devise-pwned_password 0.1.6 → 0.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 312151610ff6e4356a09f6221bb5006c8f8bdc50b10af1528441dc4c669f3ab1
-  data.tar.gz: 20000f8294c2b771cb593879462298cf86f56dcaef048e118efb90d1969fbef8
+  metadata.gz: 0fdfba1dbe52e83f4602f98e239ef62c6ad92a1346815029a2aec3bb2976eed6
+  data.tar.gz: c40237b9177787a83fb95f4518bf052cc6bb432f98b90bbd68da8a560dbb0c4a
 SHA512:
-  metadata.gz: a1489bdd8a923bf5d249869b0ac84e950174b409c1e265721aee3101c9cba2eb690a921d4891f885d2aba9ab542a91a0069797eaff86cc2ac2c7d5bcd0bae693
-  data.tar.gz: b9dd8b2c3dd4342f6a228b56ed1f83738beb61b93cf66f21e09fad54a37ba1673e45c6c89e74b4cbbaa3b445466a4ff6bc3a3ee5ec53fa17d8618206047f68ad
+  metadata.gz: 8661a918985d645e5c72bc89d2c03ace4be72251148147b1b56f3efecdf8d91918747ac12f39d4a3da372a4689ff0c55d457f6b6514ce0fed97bed344678cebc
+  data.tar.gz: 3f464595848aa209b9b28ade9cfe7100ccb4854b1973b351b187c51416cf5a556a72feab3665f3467b35ae5d46b52428ea0884c6fee383901f34227cb5623dc7

data/README.md

@@ -5,6 +5,8 @@ Based on
 
 https://github.com/HCLarsen/devise-uncommon_password
 
+Recently the HaveIBeenPwned API has moved to a authenticated/paid [model](https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/) , this does not effect the PwnedPasswords API, no payment or authentication is required.
+
 
 ## Usage
 Add the :pwned_password module to your existing Devise model.
@@ -60,6 +62,18 @@ a certain number of times in the data set:
 config.min_password_matches = 10
 ```
 
+By default the value set above is used to reject passwords and warn users.
+Optionally, you can add the following snippet to `config/initializers/devise.rb`
+if you want to use different thresholds for rejecting the password and warning
+the user (for example you may only want to reject passwords that are common but
+warn if the password occurs at all in the list):
+
+```ruby
+# Minimum number of times a pwned password must exist in the data set in order
+# to warn the user.
+config.min_password_matches_warn = 1
+```
+
 By default responses from the PwnedPasswords API are timed out after 5 seconds
 to reduce potential latency problems.
 Optionally, you can add the following snippet to `config/initializers/devise.rb`
@@ -70,6 +84,17 @@ config.pwned_password_open_timeout = 1
 config.pwned_password_read_timeout = 2
 ```
 
+### Disabling in test environments
+
+Currently this module cannot be mocked out for test environments. Because an API call is made this can slow down tests, or make test fixtures needlessly complex (dynamically generated passwords). The module can be disabled in test environments like this.
+
+```ruby
+class User < ApplicationRecord
+  devise :invitable ...  :validatable, :lockable
+  devise :pwned_password unless Rails.env.test?
+end
+```
+
 ## Installation
 Add this line to your application's Gemfile:
 

data/lib/devise/pwned_password.rb

@@ -4,8 +4,9 @@ require "devise"
 require "devise/pwned_password/model"
 
 module Devise
-  mattr_accessor :min_password_matches, :pwned_password_open_timeout, :pwned_password_read_timeout
+  mattr_accessor :min_password_matches, :min_password_matches_warn, :pwned_password_open_timeout, :pwned_password_read_timeout
   @@min_password_matches = 1
+  @@min_password_matches_warn = nil
   @@pwned_password_open_timeout = 5
   @@pwned_password_read_timeout = 5
 

data/lib/devise/pwned_password/model.rb

@@ -19,6 +19,7 @@ module Devise
 
       module ClassMethods
         Devise::Models.config(self, :min_password_matches)
+        Devise::Models.config(self, :min_password_matches_warn)
         Devise::Models.config(self, :pwned_password_open_timeout)
         Devise::Models.config(self, :pwned_password_read_timeout)
       end
@@ -32,20 +33,19 @@ module Devise
       end
 
       # Returns true if password is present in the PwnedPasswords dataset
-      # Implement retry behaviour described here https://haveibeenpwned.com/API/v2#RateLimiting
       def password_pwned?(password)
         @pwned = false
         @pwned_count = 0
 
         options = {
-          "User-Agent" => "devise_pwned_password",
+          headers: { "User-Agent" => "devise_pwned_password" },
           read_timeout: self.class.pwned_password_read_timeout,
           open_timeout: self.class.pwned_password_open_timeout
         }
         pwned_password = Pwned::Password.new(password.to_s, options)
         begin
           @pwned_count = pwned_password.pwned_count
-          @pwned = @pwned_count >= self.class.min_password_matches
+          @pwned = @pwned_count >= (persisted? ? self.class.min_password_matches_warn || self.class.min_password_matches : self.class.min_password_matches)
           return @pwned
         rescue Pwned::Error
           return false

data/lib/devise/pwned_password/version.rb

@@ -2,6 +2,6 @@
 
 module Devise
   module PwnedPassword
-    VERSION = "0.1.6"
+    VERSION = "0.1.7"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-pwned_password
 version: !ruby/object:Gem::Version
-  version: 0.1.6
+  version: 0.1.7
 platform: ruby
 authors:
 - Michael Banfield
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-07-05 00:00:00.000000000 Z
+date: 2019-12-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.1
+        version: 2.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.1
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -116,8 +116,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Devise extension that checks user passwords against the PwnedPasswords dataset.