devise-pwned_password 0.1.2 → 0.1.3

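--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 9ef262f2244c9c92bd96259982b7fdcdf9b69118
- data.tar.gz: c409c259481057b56aea0773b49cbe4b192a8847
+ metadata.gz: 33a24728b4d0e4bd0f038f228419b1be59ed1f37
+ data.tar.gz: 48256086d719c039ebe89b0015b3eb5ef0c7e2d6
  SHA512:
- metadata.gz: 927ccc527b90c8b04e84e4a0d727a83a06ac97b715390c80a12cd511fd9d3645be3aec4ddc7dcc8c2507503a0a9cef60ae9871cd5a4d408727bcc30eb41d7760
- data.tar.gz: 4eafd2132c7ceb6727e0efd5d059ceb3640988749e11fc471490f4c97efb8bfea4951b2b04dada6c1734e3d1dc7e54790c647d78838fbea0c91df92880fb1e24
+ metadata.gz: e59fdefbc4f327c4cc93bb84532b67e57af8c59bb78270d3c9ec805bdd8319cb19b4a8241506c84daa04413abc5387c0e1ce2de78ee4a986f10fce1b889d1718
+ data.tar.gz: a9731a85f5d23f3c4ba0d67b6928719daa72623d51ae79fee1bd88c895bd638e18247c570e9ff2fcdffc601bb2bc15a985b8f80cb42c91250e921a20b3ff79b5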
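--- a/data/README.md
+++ b/data/README.md
@@ -20,7 +20,17 @@ Users will receive the following error message if they use a password from the
  PwnedPasswords dataset:
  
  ```
- This password has previously appeared in a data breach and should never be used. Please choose something harder to guess.
+ Password has previously appeared in a data breach and should never be used. Please choose something harder to guess.
+ ```
+
+ You can customize this error message by modifying the `devise` YAML file.
+
+ ```yml
+ # config/locales/devise.en.yml
+ en:
+ errors:
+ messages:
+ pwned_password: "has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it immediately!"
  ```
  
  By default passwords are rejected if they appear at all in the data set.
@@ -34,6 +44,16 @@ a certain number of times in the data set:
  config.min_password_matches = 10
  ```
  
+ By default responses from the PwnedPasswords API are timed out after 5 seconds
+ to reduce potential latency problems.
+ Optionally, you can add the following snippet to `config/initializers/devise.rb`
+ to control the timeout settings:
+
+ ```ruby
+ config.pwned_password_open_timeout = 1
+ config.pwned_password_read_timeout = 2
+ ```
+
  ## Installation
  Add this line to your application's Gemfile:
  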
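--- a/data/Rakefile
+++ b/data/Rakefile
@@ -2,7 +2,7 @@
  
  begin
  require "bundler/setup"
- require 'bundler/gem_tasks'
+ require "bundler/gem_tasks"
  rescue LoadError
  puts "You must `gem install bundler` and `bundle install` to run rake tasks"
  end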
@@ -0,0 +1,4 @@
1
+ en:
2
+ errors:
3
+ messages:
4
+ pwned_password: "has previously appeared in a data breach and should never be used. Please choose something harder to guess."
@@ -13,11 +13,13 @@ module Devise
13
13
  extend ActiveSupport::Concern
14
14
 
15
15
  included do
16
- validate :not_pwned_password
16
+ validate :not_pwned_password, if: :password_required?
17
17
  end
18
18
 
19
19
  module ClassMethods
20
20
  Devise::Models.config(self, :min_password_matches)
21
+ Devise::Models.config(self, :pwned_password_open_timeout)
22
+ Devise::Models.config(self, :pwned_password_read_timeout)
21
23
  end
22
24
 
23
25
  private
@@ -43,10 +45,15 @@ module Devise
43
45
 
44
46
  uri = URI.parse("https://api.pwnedpasswords.com/range/#{prefix}")
45
47
 
46
- Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
47
- request = Net::HTTP::Get.new(uri.request_uri, "User-Agent" => userAgent)
48
- response = http.request request
49
- return usage_count(response.read_body, suffix) >= self.class.min_password_matches
48
+ begin
49
+ Net::HTTP.start(uri.host, uri.port, use_ssl: true, open_timeout: self.class.pwned_password_open_timeout, read_timeout: self.class.pwned_password_read_timeout) do |http|
50
+ request = Net::HTTP::Get.new(uri.request_uri, "User-Agent" => userAgent)
51
+ response = http.request request
52
+ return false unless response.is_a?(Net::HTTPSuccess)
53
+ return usage_count(response.read_body, suffix) >= self.class.min_password_matches
54
+ end
55
+ rescue StandardError
56
+ return false
50
57
  end
51
58
 
52
59
  false
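Review bot: The new `rescue StandardError` / `return false` at the end of the `Net::HTTP.start` block maps every failure — open/read timeouts, DNS and TLS errors, but also programming errors such as a `NoMethodError` raised inside the block — to "password not pwned", and it does so without any log line, so an outage of the check is invisible to operators. The fail-open choice itself is documented as deliberate in the comment inside `not_pwned_password` below, but the rescue should be narrowed to the network failures that are expected here, e.g. `rescue Net::OpenTimeout, Net::ReadTimeout, SocketError, OpenSSL::SSL::SSLError, SystemCallError => e`, and the failure logged before returning `false`. The same applies to `return false unless response.is_a?(Net::HTTPSuccess)`: a 429 or 5xx from the API silently accepts the password, so a log line that records `response.code` would make the degraded state observable. The enclosing method starts outside the hunk.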
@@ -55,8 +62,7 @@ module Devise
55
62
  def not_pwned_password
56
63
  # This deliberately fails silently on 500's etc. Most apps wont want to tie the ability to sign up customers to the availability of a third party API
57
64
  if password_pwned?(password)
58
- # Error message taken from https://haveibeenpwned.com/Passwords
59
- errors.add(:password, "This password has previously appeared in a data breach and should never be used. Please choose something harder to guess.")
65
+ errors.add(:password, :pwned_password)
60
66
  end
61
67
  end
62
68
  end
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Devise
4
4
  module PwnedPassword
5
- VERSION = "0.1.2"
5
+ VERSION = "0.1.3"
6
6
  end
7
7
  end
@@ -4,11 +4,17 @@ require "devise"
4
4
  require "devise/pwned_password/model"
5
5
 
6
6
  module Devise
7
- mattr_accessor :min_password_matches
7
+ mattr_accessor :min_password_matches, :pwned_password_open_timeout, :pwned_password_read_timeout
8
8
  @@min_password_matches = 1
9
+ @@pwned_password_open_timeout = 5
10
+ @@pwned_password_read_timeout = 5
9
11
 
10
12
  module PwnedPassword
11
13
  end
12
14
  end
13
15
 
16
+ # Load default I18n
17
+ #
18
+ I18n.load_path.unshift File.join(File.dirname(__FILE__), *%w[pwned_password locales en.yml])
19
+
14
20
  Devise.add_module :pwned_password, model: "devise_pwned_password/model"
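Review bot: The `I18n.load_path.unshift` line relies on `File.dirname(__FILE__)`, which can yield a relative path depending on how the file was required; `I18n.load_path.unshift File.expand_path("pwned_password/locales/en.yml", __dir__)` gives an absolute path and reads more directly than the `*%w[...]` splat. The two-line comment above it ends in a dangling `#`, and it would be more useful if it recorded the ordering choice, e.g. `# Prepend so an application's own locale files, loaded later, override these defaults.` — that appears to be why `unshift` was used instead of `<<`, though it is worth confirming. The new `@@pwned_password_open_timeout = 5` and `@@pwned_password_read_timeout = 5` defaults agree with the README, but the unit is only implied; a trailing `# seconds` on those two lines would spare readers a trip to the Net::HTTP docs.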
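--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: devise-pwned_password
  version: !ruby/object:Gem::Version
- version: 0.1.2
+ version: 0.1.3
  platform: ruby
  authors:
  - Michael Banfield
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2018-02-25 00:00:00.000000000 Z
+ date: 2018-03-06 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rails
@@ -78,6 +78,7 @@ files:
  - README.md
  - Rakefile
  - lib/devise/pwned_password.rb
+ - lib/devise/pwned_password/locales/en.yml
  - lib/devise/pwned_password/model.rb
  - lib/devise/pwned_password/version.rb
  - lib/tasks/devise/pwned_password_tasks.rake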