Make config.paranoid = true the default in devise:install generator
Environment
- Ruby 2.7.1
- Rails 6.0.2
- Devise 4.7.1
Current behavior
When running the generators for a devise installation in rails via rails g devise:install the generated devise initializer includes a passage to activate devise's paranoid mode that is commented out.
Expected behavior
I would have expected that the generator sets up devise so that it prevents common attack vectors such as email enumeration by default in new installations. So I would suggest changing the generator to create a devise initializer that enables the paranoid mode.
Considerations
As far as I understand it from the previous issues, it is not possible to just default to paranoid = true so that people would opt out, because this would break with the expected behaviour in other applications. Therefore this issue does not suggest changing the defaults, but overriding them by default in the generated devise initializer.
Why?
I stumbled into this issue when reading about common penetration tests for websites and was a bit surprised that the de facto standard rails authentication library has such a default state that allows outsiders to enumerate emails and therefore leak the information about a user's membership on a specific website. I always believed, and I think most other users share this belief, that devise is a batteries-included library that sets sensible defaults.
I think it is dangerous to not enable paranoid mode by default and therefore leave developers in a state where they lull themselves into a false sense of security.
Next steps
This is dear to me and I would like to help, so if this issue gets traction and can be worked on I am willing to implement it.
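The enumeration risk behind this request, shown as an added example rather than code from the issue or from Devise itself: a simplified model of a "send password reset instructions" action with the paranoid setting off and on. The user list, the response wording and the helper names (KNOWN_USERS, recovery_response, enumerable?) are constructed for the illustration and are not Devise's own; the only Devise identifier it refers to is the config.paranoid = true line the issue is about.

```ruby
# Added example: a simplified model of how Devise's paranoid mode changes the
# password-recovery flow. This is NOT Devise's own code; it is a self-contained
# illustration of the email-enumeration risk described in the issue.
# Assumed/constructed names: KNOWN_USERS, recovery_response, enumerable?.

# Constructed sample account list standing in for the users table.
KNOWN_USERS = ["alice@example.com", "bob@example.com"].freeze

# Mimics the branches a "send reset instructions" action can take.
# With paranoid = false, the response depends on whether the email exists,
# which lets an outsider learn who has an account (membership leak).
# With paranoid = true, both cases return the same status and message.
def recovery_response(email, paranoid:)
  exists = KNOWN_USERS.include?(email.to_s.strip.downcase)
  if paranoid
    # Identical answer whether or not the account exists.
    { status: 200,
      message: "If your email address exists in our database, you will receive a password recovery link." }
  elsif exists
    { status: 200,
      message: "You will receive an email with instructions on how to reset your password." }
  else
    # Distinguishable failure: this is the enumeration oracle.
    { status: 422, message: "Email not found" }
  end
end

# Defender-side check: the flow leaks membership when the response for a
# known account differs in any way from the response for an unknown one.
def enumerable?(paranoid:)
  known   = recovery_response("alice@example.com",  paranoid: paranoid)
  unknown = recovery_response("nobody@example.com", paranoid: paranoid)
  known != unknown
end

# The initializer lines this issue is about (config/initializers/devise.rb):
#   weak, as the generator currently emits it (commented out, so paranoid is off):
#     # config.paranoid = true
#   corrected, as the issue proposes the generator emit:
#     config.paranoid = true

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |mode|
    puts "paranoid=#{mode}: enumerable? #{enumerable?(paranoid: mode)}"
  end
end
```

Running the block prints that the flow is enumerable with paranoid off and not with it on; the same comparison (known versus unknown address, same endpoint) is a cheap check to keep in an application's request specs so a later change to the recovery or confirmation flows cannot silently reintroduce the difference.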
Same thoughts here!