| CARVIEW |
Select Language
HTTP/2 200
date: Thu, 31 Jul 2025 02:21:03 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
etag: W/"6e8717a9f8b0b273a06f45a82ee8b8a0"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com wss://alive-staging.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=99IyGuYdC%2BdIZ4jyCpz0prVSVRdxKTquFTpjR8In2u2sNDesuSEkZrGPDdJPLnu5kT9rkclkJ1R%2F1GvlY0L8pM6EtEyXlBV8iUtqxrLZ%2FRyK9WMQ%2BCkFbgFWR%2FVJjtnARao8WlLPbzocPzLmsOwtANEj1dHvO8Ybk75PlcPsvviMrMpu6NYzgSy6An%2BHZhnAxmCrngd15UpRlxQc4IZHbNoMMnI9vI8%2FtDFZbLQGcNwwAscdP5eTpL8J1lepLNuZB5Lk5T7FmdDxXQqf3xbecA%3D%3D--5wnIFRU3%2FT8VWNYU--zfLtcTc%2B28K3gs1d1HxQ4Q%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.482344523.1753928462; Path=/; Domain=github.com; Expires=Fri, 31 Jul 2026 02:21:02 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Fri, 31 Jul 2026 02:21:02 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: C050:33DAA7:166F2F:21D4EF:688AD30E
Paranoid Verification · devise-security/devise-security Wiki · GitHub
Skip to content
Navigation Menu
{{ message }}
-
Notifications
You must be signed in to change notification settings - Fork 154
Paranoid Verification
Nate Bird edited this page Apr 17, 2018
·
1 revision
Paranoid verification generates a verification code that the user needs to submit before using application. The user won't be able to access other parts of the application until the verification code is valid. The intention of this module was hardcore security scenario where the user needs to contact application support and they provide a verification code to unlock his account.
The verification code is not sent via email by default but can be introduced in your app.
user = User.first
user.paranoid_verification_code
# => nil
user.paranoid_verification_attempt
# => 0
user.need_paranoid_verification?
# => false
user.generate_paranoid_code
# => true
user.paranoid_verification_code
# => "9aaf4"
user.need_paranoid_verification?
# => true
user.verify_code 'wrong-code'
user.paranoid_verification_attempt
# => 1
user.need_paranoid_verification?
# => true
user.paranoid_attempts_remaining
# => 9
user.verify_code '9aaf4'
user.need_paranoid_verification?
# => false
user.paranoid_verification_code
# => nil
One example of usage could be that after a user resets their password they need to contact support for the verification code. Just add to your authentication resource code similar to this:
class User < ActiveRecord::Base
# ...
def unlock_access!
generate_paranoid_code
super
end
end
Another example is when admin wants to lock a suspicious account
class User < ActiveRecord::Base
# ...
def lock_user!
generate_paranoid_code
end
end
suspicious_user = User.last
suspicious_user.lock_user!
Due to security best practices, it's a bad idea to show to the user how many attempts are remaining before the code will regenerate.
However, if you still want to show this to the user you can do it by adding something like this to your view:
<p>After <strong><%= Devise.paranoid_code_regenerate_after_attempt %></strong> failed attempts, code will be regenerated<p>
<p><strong><%= resource.paranoid_attempts_remaining %></strong> attempts remaining</p># config/initializers/devise.rb
Devise.setup do |config|
# ...
config.paranoid_code_regenerate_after_attempt = 99
# ...
end
..or
Devise.paranoid_code_regenerate_after_attempt = 99
Clone this wiki locally
You can’t perform that action at this time.