Devise: lockable - last_attempt_warning not displaying

Question

I'm trying to implement the :lockable module to my devise following this wiki but ran into some issues. In development, when login attempted more than maximum_attempts times, the failed_attempts attribute gets updated correctly and the user account gets locked but:

1) despite config.last_attempt_warning = true no warning message is displayed

2) I get an unlock_instructions email, but when I copy paste the link into the browser, I get an invalid authorisation token error.

config/initializers/devise.rb

# ==> Configuration for :lockable
config.lock_strategy = :failed_attempts
config.unlock_keys = [:email]
config.unlock_strategy = :email
config.maximum_attempts = 3
config.last_attempt_warning = true

models/user.rb

class User < ApplicationRecord
  devise :database_authenticatable, :confirmable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable, :lockable
end

views/devise/sessions/new

= flash[:alert] if flash[:alert]
= flash[:notice] if flash[:notice]

= simple_form_for(resource, as: resource_name, url: session_path(resource_name)) do |f|
  .form-inputs
    = f.input :email, required: false, autofocus: true
    = f.input :password, required: false, autocomplete: "off"
    = f.input :remember_me, as: :boolean if devise_mapping.rememberable?
  .form-actions
    = f.button :submit, "Log in"

db/migrate/YYYYMMDDxxx_add_lockable_to_devise.rb

class AddLockableToUsers < ActiveRecord::Migration[5.2]
  def change
    add_column :users, :failed_attempts, :integer, default: 0, null: false
    add_column :users, :unlock_token, :string
    add_column :users, :locked_at, :datetime
    add_index :users, :unlock_token, unique: true
  end
end

I don't have any migrations pending, also tried resetting the db and restarting the server but with no luck. Any ideas on what I'm doing wrong? Thanks in advance.

Answer 1

After lots of digging, I managed to solve both issues:

Warning message not displaying

The first issue was caused by the config:

config/initializers/devise.rb

config.paranoid = true

If you have a look at the devise module:

If set to paranoid mode, do not show the locked message because it leaks the existence of an account.

Depending on your security requirements, you can either change this value to false or keep the emails secret and not provide feedback. If you're interested in customising your message on failed log in attempts I strongly recommend reading this.

---

Invalid authorisation token

The second issue was caused by me copying the link directly from the source code of the email - since = is encoded as 3D=, the link was obviously breaking. Further explanation here.

Hope this helps someone if they run into similar issues.