devise-pwned_password 0.1.1 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +29 -2
- data/Rakefile +15 -12
- data/lib/devise/pwned_password/model.rb +36 -34
- data/lib/devise/pwned_password/version.rb +3 -1
- data/lib/devise/pwned_password.rb +8 -3
- data/lib/tasks/devise/pwned_password_tasks.rake +1 -0
- metadata +17 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 9ef262f2244c9c92bd96259982b7fdcdf9b69118
|
4
|
+
data.tar.gz: c409c259481057b56aea0773b49cbe4b192a8847
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 927ccc527b90c8b04e84e4a0d727a83a06ac97b715390c80a12cd511fd9d3645be3aec4ddc7dcc8c2507503a0a9cef60ae9871cd5a4d408727bcc30eb41d7760
|
7
|
+
data.tar.gz: 4eafd2132c7ceb6727e0efd5d059ceb3640988749e11fc471490f4c97efb8bfea4951b2b04dada6c1734e3d1dc7e54790c647d78838fbea0c91df92880fb1e24
|
data/README.md
CHANGED
@@ -16,13 +16,24 @@ class AdminUser < ApplicationRecord
|
|
16
16
|
end
|
17
17
|
```
|
18
18
|
|
19
|
-
|
20
|
-
|
19
|
+
Users will receive the following error message if they use a password from the
|
20
|
+
PwnedPasswords dataset:
|
21
21
|
|
22
22
|
```
|
23
23
|
This password has previously appeared in a data breach and should never be used. Please choose something harder to guess.
|
24
24
|
```
|
25
25
|
|
26
|
+
By default passwords are rejected if they appear at all in the data set.
|
27
|
+
Optionally, you can add the following snippet to `config/initializers/devise.rb`
|
28
|
+
if you want the error message to be displayed only when the password is present
|
29
|
+
a certain number of times in the data set:
|
30
|
+
|
31
|
+
```ruby
|
32
|
+
# Minimum number of times a pwned password must exist in the data set in order
|
33
|
+
# to be reject.
|
34
|
+
config.min_password_matches = 10
|
35
|
+
```
|
36
|
+
|
26
37
|
## Installation
|
27
38
|
Add this line to your application's Gemfile:
|
28
39
|
|
@@ -35,6 +46,22 @@ And then execute:
|
|
35
46
|
$ bundle install
|
36
47
|
```
|
37
48
|
|
49
|
+
|
50
|
+
## Considerations
|
51
|
+
|
52
|
+
A few things to consider/understand when using this gem:
|
53
|
+
|
54
|
+
* User passwords are hashed using SHA-1 and then truncated to 5 characters,
|
55
|
+
implementing the k-Anonymity model described in
|
56
|
+
https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
|
57
|
+
Neither the clear-text password nor the full password hash is ever transmitted
|
58
|
+
to a third party. More implementation details and important caveats can be
|
59
|
+
found in https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
|
60
|
+
|
61
|
+
* This puts an external API in the request path of users signing up to your
|
62
|
+
application. This could potentially add some latency to this operation. The
|
63
|
+
gem is designed to fail silently if the PwnedPasswords service is unavailable.
|
64
|
+
|
38
65
|
## Contributing
|
39
66
|
|
40
67
|
To contribute
|
data/Rakefile
CHANGED
@@ -1,17 +1,20 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
begin
|
2
|
-
require
|
4
|
+
require "bundler/setup"
|
5
|
+
require 'bundler/gem_tasks'
|
3
6
|
rescue LoadError
|
4
|
-
puts
|
7
|
+
puts "You must `gem install bundler` and `bundle install` to run rake tasks"
|
5
8
|
end
|
6
9
|
|
7
|
-
require
|
10
|
+
require "rdoc/task"
|
8
11
|
|
9
12
|
RDoc::Task.new(:rdoc) do |rdoc|
|
10
|
-
rdoc.rdoc_dir =
|
11
|
-
rdoc.title =
|
12
|
-
rdoc.options <<
|
13
|
-
rdoc.rdoc_files.include(
|
14
|
-
rdoc.rdoc_files.include(
|
13
|
+
rdoc.rdoc_dir = "rdoc"
|
14
|
+
rdoc.title = "Devise::PwnedPassword"
|
15
|
+
rdoc.options << "--line-numbers"
|
16
|
+
rdoc.rdoc_files.include("README.md")
|
17
|
+
rdoc.rdoc_files.include("lib/**/*.rb")
|
15
18
|
end
|
16
19
|
|
17
20
|
|
@@ -19,13 +22,13 @@ end
|
|
19
22
|
|
20
23
|
|
21
24
|
|
22
|
-
require
|
25
|
+
require "bundler/gem_tasks"
|
23
26
|
|
24
|
-
require
|
27
|
+
require "rake/testtask"
|
25
28
|
|
26
29
|
Rake::TestTask.new(:test) do |t|
|
27
|
-
t.libs <<
|
28
|
-
t.pattern =
|
30
|
+
t.libs << "test"
|
31
|
+
t.pattern = "test/**/*_test.rb"
|
29
32
|
t.verbose = false
|
30
33
|
end
|
31
34
|
|
@@ -1,4 +1,6 @@
|
|
1
|
-
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require "net/http"
|
2
4
|
|
3
5
|
module Devise
|
4
6
|
module Models
|
@@ -14,49 +16,49 @@ module Devise
|
|
14
16
|
validate :not_pwned_password
|
15
17
|
end
|
16
18
|
|
17
|
-
|
19
|
+
module ClassMethods
|
20
|
+
Devise::Models.config(self, :min_password_matches)
|
21
|
+
end
|
18
22
|
|
23
|
+
private
|
19
24
|
|
20
|
-
|
21
|
-
|
22
|
-
|
25
|
+
def usage_count(response, suffix)
|
26
|
+
count = 0
|
27
|
+
response.each_line do |line|
|
28
|
+
if line.start_with? suffix
|
29
|
+
count = line.strip.split(":").last.to_i
|
30
|
+
break
|
31
|
+
end
|
32
|
+
end
|
33
|
+
count
|
34
|
+
end
|
23
35
|
|
24
|
-
|
36
|
+
# Returns true if password is present in the PwnedPasswords dataset
|
37
|
+
# Implement retry behaviour described here https://haveibeenpwned.com/API/v2#RateLimiting
|
38
|
+
def password_pwned?(password)
|
39
|
+
hash = Digest::SHA1.hexdigest(password).upcase
|
40
|
+
prefix, suffix = hash.slice!(0..4), hash
|
25
41
|
|
26
|
-
|
42
|
+
userAgent = "devise_pwned_password"
|
27
43
|
|
28
|
-
|
44
|
+
uri = URI.parse("https://api.pwnedpasswords.com/range/#{prefix}")
|
29
45
|
|
30
|
-
|
31
|
-
|
32
|
-
3.times {
|
46
|
+
Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
|
47
|
+
request = Net::HTTP::Get.new(uri.request_uri, "User-Agent" => userAgent)
|
33
48
|
response = http.request request
|
34
|
-
|
35
|
-
|
36
|
-
end
|
49
|
+
return usage_count(response.read_body, suffix) >= self.class.min_password_matches
|
50
|
+
end
|
37
51
|
|
38
|
-
|
39
|
-
|
40
|
-
if retryAfter > 10
|
41
|
-
#Exit early if the throttling is too high
|
42
|
-
return false
|
43
|
-
end
|
44
|
-
|
45
|
-
sleep retryAfter
|
46
|
-
}
|
52
|
+
false
|
47
53
|
end
|
48
54
|
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
if is_password_pwned(password)
|
56
|
-
# Error message taken from https://haveibeenpwned.com/Passwords
|
57
|
-
errors.add(:password, "This password has previously appeared in a data breach and should never be used. Please choose something harder to guess.")
|
55
|
+
def not_pwned_password
|
56
|
+
# This deliberately fails silently on 500's etc. Most apps wont want to tie the ability to sign up customers to the availability of a third party API
|
57
|
+
if password_pwned?(password)
|
58
|
+
# Error message taken from https://haveibeenpwned.com/Passwords
|
59
|
+
errors.add(:password, "This password has previously appeared in a data breach and should never be used. Please choose something harder to guess.")
|
60
|
+
end
|
58
61
|
end
|
59
|
-
end
|
60
62
|
end
|
61
63
|
end
|
62
|
-
end
|
64
|
+
end
|
@@ -1,9 +1,14 @@
|
|
1
|
-
|
2
|
-
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require "devise"
|
4
|
+
require "devise/pwned_password/model"
|
3
5
|
|
4
6
|
module Devise
|
7
|
+
mattr_accessor :min_password_matches
|
8
|
+
@@min_password_matches = 1
|
9
|
+
|
5
10
|
module PwnedPassword
|
6
11
|
end
|
7
12
|
end
|
8
13
|
|
9
|
-
Devise.add_module :pwned_password, model: "devise_pwned_password/model"
|
14
|
+
Devise.add_module :pwned_password, model: "devise_pwned_password/model"
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: devise-pwned_password
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Michael Banfield
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2018-02-25 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rails
|
@@ -52,6 +52,20 @@ dependencies:
|
|
52
52
|
- - ">="
|
53
53
|
- !ruby/object:Gem::Version
|
54
54
|
version: '0'
|
55
|
+
- !ruby/object:Gem::Dependency
|
56
|
+
name: rubocop
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
58
|
+
requirements:
|
59
|
+
- - "~>"
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
version: 0.52.1
|
62
|
+
type: :development
|
63
|
+
prerelease: false
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
65
|
+
requirements:
|
66
|
+
- - "~>"
|
67
|
+
- !ruby/object:Gem::Version
|
68
|
+
version: 0.52.1
|
55
69
|
description: Devise extension that checks user passwords against the PwnedPasswords
|
56
70
|
dataset https://haveibeenpwned.com/Passwords.
|
57
71
|
email:
|
@@ -87,7 +101,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
87
101
|
version: '0'
|
88
102
|
requirements: []
|
89
103
|
rubyforge_project:
|
90
|
-
rubygems_version: 2.
|
104
|
+
rubygems_version: 2.5.2
|
91
105
|
signing_key:
|
92
106
|
specification_version: 4
|
93
107
|
summary: Devise extension that checks user passwords against the PwnedPasswords dataset.
|