ankane / authtrail

Track Devise login activity


Compatibility with Devise paranoid mode

hlascelles opened this issue · comments

When using this gem with Devise.paranoid = true we are seeing an issue.

  • When you get a password wrong, Devise returns a 200 and the form again.

  • When you get a username wrong (doesn't exist) in paranoid mode, it also returns a 200 and the form. The user cannot enumerate known/unknown username lists.

  • With authtrail 0.2.2 this worked fine.

  • With authtrail 0.3.0 and higher, it will "Raise an exception instead of logging when auditing fails". This bubbles up to the front end and thus Devise now reveals the non-existence of a user.

Can we make some config to disable that change? Or, is there guidance on how to handle the exception and stay "paranoid"? Thanks!
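The following is an added illustration of the property the issue is about, not code from authtrail or Devise: a login check whose result is identical for an unknown username and a wrong password, and whose tracking hook cannot change that result when it fails. The function names, the in-memory user store, the PBKDF2-based hashing and the `audit:` hook are all assumptions made for the example; since the thread does not name the exception authtrail raises, the hook failure is rescued as a generic `StandardError`.

```ruby
# Added example (not authtrail's or Devise's code): paranoid-style login check.
require "openssl"
require "securerandom"

DIGEST = "sha256"
ITERATIONS = 10_000
KEY_LEN = 32

# Derive a password hash with PBKDF2 from the standard library (assumption:
# a real app would use its own password hasher, e.g. bcrypt via Devise).
def derive(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, DIGEST)
end

# Constructed sample user store: login => { salt:, hash: }
SALT = "fixed-salt-for-example"
USERS = {
  "alice" => { salt: SALT, hash: derive("correct horse", SALT) }
}.freeze

# Dummy credential used when the login does not exist, so the same hashing
# work happens on both paths and the timing profile stays similar.
DUMMY = { salt: SALT, hash: derive(SecureRandom.hex(16), SALT) }.freeze

# Constant-time byte comparison (no early exit on the first mismatch).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns :success or the single generic failure value. The failure value is
# deliberately the same for "no such user" and "wrong password", which is
# what Devise's paranoid mode aims for. The audit hook (assumed to stand in
# for login tracking) is always called, but any exception it raises is
# contained here instead of bubbling up into a different HTTP response.
def paranoid_authenticate(login, password, audit: ->(_login, _ok) {})
  record = USERS.fetch(login, DUMMY)            # unknown login => dummy record
  candidate = derive(password, record[:salt])
  matched = secure_compare(candidate, record[:hash])
  ok = USERS.key?(login) & matched              # non-short-circuit AND
  begin
    audit.call(login, ok)
  rescue StandardError => e
    # Audit failures must not alter what the user sees: log and continue.
    warn "audit failed: #{e.class}: #{e.message}"
  end
  ok ? :success : :invalid_login_or_password
end

if $PROGRAM_NAME == __FILE__
  failing_audit = ->(_l, _ok) { raise IOError, "audit store unavailable" }
  p paranoid_authenticate("alice", "correct horse")
  p paranoid_authenticate("alice", "wrong password")
  p paranoid_authenticate("nobody", "wrong password")
  p paranoid_authenticate("nobody", "wrong password", audit: failing_audit)
end
```

The two things worth checking when wiring a tracking hook into a login flow are visible in the last two calls: the unknown-user and wrong-password paths return the same value, and a hook that raises still produces that same value rather than an error page.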

Hey @hlascelles, what exception are you seeing?

Also, there are likely timing differences between tracking successful and failed login attempts, which could reveal the existence of a user to an attacker, so you'll probably want to avoid using this gem for that use case.

Edit: Nevermind, it'd be timing differences between different types of failed attempts you'd need to worry about. I'm not sure there are any right now, but it's not really a focus of the project.