devise-pwned_password 0.1.4 → 0.1.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 9034d6a6d49339f92023d27ef40b8633a2332ded
-  data.tar.gz: 1e429adc52ffb2aff28985d9a1636aec657b686a
+SHA256:
+  metadata.gz: 366fc1a14fb5abd102a74ce7a814219815c3ab764ae7c2d3c14296fb72679f76
+  data.tar.gz: 682e24df4e1a6cbf674c58c34cac5a16f4a233d351f52f7400aa8f35a83e7f72
 SHA512:
-  metadata.gz: 75aede6ba1404dc2065db2d404467071d1d00397da09ad141f760edb8d74617e750d8707e287ab2ebf088bb85cc1038acb36c7b6099c5dc73bc8372ebb66b067
-  data.tar.gz: 0ca55ec7326ed19bde60f5bc4d5cc55ffaf09b68a65a7162372078641668f743134b1267940e5ecfe5a5263cbb3b39078f93a3a0b9fa912b4fee6dca8bceb4fc
+  metadata.gz: 89f437434e88bc07874002f0baed66f210a15e4a7b9fa3d4377d4c9005c63d3b5a9f5476bf8ccb63ced1d34e81c1f8d3ab7d9f2137d332e6d3557fe4dad53456
+  data.tar.gz: de00ba890a8edad1bdac2281332f72570521794616666bd0efa1b50d0f138dbec1d852ba8de1639822caf7a8743130efe5318a8c94db57a2b48d97fac75e95aa

data/README.md

@@ -1,17 +1,23 @@
 # Devise::PwnedPassword
-Devise extension that checks user passwords against the PwnedPasswords dataset https://haveibeenpwned.com/Passwords
+Devise extension that checks user passwords against the PwnedPasswords dataset (https://haveibeenpwned.com/Passwords).
 
-Based on
+Checks for compromised ("pwned") passwords in 2 different places/ways:
+1. As a standard model validation using [pwned](https://github.com/philnash/pwned). This:
+   - prevents new users from being created (signing up) with a compromised password
+   - prevents existing users from changing their password to a password that is known to be compromised
+2. (Optionally) Whenever a user signs in, checks if their current password is compromised and shows a warning if it is.
 
-https://github.com/HCLarsen/devise-uncommon_password
+Based on [devise-uncommon_password](https://github.com/HCLarsen/devise-uncommon_password).
+
+Recently the HaveIBeenPwned API has moved to an [authenticated/paid model](https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/), but this does not affect the PwnedPasswords API; no payment or authentication is required.
 
 
 ## Usage
-Add the :pwned_password module to your existing Devise model.
+Add the `:pwned_password` module to your existing Devise model.
 
 ```ruby
 class AdminUser < ApplicationRecord
-  devise :database_authenticatable, 
+  devise :database_authenticatable,
          :recoverable, :rememberable, :trackable, :validatable, :pwned_password
 end
 ```
@@ -23,6 +29,8 @@ PwnedPasswords dataset:
 Password has previously appeared in a data breach and should never be used. Please choose something harder to guess.
 ```
 
+## Configuration
+
 You can customize this error message by modifying the `devise` YAML file.
 
 ```yml
@@ -33,22 +41,6 @@ en:
       pwned_password: "has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it immediately!"
 ```
 
-You can optionally warn existing users when they sign in if they are using a password from the PwnedPasswords dataset. The default message is:
-
-```
-Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password.
-```
-
-You can customize this message by modifying the `devise` YAML file.
-
-```yml
-# config/locales/devise.en.yml
-en:
-  devise:
-    sessions:
-      warn_pwned: "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password everywhere you have used it."
-```
-
 By default passwords are rejected if they appear at all in the data set.
 Optionally, you can add the following snippet to `config/initializers/devise.rb`
 if you want the error message to be displayed only when the password is present
@@ -70,38 +62,103 @@ config.pwned_password_open_timeout = 1
 config.pwned_password_read_timeout = 2
 ```
 
-## Installation
-Add this line to your application's Gemfile:
 
-```ruby
-gem 'devise-pwned_password'
-```
+### How to warn existing users when they sign in
 
-And then execute:
-```bash
-$ bundle install
-```
+You can optionally warn existing users when they sign in if they are using a password from the PwnedPasswords dataset.
+
+To enable this, you _must_ override `after_sign_in_path_for`, like this:
 
-Optionally, if you also want to warn existing users when they sign in, override `after_sign_in_path_for`
 ```ruby
-def after_sign_in_path_for(resource)
-  set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
-  super
-end
+# app/controllers/application_controller.rb
+
+  def after_sign_in_path_for(resource)
+    set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
+    super
+  end
 ```
 
-This should generally be added in ```app/controllers/application_controller.rb``` for a rails app. For an Active Admin application the following monkey patch is needed.
+For an [Active Admin](https://github.com/activeadmin/activeadmin) application the following monkey patch is needed:
 
 ```ruby
 # config/initializers/active_admin_devise_sessions_controller.rb
 class ActiveAdmin::Devise::SessionsController
   def after_sign_in_path_for(resource)
-      set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
-      super
+    set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
+    super
   end
 end
 ```
 
+To prevent the default call to the HaveIBeenPwned API on user sign-in (only
+really useful if you're going to check `pwned?` after sign-in as used above),
+add the following to `config/initializers/devise.rb`:
+
+```ruby
+config.pwned_password_check_on_sign_in = false
+```
+
+#### Customize warning message
+
+The default message is:
+```
+Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password.
+```
+
+You can customize this message by modifying the `devise.en.yml` locale file.
+
+```yml
+# config/locales/devise.en.yml
+en:
+  devise:
+    sessions:
+      warn_pwned: "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password everywhere you have used it."
+```
+
+#### Customize the warning threshold
+
+By default the same value, `config.min_password_matches` is used as the threshold for rejecting a passwords for _new_ user sign-ups and for warning existing users.
+
+If you want to use different thresholds for rejecting the password and warning
+the user (for example you may only want to reject passwords that are common but
+warn if the password occurs at all in the list), you can set a different value for each.
+
+To change the threshold used for the warning _only_, add to `config/initializers/devise.rb`
+
+```ruby
+# Minimum number of times a pwned password must exist in the data set in order
+# to warn the user.
+config.min_password_matches_warn = 1
+```
+
+Note: If you do have a different warning threshold, that threshold will also be used
+when a user changes their password (added as an _error_!) so that they don't
+continue to be warned if they choose another password that is in the pwned list
+but occurs with a frequency below the main threshold that is used for *new*
+user registrations (`config.min_password_matches`).
+
+### Disabling in test environments
+
+Currently this module cannot be mocked out for test environments. Because an API call is made this can slow down tests, or make test fixtures needlessly complex (dynamically generated passwords). The module can be disabled in test environments like this.
+
+```ruby
+class User < ApplicationRecord
+  devise :invitable ...  :validatable, :lockable
+  devise :pwned_password unless Rails.env.test?
+end
+```
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'devise-pwned_password'
+```
+
+And then execute:
+```bash
+$ bundle install
+```
 
 ## Considerations
 
@@ -114,18 +171,19 @@ A few things to consider/understand when using this gem:
   to a third party. More implementation details and important caveats can be
   found in https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
 
-* This puts an external API in the request path of users signing up to your
-  application. This could potentially add some latency to this operation. The
-  gem is designed to fail silently if the PwnedPasswords service is unavailable.
+* This puts an external API in the request path of users signing up to your application. This could
+  potentially add some latency to this operation. The gem is designed to silently swallows errors if
+  the PwnedPasswords service is unavailable, allowing users to use compromised passwords during the
+  time when it is unavailable.
 
 ## Contributing
 
-To contribute
+To contribute:
 
 * Check the [issue tracker](https://github.com/michaelbanfield/devise-pwned_password/issues) and [pull requests](https://github.com/michaelbanfield/devise-pwned_password/pulls) for anything similar
 * Fork the repository
 * Make your changes
-* Run bin/test to make sure the unit tests still run
+* Run `bin/test` to make sure the unit tests still run
 * Send a pull request
 
 ## License

data/lib/devise/pwned_password.rb

@@ -4,8 +4,11 @@ require "devise"
 require "devise/pwned_password/model"
 
 module Devise
-  mattr_accessor :min_password_matches, :pwned_password_open_timeout, :pwned_password_read_timeout
+  mattr_accessor :min_password_matches, :min_password_matches_warn, :pwned_password_check_on_sign_in,
+                 :pwned_password_open_timeout, :pwned_password_read_timeout
   @@min_password_matches = 1
+  @@min_password_matches_warn = nil
+  @@pwned_password_check_on_sign_in = true
   @@pwned_password_open_timeout = 5
   @@pwned_password_read_timeout = 5
 

data/lib/devise/pwned_password/hooks/pwned_password.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 Warden::Manager.after_set_user except: :fetch do |user, auth, opts|
-  password = auth.request.params.fetch(opts[:scope], {}).fetch(:password, nil)
-  password && auth.authenticated?(opts[:scope]) && user.respond_to?(:password_pwned?) && user.password_pwned?(password)
+  if user.class.respond_to?(:pwned_password_check_on_sign_in) && user.class.pwned_password_check_on_sign_in
+    password = auth.request.params.fetch(opts[:scope], {}).fetch(:password, nil)
+    password && auth.authenticated?(opts[:scope]) && user.respond_to?(:password_pwned?) && user.password_pwned?(password)
+  end
 end

data/lib/devise/pwned_password/model.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "net/http"
+require "pwned"
 require "devise/pwned_password/hooks/pwned_password"
 
 module Devise
@@ -14,11 +14,14 @@ module Devise
       extend ActiveSupport::Concern
 
       included do
-        validate :not_pwned_password, if: :password_required?
+        validate :not_pwned_password,
+          if: Devise.activerecord51? ? :will_save_change_to_encrypted_password? : :encrypted_password_changed?
       end
 
       module ClassMethods
         Devise::Models.config(self, :min_password_matches)
+        Devise::Models.config(self, :min_password_matches_warn)
+        Devise::Models.config(self, :pwned_password_check_on_sign_in)
         Devise::Models.config(self, :pwned_password_open_timeout)
         Devise::Models.config(self, :pwned_password_read_timeout)
       end
@@ -27,26 +30,37 @@ module Devise
         @pwned ||= false
       end
 
+      def pwned_count
+        @pwned_count ||= 0
+      end
+
       # Returns true if password is present in the PwnedPasswords dataset
-      # Implement retry behaviour described here https://haveibeenpwned.com/API/v2#RateLimiting
       def password_pwned?(password)
         @pwned = false
-        hash = Digest::SHA1.hexdigest(password.to_s).upcase
-        prefix, suffix = hash.slice!(0..4), hash
-
-        userAgent = "devise_pwned_password"
-
-        uri = URI.parse("https://api.pwnedpasswords.com/range/#{prefix}")
+        @pwned_count = 0
 
+        options = {
+          headers: { "User-Agent" => "devise_pwned_password" },
+          read_timeout: self.class.pwned_password_read_timeout,
+          open_timeout: self.class.pwned_password_open_timeout
+        }
+        pwned_password = Pwned::Password.new(password.to_s, options)
         begin
-          Net::HTTP.start(uri.host, uri.port, use_ssl: true, open_timeout: self.class.pwned_password_open_timeout, read_timeout: self.class.pwned_password_read_timeout) do |http|
-            request = Net::HTTP::Get.new(uri.request_uri, "User-Agent" => userAgent)
-            response = http.request request
-            return false unless response.is_a?(Net::HTTPSuccess)
-            @pwned = usage_count(response.read_body, suffix) >= self.class.min_password_matches
-            return @pwned
-          end
-        rescue StandardError
+          @pwned_count = pwned_password.pwned_count
+          @pwned = @pwned_count >= (
+            if persisted?
+              # If you do have a different warning threshold, that threshold will also be used
+              # when a user changes their password so that they don't continue to be warned if they
+              # choose another password that is in the pwned list but occurs with a frequency below
+              # the main threshold that is used for *new* user registrations.
+              self.class.min_password_matches_warn || self.class.min_password_matches
+            else
+                                                      self.class.min_password_matches
+            end
+          )
+          return @pwned
+        rescue Pwned::Error
+          # This deliberately silently swallows errors and returns false (valid) if there was an error. Most apps won't want to tie the ability to sign up users to the availability of a third-party API.
           return false
         end
 
@@ -55,21 +69,9 @@ module Devise
 
       private
 
-        def usage_count(response, suffix)
-          count = 0
-          response.each_line do |line|
-            if line.start_with? suffix
-              count = line.strip.split(":").last.to_i
-              break
-            end
-          end
-          count
-        end
-
         def not_pwned_password
-          # This deliberately fails silently on 500's etc. Most apps wont want to tie the ability to sign up customers to the availability of a third party API
           if password_pwned?(password)
-            errors.add(:password, :pwned_password)
+            errors.add(:password, :pwned_password, count: @pwned_count)
           end
         end
     end

data/lib/devise/pwned_password/version.rb

@@ -2,6 +2,6 @@
 
 module Devise
   module PwnedPassword
-    VERSION = "0.1.4"
+    VERSION = "0.1.9"
   end
 end

metadata

@@ -1,45 +1,59 @@
 --- !ruby/object:Gem::Specification
 name: devise-pwned_password
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.1.9
 platform: ruby
 authors:
 - Michael Banfield
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-12 00:00:00.000000000 Z
+date: 2020-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: rails
+  name: devise
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.1.2
+        version: '4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.1.2
+        version: '4'
 - !ruby/object:Gem::Dependency
-  name: devise
+  name: pwned
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: 2.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
-  name: sqlite3
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: capybara
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -52,6 +66,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.1.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.1.2
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
@@ -66,6 +94,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.52.1
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Devise extension that checks user passwords against the PwnedPasswords
   dataset https://haveibeenpwned.com/Passwords.
 email:
@@ -102,8 +144,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Devise extension that checks user passwords against the PwnedPasswords dataset.