Add an option to unlock resource in two steps
Current behavior
When using the lockable module with the lock_strategy :email or :both, the user who fails N attempts will be locked and will receive an email with an unlock link. Clicking on this link is sufficient to unlock the account.
We have verified that some spam filters click on all links in received emails and thus systematically unlock a locked user within seconds. This actually nullifies the security brought by the lockable module.
Expected behavior
In our application we have overridden the UnlocksController to add an extra step: the show action now only renders a page with a button to confirm the unlock, and we have added an update action that is performed when the button is clicked. If this behavior would be interesting for others I could submit a PR with a new option in the lockable module.
What do you think?
Hi @redseafan, I ran into this problem the other day when trying to use lockable so I'd say it's still relevant. I ended up using a similar fix to you to overcome it by adding an extra step to the UnlocksController.
I've drafted up a branch that could add this extra step as an additional config option extra_step, and would be happy to submit it as a PR if the community thinks it's worth it.
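The two-step flow described in this thread, as an added example that is not Devise's code nor either commenter's branch: a plain-Ruby stand-in for a lockable record and an unlocks controller (class names, routes in the comments and the symbols the actions return are assumptions), where the GET show action only validates the token and renders the confirmation page, and only the PUT update action actually unlocks.

```ruby
require 'securerandom'

# Added illustration, not Devise's code: a minimal stand-in for a lockable user
# record that keeps only the fields the unlock flow needs (assumption).
class LockableUser
  attr_reader :unlock_token
  def initialize
    @locked_at = @unlock_token = nil
  end
  # Called after too many failed sign-in attempts; the token is what the emailed
  # unlock link carries.
  def lock_access!
    @locked_at = Time.now
    @unlock_token = SecureRandom.hex(16)
  end
  def unlock_access!
    @locked_at = @unlock_token = nil
  end
  def access_locked?
    !@locked_at.nil?
  end
end

# Two-step unlock as described in the thread: GET show only validates the token
# and renders a confirmation page; the account changes state only on PUT update,
# which a link-following spam filter never sends.
class TwoStepUnlocks
  def initialize(user)
    @user = user
  end
  def show(token) # GET /users/unlock?unlock_token=... (route is an assumption)
    token_matches?(token) ? :render_confirmation : :render_invalid_token
  end
  def update(token) # PUT /users/unlock, sent by the confirmation button
    return :render_invalid_token unless token_matches?(token)
    @user.unlock_access!
    :redirect_to_sign_in
  end

  private

  # Constant-time comparison so a wrong token is not distinguishable by timing.
  def token_matches?(token)
    expected = @user.unlock_token
    return false if expected.nil? || token.nil? || expected.bytesize != token.bytesize
    expected.bytes.zip(token.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end
```

Because the scanner only issues the GET, the account stays locked until a person presses the button and the PUT is sent.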