #...\n    DEVISE_ORM=:mongoid\n\n# Require the gems listed in Gemfile, including any gems\n# you've limited to :test, :development, or :production.\n    Bundler.require(*Rails.groups)\n\n    module MyApp\n  class Application \u003c Rails::Application\n    #...\n  end\nend\n```\n\n## Captcha-Support\n\nThe captcha support depends on\n[EasyCaptcha](https://github.com/phatworx/easy_captcha). See further\ndocumentation there.\n\n### Installation\n\n1. Add EasyCaptcha to your `Gemfile` with\n\n   ```ruby\n   gem 'easy_captcha'\n   ```\n\n2. Run the initializer\n\n   ```ruby\n   rails generate easy_captcha:install\n   ```\n\n3. Enable captcha - see \"Configuration\" of Devise Security above.\n4. Add the captcha in the generated devise views for each controller you have\n   activated.\n\n   ```erb\n   \u003cp\u003e\u003c%= captcha_tag %\u003e\u003c/p\u003e\n   \u003cp\u003e\u003c%= text_field_tag :captcha %\u003e\u003c/p\u003e\n   ```\n\n## Schema\n\n### Password expirable\n\n```ruby\ncreate_table :the_resources do |t|\n  # other devise fields\n\n  t.datetime :password_changed_at\nend\nadd_index :the_resources, :password_changed_at\n```\n\nNote: setting `password_changed_at` to `nil` will require the user to change\ntheir password.\n\n### Password archivable\n\n```ruby\ncreate_table :old_passwords do |t|\n  t.string :encrypted_password, null: false\n  t.string :password_archivable_type, null: false\n  t.integer :password_archivable_id, null: false\n  t.string :password_salt # Optional. bcrypt stores the salt in the encrypted password field so this column may not be necessary.\n  t.datetime :created_at\nend\nadd_index :old_passwords, [:password_archivable_type, :password_archivable_id], name: 'index_password_archivable'\n```\n\n### Session limitable\n\n```ruby\ncreate_table :the_resources do |t|\n  # other devise fields\n\n  t.string :unique_session_id\nend\n```\n\n#### Bypassing session limitable\n\nSometimes it's useful to impersonate a user without authentication (e.g.\n[administrator impersonating a user](https://github.com/heartcombo/devise/wiki/How-To:-Sign-in-as-another-user-if-you-are-an-admin)),\nin this case the `session_limitable` strategy will log out the user, and if the\nuser logs in while the administrator is still logged in, the administrator will\nbe logged out.\n\nFor such cases the following can be used:\n\n```ruby\nsign_in(User.find(params[:id]), scope: :user, skip_session_limitable: true)\n```\n\n### Expirable\n\n```ruby\ncreate_table :the_resources do |t|\n  # other devise fields\n\n  t.datetime :last_activity_at\n  t.datetime :expired_at\nend\nadd_index :the_resources, :last_activity_at\nadd_index :the_resources, :expired_at\n```\n\n### Paranoid verifiable\n\n```ruby\ncreate_table :the_resources do |t|\n  # other devise fields\n\n  t.string   :paranoid_verification_code\n  t.integer  :paranoid_verification_attempt, default: 0\n  t.datetime :paranoid_verified_at\nend\nadd_index :the_resources, :paranoid_verification_code\nadd_index :the_resources, :paranoid_verified_at\n```\n\n[Documentation for Paranoid Verifiable module](https://github.com/devise-security/devise-security/wiki/Paranoid-Verification)\n\n### Security questionable\n\n```ruby\n# app/models/security_question.rb\nclass SecurityQuestion \u003c ActiveRecord::Base\n  validates :locale, presence: true\n  validates :name, presence: true, uniqueness: true\nend\n```\n\n```ruby\ncreate_table :security_questions do |t|\n  t.string :locale, null: false\n  t.string :name, null: false\nend\n\nSecurityQuestion.create! locale: :de, name: 'Wie lautet der Geburstname Ihrer Mutter?'\nSecurityQuestion.create! locale: :de, name: 'Wo sind sie geboren?'\nSecurityQuestion.create! locale: :de, name: 'Wie lautet der Name Ihres ersten Haustieres?'\nSecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblingsfilm?'\nSecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblingsbuch?'\nSecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblingstier?'\nSecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblings-Reiseland?'\n```\n\n```ruby\nadd_column :the_resources, :security_question_id, :integer\nadd_column :the_resources, :security_question_answer, :string\n```\n\nor\n\n```ruby\ncreate_table :the_resources do |t|\n  # other devise fields\n\n  t.integer :security_question_id\n  t.string :security_question_answer\nend\n```\n\n## Requirements\n\n- Devise (\u003chttps://github.com/heartcombo/devise\u003e)\n- Rails 7.0 onwards (\u003chttp://github.com/rails/rails\u003e)\n- recommendations:\n  - `autocomplete-off` (\u003chttp://github.com/phatworx/autocomplete-off\u003e)\n  - `easy_captcha` (\u003chttp://github.com/phatworx/easy_captcha\u003e)\n  - `mongodb` (\u003chttps://www.mongodb.com/\u003e)\n  - `rvm` (\u003chttps://rvm.io/\u003e)\n\n## Todo\n\n- see the github issues (feature requests)\n\n## History\n\n- 0.1 expire passwords\n- 0.2 strong password validation\n- 0.3 password archivable with validation\n- 0.4 captcha support for sign_up, sign_in, recover and unlock\n- 0.5 session_limitable module\n- 0.6 expirable module\n- 0.7 security questionable module for recover and unlock\n- 0.8 Support for Rails 4 (+ variety of patches)\n- 0.11 Support for Rails 5. Forked to allow project maintenance and features\n\nSee also\n[Github Releases](https://github.com/devise-security/devise-security/releases)\n\n## Maintainers\n\n- Nate Bird (\u003chttps://github.com/natebird\u003e)\n- Kevin Olbrich (\u003chttp://github.com/olbrich\u003e)\n- Dillon Welch (\u003chttp://github.com/oniofchaos\u003e)\n\n## Contributing to devise-security\n\n- Check out the latest main to make sure the feature hasn't been implemented\n  or the bug hasn't been fixed yet\n- Check out the issue tracker to make sure someone already hasn't requested it\n  and/or contributed it\n- Fork the project\n- Start a feature/bugfix branch\n- Commit and push until you are happy with your contribution\n- Make sure to add tests for it. This is important so I don't break it in a\n  future version unintentionally.\n- Please try not to mess with the Rakefile, version, or history. If you want to\n  have your own version, or is otherwise necessary, that is fine, but please\n  isolate to its own commit so I can cherry-pick around it.\n\n## Running tests\n\nStandard tests can be invoked using `rake`. To run the tests against the\n`mongoid` ORM, use `DEVISE_ORM=mongoid rake` while `mongodb` is running.\n\n## Appraisal\n\nIt is possible to locally run the tests against multiple versions of Rails by using `appraisal`.\n\n```sh\nexport DEVISE_ORM=active_record # or mongoid. Default is active_record\nbundle exec appraisal # installs dependencies for each Rails version\nbundle exec appraisal update # if updating dependencies is necessary\nbundle exec appraisal generate # to regenerate the appraisal gemfiles (if necessary)\nbundle exec appraisal rake # run the tests for each Rails version\n```\n\n## Maintenance Policy\n\nWe are committed to maintaining support for `devise-security` for all normal or\nsecurity maintenance versions of the Ruby language\n[as listed here](https://www.ruby-lang.org/en/downloads/branches/), and for the\nRuby on Rails framework\n[as per their maintenance policy](https://rubyonrails.org/maintenance/).\n\nTo avoid introducing bugs caused by backwardly incompatible Ruby language features, it is highly recommended that all\ndevelopment work be done using the oldest supported Ruby version. In order for the devcontainer to build properly the\nruby version in `.ruby-version` should be the oldest version that supports installing dependencies for all of the\nsupported Rails versions.\n\n## Copyright\n\nCopyright (c) 2017-2025 Dillon Welch \u0026 Kevin Olbrich.\n\nCopyright (c) 2011-2017 Marco Scholl as the project [`devise_security_extension`](https://github.com/phatworx/devise_security_extension).\n\nThis repo was created as a fork from [b2ee978a](https://github.com/phatworx/devise_security_extension/commit/b2ee978af7d49f0fb0e7271c6ac074dfb4d39353).\n\nSee LICENSE.txt for further details.\n","funding_links":[],"categories":["Ruby","Gems"],"sub_categories":["Authentication and OAuth"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevise-security%2Fdevise-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdevise-security%2Fdevise-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevise-security%2Fdevise-security/lists"}