My team is currently using Authlogic for user authentication, which disables a user's account after 6 failed_login_attempts. I want to re-enable such a user's account after a 15-minute time period. The problem is that we are deploying to the Rails cloud host, Heroku, which offers only a one-hour cron job and a daily cron job. I seem to need a cron job that increments in a matter of minutes, which I don't have, or I would have to freeze a thread to sit and wait the time out, which is not even going to be considered for obvious performance reasons.

Do I have any other options to implement this specific user experience?

+3  A: 

If you already have the current_user loaded, you can just do this:

# last failure is older than 15 minutes: clear the counter so the account unlocks
if current_user.failed_login_attempts >= 6 && current_user.failed_login_at < 15.minutes.ago
    current_user.update_attribute(:failed_login_attempts, 0)
end

Something along those lines.

Garrett
Yeah, something like this should work. Check the current time when they click 'submit' on the login form with the time of their last failed login - resetting the number of attempts if it's exceeded the 15 minute period.
Austin Fitzpatrick
D'oh! Thank you for this much more elegant alternative to a silly cron!
David Rivers
No problem, it isn't a full implementation, but it will help you with doing something other than cron.
Garrett
+1  A: 

There's actually a declarative way of doing this. In your UserSession class, among the options available is failed_login_ban_for, which checks the last updated_at (which is touched even for failed attempts) so a successful attempt 15 minutes after a bogus attempt, for example, will now succeed:

class UserSession < Authlogic::Session::Base
  logout_on_timeout true
  consecutive_failed_logins_limit 5
  failed_login_ban_for 15.minutes
end

See the rdoc for more info: http://rdoc.info/projects/binarylogic/authlogic

thynctank
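The rule both answers describe (the lockout is a counter plus a timestamp, and the next login attempt clears the counter once the window has passed) written out as plain Ruby so it runs stand-alone. This is an added example, not code from the question, either answer, or Authlogic itself: the `UserRecord` fields, the `LoginThrottle` class and its method names, and the fake clock are assumptions made for illustration; Authlogic's own column names and `failed_login_ban_for` behaviour are only what the second answer states.

```ruby
# Added example: time-windowed lockout reset without Rails or Authlogic.
# Field and class names are assumptions for illustration only.

# Stand-in for the user row: a failure counter and the time of the last
# failure (constructed; Authlogic's real columns are not assumed here).
UserRecord = Struct.new(:login, :failed_login_attempts, :failed_login_at)

class LoginThrottle
  FIFTEEN_MINUTES = 15 * 60

  # limit:   consecutive failures that trigger the ban (6 in the question)
  # ban_for: length of the ban in seconds
  # clock:   callable returning a Time, injected so the window can be
  #          stepped through deterministically instead of sleeping
  def initialize(limit: 6, ban_for: FIFTEEN_MINUTES, clock: -> { Time.now })
    @limit = limit
    @ban_for = ban_for
    @clock = clock
  end

  # Banned only while BOTH hold: the limit was reached and the last failure
  # is still inside the ban window. Once the window passes this is false,
  # which is what lets the next attempt clear the counter.
  def banned?(user)
    return false if user.failed_login_attempts < @limit
    return false if user.failed_login_at.nil?

    @clock.call - user.failed_login_at < @ban_for
  end

  # One login attempt. Mirrors the first answer: if the window has expired,
  # reset the counter before judging the attempt. password_ok is the result
  # of the (out-of-scope here) credential check.
  def attempt(user, password_ok)
    if user.failed_login_attempts >= @limit && !banned?(user)
      user.failed_login_attempts = 0
      user.failed_login_at = nil
    end
    # A correct password during the ban is still refused, and the timestamp
    # is deliberately NOT refreshed, so repeated attempts cannot prolong it.
    return :locked if banned?(user)

    if password_ok
      user.failed_login_attempts = 0
      user.failed_login_at = nil
      :ok
    else
      user.failed_login_attempts += 1
      user.failed_login_at = @clock.call
      :bad_password
    end
  end

  # Walks the scenario from the question with a fake clock: six bad
  # passwords, a correct password inside the window, one just before the
  # window ends, and one exactly when it ends.
  def self.simulate
    now = Time.at(0)
    throttle = new(limit: 6, ban_for: FIFTEEN_MINUTES, clock: -> { now })
    user = UserRecord.new("alice", 0, nil) # constructed sample user
    results = []
    6.times { results << throttle.attempt(user, false) }
    results << throttle.attempt(user, true)  # 0 s later: still banned
    now = Time.at(FIFTEEN_MINUTES - 1)
    results << throttle.attempt(user, true)  # 14:59 later: still banned
    now = Time.at(FIFTEEN_MINUTES)
    results << throttle.attempt(user, true)  # window over: counter reset, login ok
    results
  end
end

puts LoginThrottle.simulate.inspect if $PROGRAM_NAME == __FILE__
```

The check runs on the login request itself, so no cron or sleeping thread is involved; the only state is the counter and timestamp already stored on the user. One design choice worth noting: the second answer says Authlogic keys the ban off `updated_at`, which is touched even by failed attempts, so under that scheme a steady stream of bad passwords keeps pushing the window forward and the legitimate user stays locked out. The example above leaves the timestamp untouched while banned so the ban always ends `ban_for` seconds after the attempt that triggered it.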