Make the lock timeout configurable

Author: Philippe Hässig

app/helpers/casino/sessions_helper.rb

@@ -97,6 +97,7 @@ def handle_signed_in_with_service(tgt, options)
 
   def prevent_brute_force(user)
     return unless user.max_failed_logins_reached?(CASino.config.max_failed_login_attempts)
-    user.update locked_until: LOCK_TIMEOUT.from_now
+    lock_timeout_minutes = CASino.config.failed_login_lock_timeout.to_i.minutes
+    user.update locked_until: lock_timeout_minutes.from_now
   end
 end

config/cas.yml

@@ -1,5 +1,6 @@
 defaults: &defaults
   max_failed_login_attempts: -1 # disabled
+  failed_login_lock_timeout: 5 # minutes a user gets locked for when using max_failed_login_attempts
   service_ticket:
     lifetime_unconsumed: 299
   authenticators:

spec/dummy/config/cas.yml

@@ -1,4 +1,6 @@
 defaults: &defaults
+  max_failed_login_attempts: 5
+  failed_login_lock_timeout: 5
   login_ticket:
     lifetime: 600
   service_ticket: