devise-not_pwned 0.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/MIT-LICENSE +20 -0
- data/README.md +162 -0
- data/Rakefile +36 -0
- data/lib/devise/pwned_password.rb +23 -0
- data/lib/devise/pwned_password/hooks/pwned_password.rb +8 -0
- data/lib/devise/pwned_password/locales/en.yml +7 -0
- data/lib/devise/pwned_password/model.rb +64 -0
- data/lib/devise/pwned_password/version.rb +7 -0
- data/lib/tasks/devise/pwned_password_tasks.rake +5 -0
- metadata +137 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: 818c8dc7f92fe00441bd5ed79ab064ab069f1033299665670058d30bad4292ff
|
4
|
+
data.tar.gz: 3d35ca004bcab6c1270bec80bca558108915a5c060fd80242ba6c445196c1710
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: cb56c187404caeb0c1d0a246436eab38d88e7826db4f3ee214ad0398916725fe27a292d5e23921d37508ba3eaf45a846af017172a55e4030a565c1d334145de7
|
7
|
+
data.tar.gz: bb1b3f94e1fa324fdc73add4c4372591a0ca10edf516c433467f370b67d54ccce4a40eff0060d35f0eae47500be7dbc5dd494d61de4e15396cc9b42283bafd6d
|
data/MIT-LICENSE
ADDED
@@ -0,0 +1,20 @@
|
|
1
|
+
Copyright 2017 Michael
|
2
|
+
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
4
|
+
a copy of this software and associated documentation files (the
|
5
|
+
"Software"), to deal in the Software without restriction, including
|
6
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
7
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
8
|
+
permit persons to whom the Software is furnished to do so, subject to
|
9
|
+
the following conditions:
|
10
|
+
|
11
|
+
The above copyright notice and this permission notice shall be
|
12
|
+
included in all copies or substantial portions of the Software.
|
13
|
+
|
14
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
15
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
16
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
17
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
18
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
19
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
20
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,162 @@
|
|
1
|
+
# Devise::PwnedPassword
|
2
|
+
Devise extension that checks user passwords against the PwnedPasswords dataset https://haveibeenpwned.com/Passwords
|
3
|
+
|
4
|
+
Based on
|
5
|
+
|
6
|
+
https://github.com/HCLarsen/devise-uncommon_password
|
7
|
+
|
8
|
+
Recently the HaveIBeenPwned API has moved to a authenticated/paid [model](https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/) , this does not effect the PwnedPasswords API, no payment or authentication is required.
|
9
|
+
|
10
|
+
|
11
|
+
## Usage
|
12
|
+
Add the :pwned_password module to your existing Devise model.
|
13
|
+
|
14
|
+
```ruby
|
15
|
+
class AdminUser < ApplicationRecord
|
16
|
+
devise :database_authenticatable,
|
17
|
+
:recoverable, :rememberable, :trackable, :validatable, :pwned_password
|
18
|
+
end
|
19
|
+
```
|
20
|
+
|
21
|
+
Users will receive the following error message if they use a password from the
|
22
|
+
PwnedPasswords dataset:
|
23
|
+
|
24
|
+
```
|
25
|
+
Password has previously appeared in a data breach and should never be used. Please choose something harder to guess.
|
26
|
+
```
|
27
|
+
|
28
|
+
You can customize this error message by modifying the `devise` YAML file.
|
29
|
+
|
30
|
+
```yml
|
31
|
+
# config/locales/devise.en.yml
|
32
|
+
en:
|
33
|
+
errors:
|
34
|
+
messages:
|
35
|
+
pwned_password: "has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it immediately!"
|
36
|
+
```
|
37
|
+
|
38
|
+
You can optionally warn existing users when they sign in if they are using a password from the PwnedPasswords dataset. The default message is:
|
39
|
+
|
40
|
+
```
|
41
|
+
Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password.
|
42
|
+
```
|
43
|
+
|
44
|
+
You can customize this message by modifying the `devise` YAML file.
|
45
|
+
|
46
|
+
```yml
|
47
|
+
# config/locales/devise.en.yml
|
48
|
+
en:
|
49
|
+
devise:
|
50
|
+
sessions:
|
51
|
+
warn_pwned: "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password everywhere you have used it."
|
52
|
+
```
|
53
|
+
|
54
|
+
By default passwords are rejected if they appear at all in the data set.
|
55
|
+
Optionally, you can add the following snippet to `config/initializers/devise.rb`
|
56
|
+
if you want the error message to be displayed only when the password is present
|
57
|
+
a certain number of times in the data set:
|
58
|
+
|
59
|
+
```ruby
|
60
|
+
# Minimum number of times a pwned password must exist in the data set in order
|
61
|
+
# to be reject.
|
62
|
+
config.min_password_matches = 10
|
63
|
+
```
|
64
|
+
|
65
|
+
By default the value set above is used to reject passwords and warn users.
|
66
|
+
Optionally, you can add the following snippet to `config/initializers/devise.rb`
|
67
|
+
if you want to use different thresholds for rejecting the password and warning
|
68
|
+
the user (for example you may only want to reject passwords that are common but
|
69
|
+
warn if the password occurs at all in the list):
|
70
|
+
|
71
|
+
```ruby
|
72
|
+
# Minimum number of times a pwned password must exist in the data set in order
|
73
|
+
# to warn the user.
|
74
|
+
config.min_password_matches_warn = 1
|
75
|
+
```
|
76
|
+
|
77
|
+
By default responses from the PwnedPasswords API are timed out after 5 seconds
|
78
|
+
to reduce potential latency problems.
|
79
|
+
Optionally, you can add the following snippet to `config/initializers/devise.rb`
|
80
|
+
to control the timeout settings:
|
81
|
+
|
82
|
+
```ruby
|
83
|
+
config.pwned_password_open_timeout = 1
|
84
|
+
config.pwned_password_read_timeout = 2
|
85
|
+
```
|
86
|
+
|
87
|
+
### Disabling in test environments
|
88
|
+
|
89
|
+
Currently this module cannot be mocked out for test environments. Because an API call is made this can slow down tests, or make test fixtures needlessly complex (dynamically generated passwords). The module can be disabled in test environments like this.
|
90
|
+
|
91
|
+
```ruby
|
92
|
+
class User < ApplicationRecord
|
93
|
+
devise :invitable ... :validatable, :lockable
|
94
|
+
devise :pwned_password unless Rails.env.test?
|
95
|
+
end
|
96
|
+
```
|
97
|
+
|
98
|
+
## Installation
|
99
|
+
Add this line to your application's Gemfile:
|
100
|
+
|
101
|
+
```ruby
|
102
|
+
gem 'devise-pwned_password'
|
103
|
+
```
|
104
|
+
|
105
|
+
And then execute:
|
106
|
+
```bash
|
107
|
+
$ bundle install
|
108
|
+
```
|
109
|
+
|
110
|
+
Optionally, if you also want to warn existing users when they sign in, override `after_sign_in_path_for`
|
111
|
+
```ruby
|
112
|
+
def after_sign_in_path_for(resource)
|
113
|
+
set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
|
114
|
+
super
|
115
|
+
end
|
116
|
+
```
|
117
|
+
|
118
|
+
This should generally be added in ```app/controllers/application_controller.rb``` for a rails app. For an Active Admin application the following monkey patch is needed.
|
119
|
+
|
120
|
+
```ruby
|
121
|
+
# config/initializers/active_admin_devise_sessions_controller.rb
|
122
|
+
class ActiveAdmin::Devise::SessionsController
|
123
|
+
def after_sign_in_path_for(resource)
|
124
|
+
set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
|
125
|
+
super
|
126
|
+
end
|
127
|
+
end
|
128
|
+
```
|
129
|
+
|
130
|
+
To prevent the default call to the HaveIBeenPwned API on user sign in, add the following to `config/initializers/devise.rb`:
|
131
|
+
|
132
|
+
```ruby
|
133
|
+
config.pwned_password_check_on_sign_in = false
|
134
|
+
```
|
135
|
+
|
136
|
+
## Considerations
|
137
|
+
|
138
|
+
A few things to consider/understand when using this gem:
|
139
|
+
|
140
|
+
* User passwords are hashed using SHA-1 and then truncated to 5 characters,
|
141
|
+
implementing the k-Anonymity model described in
|
142
|
+
https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
|
143
|
+
Neither the clear-text password nor the full password hash is ever transmitted
|
144
|
+
to a third party. More implementation details and important caveats can be
|
145
|
+
found in https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
|
146
|
+
|
147
|
+
* This puts an external API in the request path of users signing up to your
|
148
|
+
application. This could potentially add some latency to this operation. The
|
149
|
+
gem is designed to fail silently if the PwnedPasswords service is unavailable.
|
150
|
+
|
151
|
+
## Contributing
|
152
|
+
|
153
|
+
To contribute
|
154
|
+
|
155
|
+
* Check the [issue tracker](https://github.com/michaelbanfield/devise-pwned_password/issues) and [pull requests](https://github.com/michaelbanfield/devise-pwned_password/pulls) for anything similar
|
156
|
+
* Fork the repository
|
157
|
+
* Make your changes
|
158
|
+
* Run bin/test to make sure the unit tests still run
|
159
|
+
* Send a pull request
|
160
|
+
|
161
|
+
## License
|
162
|
+
The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
|
data/Rakefile
ADDED
@@ -0,0 +1,36 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
begin
|
4
|
+
require "bundler/setup"
|
5
|
+
require "bundler/gem_tasks"
|
6
|
+
rescue LoadError
|
7
|
+
puts "You must `gem install bundler` and `bundle install` to run rake tasks"
|
8
|
+
end
|
9
|
+
|
10
|
+
require "rdoc/task"
|
11
|
+
|
12
|
+
RDoc::Task.new(:rdoc) do |rdoc|
|
13
|
+
rdoc.rdoc_dir = "rdoc"
|
14
|
+
rdoc.title = "Devise::PwnedPassword"
|
15
|
+
rdoc.options << "--line-numbers"
|
16
|
+
rdoc.rdoc_files.include("README.md")
|
17
|
+
rdoc.rdoc_files.include("lib/**/*.rb")
|
18
|
+
end
|
19
|
+
|
20
|
+
|
21
|
+
|
22
|
+
|
23
|
+
|
24
|
+
|
25
|
+
require "bundler/gem_tasks"
|
26
|
+
|
27
|
+
require "rake/testtask"
|
28
|
+
|
29
|
+
Rake::TestTask.new(:test) do |t|
|
30
|
+
t.libs << "test"
|
31
|
+
t.pattern = "test/**/*_test.rb"
|
32
|
+
t.verbose = false
|
33
|
+
end
|
34
|
+
|
35
|
+
|
36
|
+
task default: :test
|
@@ -0,0 +1,23 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require "devise"
|
4
|
+
require "devise/pwned_password/model"
|
5
|
+
|
6
|
+
module Devise
|
7
|
+
mattr_accessor :min_password_matches, :min_password_matches_warn, :pwned_password_check_on_sign_in,
|
8
|
+
:pwned_password_open_timeout, :pwned_password_read_timeout
|
9
|
+
@@min_password_matches = 1
|
10
|
+
@@min_password_matches_warn = nil
|
11
|
+
@@pwned_password_check_on_sign_in = true
|
12
|
+
@@pwned_password_open_timeout = 5
|
13
|
+
@@pwned_password_read_timeout = 5
|
14
|
+
|
15
|
+
module PwnedPassword
|
16
|
+
end
|
17
|
+
end
|
18
|
+
|
19
|
+
# Load default I18n
|
20
|
+
#
|
21
|
+
I18n.load_path.unshift File.join(File.dirname(__FILE__), *%w[pwned_password locales en.yml])
|
22
|
+
|
23
|
+
Devise.add_module :pwned_password, model: "devise_pwned_password/model"
|
@@ -0,0 +1,8 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
Warden::Manager.after_set_user except: :fetch do |user, auth, opts|
|
4
|
+
if user.class.respond_to?(:pwned_password_check_on_sign_in) && user.class.pwned_password_check_on_sign_in
|
5
|
+
password = auth.request.params.fetch(opts[:scope], {}).fetch(:password, nil)
|
6
|
+
password && auth.authenticated?(opts[:scope]) && user.respond_to?(:password_pwned?) && user.password_pwned?(password)
|
7
|
+
end
|
8
|
+
end
|
@@ -0,0 +1,7 @@
|
|
1
|
+
en:
|
2
|
+
devise:
|
3
|
+
sessions:
|
4
|
+
warn_pwned: "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password."
|
5
|
+
errors:
|
6
|
+
messages:
|
7
|
+
pwned_password: "has previously appeared in a data breach and should never be used. Please choose something harder to guess."
|
@@ -0,0 +1,64 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require "pwned"
|
4
|
+
require "devise/pwned_password/hooks/pwned_password"
|
5
|
+
|
6
|
+
module Devise
|
7
|
+
module Models
|
8
|
+
# The PwnedPassword module adds a new validation for Devise Models.
|
9
|
+
# No modifications to routes or controllers needed.
|
10
|
+
# Simply add :pwned_password to the list of included modules in your
|
11
|
+
# devise module, and all new registrations will be blocked if they use
|
12
|
+
# a password in this dataset https://haveibeenpwned.com/Passwords.
|
13
|
+
module PwnedPassword
|
14
|
+
extend ActiveSupport::Concern
|
15
|
+
|
16
|
+
module ClassMethods
|
17
|
+
Devise::Models.config(self, :min_password_matches)
|
18
|
+
Devise::Models.config(self, :min_password_matches_warn)
|
19
|
+
Devise::Models.config(self, :pwned_password_check_on_sign_in)
|
20
|
+
Devise::Models.config(self, :pwned_password_open_timeout)
|
21
|
+
Devise::Models.config(self, :pwned_password_read_timeout)
|
22
|
+
end
|
23
|
+
|
24
|
+
included do
|
25
|
+
validates :password, not_pwned: {
|
26
|
+
threshold: min_password_matches,
|
27
|
+
request_options: {
|
28
|
+
open_timeout: pwned_password_open_timeout,
|
29
|
+
read_timeout: pwned_password_read_timeout,
|
30
|
+
headers: { "User-Agent" => "devise_pwned_password" }
|
31
|
+
}
|
32
|
+
}
|
33
|
+
validate :not_pwned_password_warn
|
34
|
+
end
|
35
|
+
|
36
|
+
def pwned?
|
37
|
+
@pwned ||= false
|
38
|
+
end
|
39
|
+
|
40
|
+
def pwned_count
|
41
|
+
@pwned_count ||= 0
|
42
|
+
end
|
43
|
+
attr_writer :pwned_count
|
44
|
+
|
45
|
+
# Returns true if password is present in the PwnedPasswords dataset
|
46
|
+
def password_pwned?(password)
|
47
|
+
puts %(pwned_count=#{(pwned_count).inspect})
|
48
|
+
puts %(persisted?=#{(persisted?).inspect})
|
49
|
+
puts %(self.class.min_password_matches_warn=#{(self.class.min_password_matches_warn).inspect})
|
50
|
+
@pwned = @pwned_count >= (persisted? ? self.class.min_password_matches_warn || self.class.min_password_matches : self.class.min_password_matches)
|
51
|
+
return @pwned
|
52
|
+
end
|
53
|
+
|
54
|
+
private
|
55
|
+
|
56
|
+
def not_pwned_password_warn
|
57
|
+
# This deliberately fails silently on 500's etc. Most apps won't want to tie the ability to sign up users to the availability of a third-party API.
|
58
|
+
if password_pwned?(password)
|
59
|
+
errors.add(:password, :pwned_password, count: @pwned_count)
|
60
|
+
end
|
61
|
+
end
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|
metadata
ADDED
@@ -0,0 +1,137 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: devise-not_pwned
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.0.1
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Michael Banfield
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain: []
|
11
|
+
date: 2020-04-27 00:00:00.000000000 Z
|
12
|
+
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
name: devise
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
16
|
+
requirements:
|
17
|
+
- - "~>"
|
18
|
+
- !ruby/object:Gem::Version
|
19
|
+
version: '4'
|
20
|
+
type: :runtime
|
21
|
+
prerelease: false
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirements:
|
24
|
+
- - "~>"
|
25
|
+
- !ruby/object:Gem::Version
|
26
|
+
version: '4'
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: pwned
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - "~>"
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: 2.0.0
|
34
|
+
type: :runtime
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - "~>"
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: 2.0.0
|
41
|
+
- !ruby/object:Gem::Dependency
|
42
|
+
name: rails
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
44
|
+
requirements:
|
45
|
+
- - "~>"
|
46
|
+
- !ruby/object:Gem::Version
|
47
|
+
version: 5.1.2
|
48
|
+
type: :development
|
49
|
+
prerelease: false
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
51
|
+
requirements:
|
52
|
+
- - "~>"
|
53
|
+
- !ruby/object:Gem::Version
|
54
|
+
version: 5.1.2
|
55
|
+
- !ruby/object:Gem::Dependency
|
56
|
+
name: sqlite3
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
58
|
+
requirements:
|
59
|
+
- - ">="
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
version: '0'
|
62
|
+
type: :development
|
63
|
+
prerelease: false
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
65
|
+
requirements:
|
66
|
+
- - ">="
|
67
|
+
- !ruby/object:Gem::Version
|
68
|
+
version: '0'
|
69
|
+
- !ruby/object:Gem::Dependency
|
70
|
+
name: rubocop
|
71
|
+
requirement: !ruby/object:Gem::Requirement
|
72
|
+
requirements:
|
73
|
+
- - "~>"
|
74
|
+
- !ruby/object:Gem::Version
|
75
|
+
version: 0.52.1
|
76
|
+
type: :development
|
77
|
+
prerelease: false
|
78
|
+
version_requirements: !ruby/object:Gem::Requirement
|
79
|
+
requirements:
|
80
|
+
- - "~>"
|
81
|
+
- !ruby/object:Gem::Version
|
82
|
+
version: 0.52.1
|
83
|
+
- !ruby/object:Gem::Dependency
|
84
|
+
name: byebug
|
85
|
+
requirement: !ruby/object:Gem::Requirement
|
86
|
+
requirements:
|
87
|
+
- - ">="
|
88
|
+
- !ruby/object:Gem::Version
|
89
|
+
version: '0'
|
90
|
+
type: :development
|
91
|
+
prerelease: false
|
92
|
+
version_requirements: !ruby/object:Gem::Requirement
|
93
|
+
requirements:
|
94
|
+
- - ">="
|
95
|
+
- !ruby/object:Gem::Version
|
96
|
+
version: '0'
|
97
|
+
description: Devise extension that checks user passwords against the PwnedPasswords
|
98
|
+
dataset https://haveibeenpwned.com/Passwords.
|
99
|
+
email:
|
100
|
+
- michael@michaelbanfield.com
|
101
|
+
executables: []
|
102
|
+
extensions: []
|
103
|
+
extra_rdoc_files: []
|
104
|
+
files:
|
105
|
+
- MIT-LICENSE
|
106
|
+
- README.md
|
107
|
+
- Rakefile
|
108
|
+
- lib/devise/pwned_password.rb
|
109
|
+
- lib/devise/pwned_password/hooks/pwned_password.rb
|
110
|
+
- lib/devise/pwned_password/locales/en.yml
|
111
|
+
- lib/devise/pwned_password/model.rb
|
112
|
+
- lib/devise/pwned_password/version.rb
|
113
|
+
- lib/tasks/devise/pwned_password_tasks.rake
|
114
|
+
homepage: https://github.com/michaelbanfield/devise-pwned_password
|
115
|
+
licenses:
|
116
|
+
- MIT
|
117
|
+
metadata: {}
|
118
|
+
post_install_message:
|
119
|
+
rdoc_options: []
|
120
|
+
require_paths:
|
121
|
+
- lib
|
122
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
123
|
+
requirements:
|
124
|
+
- - ">="
|
125
|
+
- !ruby/object:Gem::Version
|
126
|
+
version: '0'
|
127
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
128
|
+
requirements:
|
129
|
+
- - ">="
|
130
|
+
- !ruby/object:Gem::Version
|
131
|
+
version: '0'
|
132
|
+
requirements: []
|
133
|
+
rubygems_version: 3.0.3
|
134
|
+
signing_key:
|
135
|
+
specification_version: 4
|
136
|
+
summary: Devise extension that checks user passwords against the PwnedPasswords dataset.
|
137
|
+
test_files: []
|