Cédric Fabianski committed with GitHub 1 year ago1 parent 802ebd9f
skipped 2 lines 3 3 "type": "custom_risk", 4 4 "detector_type": "ruby_password_length", 5 5 "source": { 6 + "filename": "devise.rb", 7 + "language": "Ruby", 8 + "language_type": "programming", 9 + "line_number": 11, 10 + "column_number": 1, 11 + "text": "Devise.setup do |config|\n config.password_length = $MIN_LENGTH..$MAX_LENGTH\nend\n" 12 + }, 13 + "value": { 14 + "line_number": 11, 15 + "content": "Devise.setup do |config|\n # The secret key used by Devise. Devise uses this key to generate\n # random tokens. Changing this key will render invalid all existing\n # confirmation, reset password and unlock tokens in the database.\n # Devise will use the `secret_key_base` as its `secret_key`\n # by default. You can change it below and use your own secret key.\n # config.secret_key = '\u003c%= SecureRandom.hex(64) %\u003e'\n\n # ==\u003e Controller configuration\n # Configure the parent class to the devise controllers.\n # config.parent_controller = 'DeviseController'\n\n # ==\u003e Mailer Configuration\n # Configure the e-mail address which will be shown in Devise::Mailer,\n # note that it will be overwritten if you use your own mailer class\n # with default \"from\" parameter.\n config.mailer_sender = '[email protected]'\n\n # Configure the class responsible to send e-mails.\n # config.mailer = 'Devise::Mailer'\n\n # Configure the parent class responsible to send e-mails.\n # config.parent_mailer = 'ActionMailer::Base'\n\n # ==\u003e ORM configuration\n # Load and configure the ORM. Supports :active_record (default) and\n # :mongoid (bson_ext recommended) by default. Other ORMs may be\n # available as additional gems.\n require 'devise/orm/\u003c%= options[:orm] %\u003e'\n\n # ==\u003e Configuration for any authentication mechanism\n # Configure which keys are used when authenticating a user. The default is\n # just :email. You can configure it to use [:username, :subdomain], so for\n # authenticating a user, both parameters are required. 
Remember that those\n # parameters are used only when authenticating and not when retrieving from\n # session. If you need permissions, you should implement that in a before filter.\n # You can also supply a hash where the value is a boolean determining whether\n # or not authentication should be aborted when the value is not present.\n # config.authentication_keys = [:email]\n\n # Configure parameters from the request object used for authentication. Each entry\n # given should be a request method and it will automatically be passed to the\n # find_for_authentication method and considered in your model lookup. For instance,\n # if you set :request_keys to [:subdomain], :subdomain will be used on authentication.\n # The same considerations mentioned for authentication_keys also apply to request_keys.\n # config.request_keys = []\n\n # Configure which authentication keys should be case-insensitive.\n # These keys will be downcased upon creating or modifying a user and when used\n # to authenticate or find a user. Default is :email.\n config.case_insensitive_keys = [:email]\n\n # Configure which authentication keys should have whitespace stripped.\n # These keys will have whitespace before and after removed upon creating or\n # modifying a user and when used to authenticate or find a user. Default is :email.\n config.strip_whitespace_keys = [:email]\n\n # Tell if authentication through request.params is enabled. True by default.\n # It can be set to an array that will enable params authentication only for the\n # given strategies, for example, `config.params_authenticatable = [:database]` will\n # enable it only for database (email + password) authentication.\n # config.params_authenticatable = true\n\n # Tell if authentication through HTTP Auth is enabled. 
False by default.\n # It can be set to an array that will enable http authentication only for the\n # given strategies, for example, `config.http_authenticatable = [:database]` will\n # enable it only for database authentication.\n # For API-only applications to support authentication \"out-of-the-box\", you will likely want to\n # enable this with :database unless you are using a custom strategy.\n # The supported strategies are:\n # :database = Support basic authentication with authentication key + password\n # config.http_authenticatable = false\n\n # If 401 status code should be returned for AJAX requests. True by default.\n # config.http_authenticatable_on_xhr = true\n\n # The realm used in Http Basic Authentication. 'Application' by default.\n # config.http_authentication_realm = 'Application'\n\n # It will change confirmation, password recovery and other workflows\n # to behave the same regardless if the e-mail provided was right or wrong.\n # Does not affect registerable.\n # config.paranoid = true\n\n # By default Devise will store the user in session. You can skip storage for\n # particular strategies by setting this option.\n # Notice that if you are skipping storage for all authentication paths, you\n # may want to disable generating routes to Devise's sessions controller by\n # passing skip: :sessions to `devise_for` in your config/routes.rb\n config.skip_session_storage = [:http_auth]\n\n # By default, Devise cleans up the CSRF token on authentication to\n # avoid CSRF token fixation attacks. This means that, when using AJAX\n # requests for sign in and sign up, you need to get a new CSRF token\n # from the server. 
You can disable this option at your own risk.\n # config.clean_up_csrf_token_on_authentication = true\n\n # When false, Devise will not attempt to reload routes on eager load.\n # This can reduce the time taken to boot the app but if your application\n # requires the Devise mappings to be loaded during boot time the application\n # won't boot properly.\n # config.reload_routes = true\n\n # ==\u003e Configuration for :database_authenticatable\n # For bcrypt, this is the cost for hashing the password and defaults to 12. If\n # using other algorithms, it sets how many times you want the password to be hashed.\n # The number of stretches used for generating the hashed password are stored\n # with the hashed password. This allows you to change the stretches without\n # invalidating existing passwords.\n #\n # Limiting the stretches to just one in testing will increase the performance of\n # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use\n # a value less than 10 in other environments. Note that, for bcrypt (the default\n # algorithm), the cost increases exponentially with the number of stretches (e.g.\n # a value of 20 is already extremely slow: approx. 60 seconds for 1 calculation).\n config.stretches = Rails.env.test? ? 1 : 12\n\n # Set up a pepper to generate the hashed password.\n # config.pepper = '\u003c%= SecureRandom.hex(64) %\u003e'\n\n # Send a notification to the original email when the user's email is changed.\n # config.send_email_changed_notification = false\n\n # Send a notification email when the user's password is changed.\n # config.send_password_change_notification = false\n\n # ==\u003e Configuration for :confirmable\n # A period that the user is allowed to access the website even without\n # confirming their account. 
For instance, if set to 2.days, the user will be\n # able to access the website for two days without confirming their account,\n # access will be blocked just in the third day.\n # You can also set it to nil, which will allow the user to access the website\n # without confirming their account.\n # Default is 0.days, meaning the user cannot access the website without\n # confirming their account.\n # config.allow_unconfirmed_access_for = 2.days\n\n # A period that the user is allowed to confirm their account before their\n # token becomes invalid. For example, if set to 3.days, the user can confirm\n # their account within 3 days after the mail was sent, but on the fourth day\n # their account can't be confirmed with the token any more.\n # Default is nil, meaning there is no restriction on how long a user can take\n # before confirming their account.\n # config.confirm_within = 3.days\n\n # If true, requires any email changes to be confirmed (exactly the same way as\n # initial account confirmation) to be applied. Requires additional unconfirmed_email\n # db field (see migrations). Until confirmed, new email is stored in\n # unconfirmed_email column, and copied to email column on successful confirmation.\n config.reconfirmable = true\n\n # Defines which key will be used when confirming an account\n # config.confirmation_keys = [:email]\n\n # ==\u003e Configuration for :rememberable\n # The time the user will be remembered without asking for credentials again.\n # config.remember_for = 2.weeks\n\n # Invalidates all the remember me tokens when the user signs out.\n config.expire_all_remember_me_on_sign_out = true\n\n # If true, extends the user's remember period when remembered via cookie.\n # config.extend_remember_period = false\n\n # Options to be passed to the created cookie. 
For instance, you can set\n # secure: true in order to force SSL only cookies.\n # config.rememberable_options = {}\n\n # ==\u003e Configuration for :validatable\n # Range for password length.\n config.password_length = 6..128\n\n # Email regex used to validate email formats. It simply asserts that\n # one (and only one) @ exists in the given string. This is mainly\n # to give user feedback and not to assert the e-mail validity.\n config.email_regexp = /\\A[^@\\s]+@[^@\\s]+\\z/\n\n # ==\u003e Configuration for :timeoutable\n # The time you want to timeout the user session without activity. After this\n # time the user will be asked for credentials again. Default is 30 minutes.\n # config.timeout_in = 30.minutes\n\n # ==\u003e Configuration for :lockable\n # Defines which strategy will be used to lock an account.\n # :failed_attempts = Locks an account after a number of failed attempts to sign in.\n # :none = No lock strategy. You should handle locking by yourself.\n # config.lock_strategy = :failed_attempts\n\n # Defines which key will be used when locking and unlocking an account\n # config.unlock_keys = [:email]\n\n # Defines which strategy will be used to unlock an account.\n # :email = Sends an unlock link to the user email\n # :time = Re-enables login after a certain amount of time (see :unlock_in below)\n # :both = Enables both strategies\n # :none = No unlock strategy. 
You should handle unlocking by yourself.\n # config.unlock_strategy = :both\n\n # Number of authentication tries before locking an account if lock_strategy\n # is failed attempts.\n # config.maximum_attempts = 20\n\n # Time interval to unlock the account if :time is enabled as unlock_strategy.\n # config.unlock_in = 1.hour\n\n # Warn on the last attempt before the account is locked.\n # config.last_attempt_warning = true\n\n # ==\u003e Configuration for :recoverable\n #\n # Defines which key will be used when recovering the password for an account\n # config.reset_password_keys = [:email]\n\n # Time interval you can reset your password with a reset password key.\n # Don't put a too small interval or your users won't have the time to\n # change their passwords.\n config.reset_password_within = 6.hours\n\n # When set to false, does not sign a user in automatically after their password is\n # reset. Defaults to true, so a user is signed in automatically after a reset.\n # config.sign_in_after_reset_password = true\n\n # ==\u003e Configuration for :encryptable\n # Allow you to use another hashing or encryption algorithm besides bcrypt (default).\n # You can use :sha1, :sha512 or algorithms from others authentication tools as\n # :clearance_sha1, :authlogic_sha512 (then you should set stretches above to 20\n # for default behavior) and :restful_authentication_sha1 (then you should set\n # stretches to 10, and copy REST_AUTH_SITE_KEY to pepper).\n #\n # Require the `devise-encryptable` gem when using anything other than bcrypt\n # config.encryptor = :sha512\n\n # ==\u003e Scopes configuration\n # Turn scoped views on. Before rendering \"sessions/new\", it will first check for\n # \"users/sessions/new\". It's turned off by default because it's slower if you\n # are using only default views.\n # config.scoped_views = false\n\n # Configure the default scope given to Warden. 
By default it's the first\n # devise role declared in your routes (usually :user).\n # config.default_scope = :user\n\n # Set this configuration to false if you want /users/sign_out to sign out\n # only the current scope. By default, Devise signs out all scopes.\n # config.sign_out_all_scopes = true\n\n # ==\u003e Navigation configuration\n # Lists the formats that should be treated as navigational. Formats like\n # :html, should redirect to the sign in page when the user does not have\n # access, but formats like :xml or :json, should return 401.\n #\n # If you have any extra navigational formats, like :iphone or :mobile, you\n # should add them to the navigational formats lists.\n #\n # The \"*/*\" below is required to match Internet Explorer requests.\n # config.navigational_formats = ['*/*', :html]\n\n # The default HTTP method used to sign out a resource. Default is :delete.\n config.sign_out_via = :delete\n\n # ==\u003e OmniAuth\n # Add a new OmniAuth provider. Check the wiki for more information on setting\n # up on your models and hooks.\n # config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'\n\n # ==\u003e Warden configuration\n # If you want to use other strategies, that are not supported by Devise, or\n # change the failure app, you can configure them inside the config.warden block.\n #\n # config.warden do |manager|\n # manager.intercept_401 = false\n # manager.default_strategies(scope: :user).unshift :some_external_strategy\n # end\n\n # ==\u003e Mountable engine configurations\n # When using Devise inside an engine, let's call it `MyEngine`, and this engine\n # is mountable, there are some extra configurations to be taken into account.\n # The following options are available, assuming the engine is mounted as:\n #\n # mount MyEngine, at: '/my_engine'\n #\n # The router that invoked `devise_for`, in the example above, would be:\n # config.router_name = :my_engine\n #\n # When using OmniAuth, Devise cannot automatically set 
OmniAuth path,\n # so you need to do it manually. For the users scope, it would be:\n # config.omniauth_path_prefix = '/my_engine/users/auth'\n\n # ==\u003e Turbolinks configuration\n # If your app is using Turbolinks, Turbolinks::Controller needs to be included to make redirection work correctly:\n #\n # ActiveSupport.on_load(:devise_failure_app) do\n # include Turbolinks::Controller\n # end\n\n # ==\u003e Configuration for :registerable\n\n # When set to false, does not sign a user in automatically after their password is\n # changed. Defaults to true, so a user is signed in automatically after changing a password.\n # config.sign_in_after_change_password = true\nend" 16 + } 17 + }, 18 + { 19 + "type": "custom_risk", 20 + "detector_type": "ruby_password_length", 21 + "source": { 6 22 "filename": "users.rb", 7 23 "language": "Ruby", 8 24 "language_type": "programming", 9 25 "line_number": 1, 10 26 "column_number": 1, 11 - "text": "Device.setup do |config|\n config.password_length = $LENGTH\nend\n" 27 + "text": "Devise.setup do |config|\n config.password_length = $LENGTH\nend\n" 12 28 }, 13 29 "value": { 14 30 "line_number": 1, 15 - "content": "Device.setup do |config|\n\tconfig.password_length = 6\nend" 31 + "content": "Devise.setup do |config|\n\tconfig.password_length = 6\nend" 16 32 } 17 33 } 18 34 ] skipped 1 lines -
1 + # frozen_string_literal: true 2 + 3 + # Assuming you have not yet modified this file, each configuration option below 4 + # is set to its default value. Note that some are commented out while others 5 + # are not: uncommented lines are intended to protect your configuration from 6 + # breaking changes in upgrades (i.e., in the event that future versions of 7 + # Devise change the default values for those options). 8 + # 9 + # Use this hook to configure devise mailer, warden hooks and so forth. 10 + # Many of these configuration options can be set straight in your model. 11 + Devise.setup do |config| 12 + # The secret key used by Devise. Devise uses this key to generate 13 + # random tokens. Changing this key will render invalid all existing 14 + # confirmation, reset password and unlock tokens in the database. 15 + # Devise will use the `secret_key_base` as its `secret_key` 16 + # by default. You can change it below and use your own secret key. 17 + # config.secret_key = '<%= SecureRandom.hex(64) %>' 18 + 19 + # ==> Controller configuration 20 + # Configure the parent class to the devise controllers. 21 + # config.parent_controller = 'DeviseController' 22 + 23 + # ==> Mailer Configuration 24 + # Configure the e-mail address which will be shown in Devise::Mailer, 25 + # note that it will be overwritten if you use your own mailer class 26 + # with default "from" parameter. 27 + config.mailer_sender = '[email protected]' 28 + 29 + # Configure the class responsible to send e-mails. 30 + # config.mailer = 'Devise::Mailer' 31 + 32 + # Configure the parent class responsible to send e-mails. 33 + # config.parent_mailer = 'ActionMailer::Base' 34 + 35 + # ==> ORM configuration 36 + # Load and configure the ORM. Supports :active_record (default) and 37 + # :mongoid (bson_ext recommended) by default. Other ORMs may be 38 + # available as additional gems. 
39 + require 'devise/orm/<%= options[:orm] %>' 40 + 41 + # ==> Configuration for any authentication mechanism 42 + # Configure which keys are used when authenticating a user. The default is 43 + # just :email. You can configure it to use [:username, :subdomain], so for 44 + # authenticating a user, both parameters are required. Remember that those 45 + # parameters are used only when authenticating and not when retrieving from 46 + # session. If you need permissions, you should implement that in a before filter. 47 + # You can also supply a hash where the value is a boolean determining whether 48 + # or not authentication should be aborted when the value is not present. 49 + # config.authentication_keys = [:email] 50 + 51 + # Configure parameters from the request object used for authentication. Each entry 52 + # given should be a request method and it will automatically be passed to the 53 + # find_for_authentication method and considered in your model lookup. For instance, 54 + # if you set :request_keys to [:subdomain], :subdomain will be used on authentication. 55 + # The same considerations mentioned for authentication_keys also apply to request_keys. 56 + # config.request_keys = [] 57 + 58 + # Configure which authentication keys should be case-insensitive. 59 + # These keys will be downcased upon creating or modifying a user and when used 60 + # to authenticate or find a user. Default is :email. 61 + config.case_insensitive_keys = [:email] 62 + 63 + # Configure which authentication keys should have whitespace stripped. 64 + # These keys will have whitespace before and after removed upon creating or 65 + # modifying a user and when used to authenticate or find a user. Default is :email. 66 + config.strip_whitespace_keys = [:email] 67 + 68 + # Tell if authentication through request.params is enabled. True by default. 
69 + # It can be set to an array that will enable params authentication only for the 70 + # given strategies, for example, `config.params_authenticatable = [:database]` will 71 + # enable it only for database (email + password) authentication. 72 + # config.params_authenticatable = true 73 + 74 + # Tell if authentication through HTTP Auth is enabled. False by default. 75 + # It can be set to an array that will enable http authentication only for the 76 + # given strategies, for example, `config.http_authenticatable = [:database]` will 77 + # enable it only for database authentication. 78 + # For API-only applications to support authentication "out-of-the-box", you will likely want to 79 + # enable this with :database unless you are using a custom strategy. 80 + # The supported strategies are: 81 + # :database = Support basic authentication with authentication key + password 82 + # config.http_authenticatable = false 83 + 84 + # If 401 status code should be returned for AJAX requests. True by default. 85 + # config.http_authenticatable_on_xhr = true 86 + 87 + # The realm used in Http Basic Authentication. 'Application' by default. 88 + # config.http_authentication_realm = 'Application' 89 + 90 + # It will change confirmation, password recovery and other workflows 91 + # to behave the same regardless if the e-mail provided was right or wrong. 92 + # Does not affect registerable. 93 + # config.paranoid = true 94 + 95 + # By default Devise will store the user in session. You can skip storage for 96 + # particular strategies by setting this option. 97 + # Notice that if you are skipping storage for all authentication paths, you 98 + # may want to disable generating routes to Devise's sessions controller by 99 + # passing skip: :sessions to `devise_for` in your config/routes.rb 100 + config.skip_session_storage = [:http_auth] 101 + 102 + # By default, Devise cleans up the CSRF token on authentication to 103 + # avoid CSRF token fixation attacks. 
This means that, when using AJAX 104 + # requests for sign in and sign up, you need to get a new CSRF token 105 + # from the server. You can disable this option at your own risk. 106 + # config.clean_up_csrf_token_on_authentication = true 107 + 108 + # When false, Devise will not attempt to reload routes on eager load. 109 + # This can reduce the time taken to boot the app but if your application 110 + # requires the Devise mappings to be loaded during boot time the application 111 + # won't boot properly. 112 + # config.reload_routes = true 113 + 114 + # ==> Configuration for :database_authenticatable 115 + # For bcrypt, this is the cost for hashing the password and defaults to 12. If 116 + # using other algorithms, it sets how many times you want the password to be hashed. 117 + # The number of stretches used for generating the hashed password are stored 118 + # with the hashed password. This allows you to change the stretches without 119 + # invalidating existing passwords. 120 + # 121 + # Limiting the stretches to just one in testing will increase the performance of 122 + # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use 123 + # a value less than 10 in other environments. Note that, for bcrypt (the default 124 + # algorithm), the cost increases exponentially with the number of stretches (e.g. 125 + # a value of 20 is already extremely slow: approx. 60 seconds for 1 calculation). 126 + config.stretches = Rails.env.test? ? 1 : 12 127 + 128 + # Set up a pepper to generate the hashed password. 129 + # config.pepper = '<%= SecureRandom.hex(64) %>' 130 + 131 + # Send a notification to the original email when the user's email is changed. 132 + # config.send_email_changed_notification = false 133 + 134 + # Send a notification email when the user's password is changed. 
135 + # config.send_password_change_notification = false 136 + 137 + # ==> Configuration for :confirmable 138 + # A period that the user is allowed to access the website even without 139 + # confirming their account. For instance, if set to 2.days, the user will be 140 + # able to access the website for two days without confirming their account, 141 + # access will be blocked just in the third day. 142 + # You can also set it to nil, which will allow the user to access the website 143 + # without confirming their account. 144 + # Default is 0.days, meaning the user cannot access the website without 145 + # confirming their account. 146 + # config.allow_unconfirmed_access_for = 2.days 147 + 148 + # A period that the user is allowed to confirm their account before their 149 + # token becomes invalid. For example, if set to 3.days, the user can confirm 150 + # their account within 3 days after the mail was sent, but on the fourth day 151 + # their account can't be confirmed with the token any more. 152 + # Default is nil, meaning there is no restriction on how long a user can take 153 + # before confirming their account. 154 + # config.confirm_within = 3.days 155 + 156 + # If true, requires any email changes to be confirmed (exactly the same way as 157 + # initial account confirmation) to be applied. Requires additional unconfirmed_email 158 + # db field (see migrations). Until confirmed, new email is stored in 159 + # unconfirmed_email column, and copied to email column on successful confirmation. 160 + config.reconfirmable = true 161 + 162 + # Defines which key will be used when confirming an account 163 + # config.confirmation_keys = [:email] 164 + 165 + # ==> Configuration for :rememberable 166 + # The time the user will be remembered without asking for credentials again. 167 + # config.remember_for = 2.weeks 168 + 169 + # Invalidates all the remember me tokens when the user signs out. 
170 + config.expire_all_remember_me_on_sign_out = true 171 + 172 + # If true, extends the user's remember period when remembered via cookie. 173 + # config.extend_remember_period = false 174 + 175 + # Options to be passed to the created cookie. For instance, you can set 176 + # secure: true in order to force SSL only cookies. 177 + # config.rememberable_options = {} 178 + 179 + # ==> Configuration for :validatable 180 + # Range for password length. 181 + config.password_length = 6..128 182 + 183 + # Email regex used to validate email formats. It simply asserts that 184 + # one (and only one) @ exists in the given string. This is mainly 185 + # to give user feedback and not to assert the e-mail validity. 186 + config.email_regexp = /\A[^@\s]+@[^@\s]+\z/ 187 + 188 + # ==> Configuration for :timeoutable 189 + # The time you want to timeout the user session without activity. After this 190 + # time the user will be asked for credentials again. Default is 30 minutes. 191 + # config.timeout_in = 30.minutes 192 + 193 + # ==> Configuration for :lockable 194 + # Defines which strategy will be used to lock an account. 195 + # :failed_attempts = Locks an account after a number of failed attempts to sign in. 196 + # :none = No lock strategy. You should handle locking by yourself. 197 + # config.lock_strategy = :failed_attempts 198 + 199 + # Defines which key will be used when locking and unlocking an account 200 + # config.unlock_keys = [:email] 201 + 202 + # Defines which strategy will be used to unlock an account. 203 + # :email = Sends an unlock link to the user email 204 + # :time = Re-enables login after a certain amount of time (see :unlock_in below) 205 + # :both = Enables both strategies 206 + # :none = No unlock strategy. You should handle unlocking by yourself. 207 + # config.unlock_strategy = :both 208 + 209 + # Number of authentication tries before locking an account if lock_strategy 210 + # is failed attempts. 
211 + # config.maximum_attempts = 20 212 + 213 + # Time interval to unlock the account if :time is enabled as unlock_strategy. 214 + # config.unlock_in = 1.hour 215 + 216 + # Warn on the last attempt before the account is locked. 217 + # config.last_attempt_warning = true 218 + 219 + # ==> Configuration for :recoverable 220 + # 221 + # Defines which key will be used when recovering the password for an account 222 + # config.reset_password_keys = [:email] 223 + 224 + # Time interval you can reset your password with a reset password key. 225 + # Don't put a too small interval or your users won't have the time to 226 + # change their passwords. 227 + config.reset_password_within = 6.hours 228 + 229 + # When set to false, does not sign a user in automatically after their password is 230 + # reset. Defaults to true, so a user is signed in automatically after a reset. 231 + # config.sign_in_after_reset_password = true 232 + 233 + # ==> Configuration for :encryptable 234 + # Allow you to use another hashing or encryption algorithm besides bcrypt (default). 235 + # You can use :sha1, :sha512 or algorithms from others authentication tools as 236 + # :clearance_sha1, :authlogic_sha512 (then you should set stretches above to 20 237 + # for default behavior) and :restful_authentication_sha1 (then you should set 238 + # stretches to 10, and copy REST_AUTH_SITE_KEY to pepper). 239 + # 240 + # Require the `devise-encryptable` gem when using anything other than bcrypt 241 + # config.encryptor = :sha512 242 + 243 + # ==> Scopes configuration 244 + # Turn scoped views on. Before rendering "sessions/new", it will first check for 245 + # "users/sessions/new". It's turned off by default because it's slower if you 246 + # are using only default views. 247 + # config.scoped_views = false 248 + 249 + # Configure the default scope given to Warden. By default it's the first 250 + # devise role declared in your routes (usually :user). 
251 + # config.default_scope = :user 252 + 253 + # Set this configuration to false if you want /users/sign_out to sign out 254 + # only the current scope. By default, Devise signs out all scopes. 255 + # config.sign_out_all_scopes = true 256 + 257 + # ==> Navigation configuration 258 + # Lists the formats that should be treated as navigational. Formats like 259 + # :html, should redirect to the sign in page when the user does not have 260 + # access, but formats like :xml or :json, should return 401. 261 + # 262 + # If you have any extra navigational formats, like :iphone or :mobile, you 263 + # should add them to the navigational formats lists. 264 + # 265 + # The "*/*" below is required to match Internet Explorer requests. 266 + # config.navigational_formats = ['*/*', :html] 267 + 268 + # The default HTTP method used to sign out a resource. Default is :delete. 269 + config.sign_out_via = :delete 270 + 271 + # ==> OmniAuth 272 + # Add a new OmniAuth provider. Check the wiki for more information on setting 273 + # up on your models and hooks. 274 + # config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo' 275 + 276 + # ==> Warden configuration 277 + # If you want to use other strategies, that are not supported by Devise, or 278 + # change the failure app, you can configure them inside the config.warden block. 279 + # 280 + # config.warden do |manager| 281 + # manager.intercept_401 = false 282 + # manager.default_strategies(scope: :user).unshift :some_external_strategy 283 + # end 284 + 285 + # ==> Mountable engine configurations 286 + # When using Devise inside an engine, let's call it `MyEngine`, and this engine 287 + # is mountable, there are some extra configurations to be taken into account. 
288 + # The following options are available, assuming the engine is mounted as: 289 + # 290 + # mount MyEngine, at: '/my_engine' 291 + # 292 + # The router that invoked `devise_for`, in the example above, would be: 293 + # config.router_name = :my_engine 294 + # 295 + # When using OmniAuth, Devise cannot automatically set OmniAuth path, 296 + # so you need to do it manually. For the users scope, it would be: 297 + # config.omniauth_path_prefix = '/my_engine/users/auth' 298 + 299 + # ==> Turbolinks configuration 300 + # If your app is using Turbolinks, Turbolinks::Controller needs to be included to make redirection work correctly: 301 + # 302 + # ActiveSupport.on_load(:devise_failure_app) do 303 + # include Turbolinks::Controller 304 + # end 305 + 306 + # ==> Configuration for :registerable 307 + 308 + # When set to false, does not sign a user in automatically after their password is 309 + # changed. Defaults to true, so a user is signed in automatically after changing a password. 310 + # config.sign_in_after_change_password = true 311 + end
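Review bot: The snapshot recorded for this fixture reports the finding at line 11, the `Devise.setup do |config|` line, with the whole block as `content`, while the setting under test, `config.password_length = 6..128`, sits at line 181. A reader of the report cannot tell which line carries the risk. In a real initializer where `config.secret_key` or `config.pepper` is uncommented, the captured block would presumably carry those values into the report output as well. Consider having the detector report the assignment node rather than the enclosing block, and add a fixture comment such as `# expected finding: next line (minimum length 6)` above line 181 so the snapshot can be checked against it. The detector rule is not part of the visible change, so whether it can report a sub-node needs confirming.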