devise-not_pwned 0.0.1

Sign up to get free protection for your applications and to get access to all the features.
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: 818c8dc7f92fe00441bd5ed79ab064ab069f1033299665670058d30bad4292ff
4
+ data.tar.gz: 3d35ca004bcab6c1270bec80bca558108915a5c060fd80242ba6c445196c1710
5
+ SHA512:
6
+ metadata.gz: cb56c187404caeb0c1d0a246436eab38d88e7826db4f3ee214ad0398916725fe27a292d5e23921d37508ba3eaf45a846af017172a55e4030a565c1d334145de7
7
+ data.tar.gz: bb1b3f94e1fa324fdc73add4c4372591a0ca10edf516c433467f370b67d54ccce4a40eff0060d35f0eae47500be7dbc5dd494d61de4e15396cc9b42283bafd6d
@@ -0,0 +1,20 @@
1
+ Copyright 2017 Michael
2
+
3
+ Permission is hereby granted, free of charge, to any person obtaining
4
+ a copy of this software and associated documentation files (the
5
+ "Software"), to deal in the Software without restriction, including
6
+ without limitation the rights to use, copy, modify, merge, publish,
7
+ distribute, sublicense, and/or sell copies of the Software, and to
8
+ permit persons to whom the Software is furnished to do so, subject to
9
+ the following conditions:
10
+
11
+ The above copyright notice and this permission notice shall be
12
+ included in all copies or substantial portions of the Software.
13
+
14
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
18
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
19
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
20
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@@ -0,0 +1,162 @@
1
+ # Devise::PwnedPassword
2
+ Devise extension that checks user passwords against the PwnedPasswords dataset https://haveibeenpwned.com/Passwords
3
+
4
+ Based on
5
+
6
+ https://github.com/HCLarsen/devise-uncommon_password
7
+
8
+ Recently the HaveIBeenPwned API has moved to a authenticated/paid [model](https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/) , this does not effect the PwnedPasswords API, no payment or authentication is required.
9
+
10
+
11
+ ## Usage
12
+ Add the :pwned_password module to your existing Devise model.
13
+
14
+ ```ruby
15
+ class AdminUser < ApplicationRecord
16
+ devise :database_authenticatable,
17
+ :recoverable, :rememberable, :trackable, :validatable, :pwned_password
18
+ end
19
+ ```
20
+
21
+ Users will receive the following error message if they use a password from the
22
+ PwnedPasswords dataset:
23
+
24
+ ```
25
+ Password has previously appeared in a data breach and should never be used. Please choose something harder to guess.
26
+ ```
27
+
28
+ You can customize this error message by modifying the `devise` YAML file.
29
+
30
+ ```yml
31
+ # config/locales/devise.en.yml
32
+ en:
33
+ errors:
34
+ messages:
35
+ pwned_password: "has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it immediately!"
36
+ ```
37
+
38
+ You can optionally warn existing users when they sign in if they are using a password from the PwnedPasswords dataset. The default message is:
39
+
40
+ ```
41
+ Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password.
42
+ ```
43
+
44
+ You can customize this message by modifying the `devise` YAML file.
45
+
46
+ ```yml
47
+ # config/locales/devise.en.yml
48
+ en:
49
+ devise:
50
+ sessions:
51
+ warn_pwned: "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password everywhere you have used it."
52
+ ```
53
+
54
+ By default passwords are rejected if they appear at all in the data set.
55
+ Optionally, you can add the following snippet to `config/initializers/devise.rb`
56
+ if you want the error message to be displayed only when the password is present
57
+ a certain number of times in the data set:
58
+
59
+ ```ruby
60
+ # Minimum number of times a pwned password must exist in the data set in order
61
+ # to be reject.
62
+ config.min_password_matches = 10
63
+ ```
64
+
65
+ By default the value set above is used to reject passwords and warn users.
66
+ Optionally, you can add the following snippet to `config/initializers/devise.rb`
67
+ if you want to use different thresholds for rejecting the password and warning
68
+ the user (for example you may only want to reject passwords that are common but
69
+ warn if the password occurs at all in the list):
70
+
71
+ ```ruby
72
+ # Minimum number of times a pwned password must exist in the data set in order
73
+ # to warn the user.
74
+ config.min_password_matches_warn = 1
75
+ ```
76
+
77
+ By default responses from the PwnedPasswords API are timed out after 5 seconds
78
+ to reduce potential latency problems.
79
+ Optionally, you can add the following snippet to `config/initializers/devise.rb`
80
+ to control the timeout settings:
81
+
82
+ ```ruby
83
+ config.pwned_password_open_timeout = 1
84
+ config.pwned_password_read_timeout = 2
85
+ ```
86
+
87
+ ### Disabling in test environments
88
+
89
+ Currently this module cannot be mocked out for test environments. Because an API call is made this can slow down tests, or make test fixtures needlessly complex (dynamically generated passwords). The module can be disabled in test environments like this.
90
+
91
+ ```ruby
92
+ class User < ApplicationRecord
93
+ devise :invitable ... :validatable, :lockable
94
+ devise :pwned_password unless Rails.env.test?
95
+ end
96
+ ```
97
+
98
+ ## Installation
99
+ Add this line to your application's Gemfile:
100
+
101
+ ```ruby
102
+ gem 'devise-pwned_password'
103
+ ```
104
+
105
+ And then execute:
106
+ ```bash
107
+ $ bundle install
108
+ ```
109
+
110
+ Optionally, if you also want to warn existing users when they sign in, override `after_sign_in_path_for`
111
+ ```ruby
112
+ def after_sign_in_path_for(resource)
113
+ set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
114
+ super
115
+ end
116
+ ```
117
+
118
+ This should generally be added in ```app/controllers/application_controller.rb``` for a rails app. For an Active Admin application the following monkey patch is needed.
119
+
120
+ ```ruby
121
+ # config/initializers/active_admin_devise_sessions_controller.rb
122
+ class ActiveAdmin::Devise::SessionsController
123
+ def after_sign_in_path_for(resource)
124
+ set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
125
+ super
126
+ end
127
+ end
128
+ ```
129
+
130
+ To prevent the default call to the HaveIBeenPwned API on user sign in, add the following to `config/initializers/devise.rb`:
131
+
132
+ ```ruby
133
+ config.pwned_password_check_on_sign_in = false
134
+ ```
135
+
136
+ ## Considerations
137
+
138
+ A few things to consider/understand when using this gem:
139
+
140
+ * User passwords are hashed using SHA-1 and then truncated to 5 characters,
141
+ implementing the k-Anonymity model described in
142
+ https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
143
+ Neither the clear-text password nor the full password hash is ever transmitted
144
+ to a third party. More implementation details and important caveats can be
145
+ found in https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
146
+
147
+ * This puts an external API in the request path of users signing up to your
148
+ application. This could potentially add some latency to this operation. The
149
+ gem is designed to fail silently if the PwnedPasswords service is unavailable.
150
+
151
+ ## Contributing
152
+
153
+ To contribute
154
+
155
+ * Check the [issue tracker](https://github.com/michaelbanfield/devise-pwned_password/issues) and [pull requests](https://github.com/michaelbanfield/devise-pwned_password/pulls) for anything similar
156
+ * Fork the repository
157
+ * Make your changes
158
+ * Run bin/test to make sure the unit tests still run
159
+ * Send a pull request
160
+
161
+ ## License
162
+ The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
@@ -0,0 +1,36 @@
1
+ # frozen_string_literal: true
2
+
3
+ begin
4
+ require "bundler/setup"
5
+ require "bundler/gem_tasks"
6
+ rescue LoadError
7
+ puts "You must `gem install bundler` and `bundle install` to run rake tasks"
8
+ end
9
+
10
+ require "rdoc/task"
11
+
12
+ RDoc::Task.new(:rdoc) do |rdoc|
13
+ rdoc.rdoc_dir = "rdoc"
14
+ rdoc.title = "Devise::PwnedPassword"
15
+ rdoc.options << "--line-numbers"
16
+ rdoc.rdoc_files.include("README.md")
17
+ rdoc.rdoc_files.include("lib/**/*.rb")
18
+ end
19
+
20
+
21
+
22
+
23
+
24
+
25
+ require "bundler/gem_tasks"
26
+
27
+ require "rake/testtask"
28
+
29
+ Rake::TestTask.new(:test) do |t|
30
+ t.libs << "test"
31
+ t.pattern = "test/**/*_test.rb"
32
+ t.verbose = false
33
+ end
34
+
35
+
36
+ task default: :test
@@ -0,0 +1,23 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "devise"
4
+ require "devise/pwned_password/model"
5
+
6
+ module Devise
7
+ mattr_accessor :min_password_matches, :min_password_matches_warn, :pwned_password_check_on_sign_in,
8
+ :pwned_password_open_timeout, :pwned_password_read_timeout
9
+ @@min_password_matches = 1
10
+ @@min_password_matches_warn = nil
11
+ @@pwned_password_check_on_sign_in = true
12
+ @@pwned_password_open_timeout = 5
13
+ @@pwned_password_read_timeout = 5
14
+
15
+ module PwnedPassword
16
+ end
17
+ end
18
+
19
+ # Load default I18n
20
+ #
21
+ I18n.load_path.unshift File.join(File.dirname(__FILE__), *%w[pwned_password locales en.yml])
22
+
23
+ Devise.add_module :pwned_password, model: "devise_pwned_password/model"
@@ -0,0 +1,8 @@
1
+ # frozen_string_literal: true
2
+
3
+ Warden::Manager.after_set_user except: :fetch do |user, auth, opts|
4
+ if user.class.respond_to?(:pwned_password_check_on_sign_in) && user.class.pwned_password_check_on_sign_in
5
+ password = auth.request.params.fetch(opts[:scope], {}).fetch(:password, nil)
6
+ password && auth.authenticated?(opts[:scope]) && user.respond_to?(:password_pwned?) && user.password_pwned?(password)
7
+ end
8
+ end
@@ -0,0 +1,7 @@
1
+ en:
2
+ devise:
3
+ sessions:
4
+ warn_pwned: "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password."
5
+ errors:
6
+ messages:
7
+ pwned_password: "has previously appeared in a data breach and should never be used. Please choose something harder to guess."
@@ -0,0 +1,64 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "pwned"
4
+ require "devise/pwned_password/hooks/pwned_password"
5
+
6
+ module Devise
7
+ module Models
8
+ # The PwnedPassword module adds a new validation for Devise Models.
9
+ # No modifications to routes or controllers needed.
10
+ # Simply add :pwned_password to the list of included modules in your
11
+ # devise module, and all new registrations will be blocked if they use
12
+ # a password in this dataset https://haveibeenpwned.com/Passwords.
13
+ module PwnedPassword
14
+ extend ActiveSupport::Concern
15
+
16
+ module ClassMethods
17
+ Devise::Models.config(self, :min_password_matches)
18
+ Devise::Models.config(self, :min_password_matches_warn)
19
+ Devise::Models.config(self, :pwned_password_check_on_sign_in)
20
+ Devise::Models.config(self, :pwned_password_open_timeout)
21
+ Devise::Models.config(self, :pwned_password_read_timeout)
22
+ end
23
+
24
+ included do
25
+ validates :password, not_pwned: {
26
+ threshold: min_password_matches,
27
+ request_options: {
28
+ open_timeout: pwned_password_open_timeout,
29
+ read_timeout: pwned_password_read_timeout,
30
+ headers: { "User-Agent" => "devise_pwned_password" }
31
+ }
32
+ }
33
+ validate :not_pwned_password_warn
34
+ end
35
+
36
+ def pwned?
37
+ @pwned ||= false
38
+ end
39
+
40
+ def pwned_count
41
+ @pwned_count ||= 0
42
+ end
43
+ attr_writer :pwned_count
44
+
45
+ # Returns true if password is present in the PwnedPasswords dataset
46
+ def password_pwned?(password)
47
+ puts %(pwned_count=#{(pwned_count).inspect})
48
+ puts %(persisted?=#{(persisted?).inspect})
49
+ puts %(self.class.min_password_matches_warn=#{(self.class.min_password_matches_warn).inspect})
50
+ @pwned = @pwned_count >= (persisted? ? self.class.min_password_matches_warn || self.class.min_password_matches : self.class.min_password_matches)
51
+ return @pwned
52
+ end
53
+
54
+ private
55
+
56
+ def not_pwned_password_warn
57
+ # This deliberately fails silently on 500's etc. Most apps won't want to tie the ability to sign up users to the availability of a third-party API.
58
+ if password_pwned?(password)
59
+ errors.add(:password, :pwned_password, count: @pwned_count)
60
+ end
61
+ end
62
+ end
63
+ end
64
+ end
@@ -0,0 +1,7 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Devise
4
+ module PwnedPassword
5
+ VERSION = "0.0.1"
6
+ end
7
+ end
@@ -0,0 +1,5 @@
1
+ # frozen_string_literal: true
2
+ # desc "Explaining what the task does"
3
+ # task :devise_pwned_password do
4
+ # # Task goes here
5
+ # end
metadata ADDED
@@ -0,0 +1,137 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: devise-not_pwned
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.0.1
5
+ platform: ruby
6
+ authors:
7
+ - Michael Banfield
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2020-04-27 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: devise
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - "~>"
18
+ - !ruby/object:Gem::Version
19
+ version: '4'
20
+ type: :runtime
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - "~>"
25
+ - !ruby/object:Gem::Version
26
+ version: '4'
27
+ - !ruby/object:Gem::Dependency
28
+ name: pwned
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - "~>"
32
+ - !ruby/object:Gem::Version
33
+ version: 2.0.0
34
+ type: :runtime
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - "~>"
39
+ - !ruby/object:Gem::Version
40
+ version: 2.0.0
41
+ - !ruby/object:Gem::Dependency
42
+ name: rails
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - "~>"
46
+ - !ruby/object:Gem::Version
47
+ version: 5.1.2
48
+ type: :development
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - "~>"
53
+ - !ruby/object:Gem::Version
54
+ version: 5.1.2
55
+ - !ruby/object:Gem::Dependency
56
+ name: sqlite3
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - ">="
60
+ - !ruby/object:Gem::Version
61
+ version: '0'
62
+ type: :development
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - ">="
67
+ - !ruby/object:Gem::Version
68
+ version: '0'
69
+ - !ruby/object:Gem::Dependency
70
+ name: rubocop
71
+ requirement: !ruby/object:Gem::Requirement
72
+ requirements:
73
+ - - "~>"
74
+ - !ruby/object:Gem::Version
75
+ version: 0.52.1
76
+ type: :development
77
+ prerelease: false
78
+ version_requirements: !ruby/object:Gem::Requirement
79
+ requirements:
80
+ - - "~>"
81
+ - !ruby/object:Gem::Version
82
+ version: 0.52.1
83
+ - !ruby/object:Gem::Dependency
84
+ name: byebug
85
+ requirement: !ruby/object:Gem::Requirement
86
+ requirements:
87
+ - - ">="
88
+ - !ruby/object:Gem::Version
89
+ version: '0'
90
+ type: :development
91
+ prerelease: false
92
+ version_requirements: !ruby/object:Gem::Requirement
93
+ requirements:
94
+ - - ">="
95
+ - !ruby/object:Gem::Version
96
+ version: '0'
97
+ description: Devise extension that checks user passwords against the PwnedPasswords
98
+ dataset https://haveibeenpwned.com/Passwords.
99
+ email:
100
+ - michael@michaelbanfield.com
101
+ executables: []
102
+ extensions: []
103
+ extra_rdoc_files: []
104
+ files:
105
+ - MIT-LICENSE
106
+ - README.md
107
+ - Rakefile
108
+ - lib/devise/pwned_password.rb
109
+ - lib/devise/pwned_password/hooks/pwned_password.rb
110
+ - lib/devise/pwned_password/locales/en.yml
111
+ - lib/devise/pwned_password/model.rb
112
+ - lib/devise/pwned_password/version.rb
113
+ - lib/tasks/devise/pwned_password_tasks.rake
114
+ homepage: https://github.com/michaelbanfield/devise-pwned_password
115
+ licenses:
116
+ - MIT
117
+ metadata: {}
118
+ post_install_message:
119
+ rdoc_options: []
120
+ require_paths:
121
+ - lib
122
+ required_ruby_version: !ruby/object:Gem::Requirement
123
+ requirements:
124
+ - - ">="
125
+ - !ruby/object:Gem::Version
126
+ version: '0'
127
+ required_rubygems_version: !ruby/object:Gem::Requirement
128
+ requirements:
129
+ - - ">="
130
+ - !ruby/object:Gem::Version
131
+ version: '0'
132
+ requirements: []
133
+ rubygems_version: 3.0.3
134
+ signing_key:
135
+ specification_version: 4
136
+ summary: Devise extension that checks user passwords against the PwnedPasswords dataset.
137
+ test_files: []