devise-pwned_password 0.1.6 → 0.1.7
- checksums.yaml +4 -4
- data/README.md +25 -0
- data/lib/devise/pwned_password.rb +2 -1
- data/lib/devise/pwned_password/model.rb +3 -3
- data/lib/devise/pwned_password/version.rb +1 -1
- metadata +5 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0fdfba1dbe52e83f4602f98e239ef62c6ad92a1346815029a2aec3bb2976eed6
|
4
|
+
data.tar.gz: c40237b9177787a83fb95f4518bf052cc6bb432f98b90bbd68da8a560dbb0c4a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8661a918985d645e5c72bc89d2c03ace4be72251148147b1b56f3efecdf8d91918747ac12f39d4a3da372a4689ff0c55d457f6b6514ce0fed97bed344678cebc
|
7
|
+
data.tar.gz: 3f464595848aa209b9b28ade9cfe7100ccb4854b1973b351b187c51416cf5a556a72feab3665f3467b35ae5d46b52428ea0884c6fee383901f34227cb5623dc7
|
data/README.md
CHANGED
@@ -5,6 +5,8 @@ Based on
|
|
5
5
|
|
6
6
|
https://github.com/HCLarsen/devise-uncommon_password
|
7
7
|
|
8
|
+
Recently the HaveIBeenPwned API has moved to a authenticated/paid [model](https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/) , this does not effect the PwnedPasswords API, no payment or authentication is required.
|
9
|
+
|
8
10
|
|
9
11
|
## Usage
|
10
12
|
Add the :pwned_password module to your existing Devise model.
|
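Review bot: The sentence added in this hunk has two grammar slips and a stray space before the comma: "a authenticated/paid" should read "an authenticated/paid", and "does not effect the PwnedPasswords API" should read "does not affect the PwnedPasswords API". Suggested wording: `Recently the HaveIBeenPwned API has moved to an authenticated/paid [model](https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/); this does not affect the PwnedPasswords API, which still requires no payment or authentication.`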
@@ -60,6 +62,18 @@ a certain number of times in the data set:
|
|
60
62
|
config.min_password_matches = 10
|
61
63
|
```
|
62
64
|
|
65
|
+
By default the value set above is used to reject passwords and warn users.
|
66
|
+
Optionally, you can add the following snippet to `config/initializers/devise.rb`
|
67
|
+
if you want to use different thresholds for rejecting the password and warning
|
68
|
+
the user (for example you may only want to reject passwords that are common but
|
69
|
+
warn if the password occurs at all in the list):
|
70
|
+
|
71
|
+
```ruby
|
72
|
+
# Minimum number of times a pwned password must exist in the data set in order
|
73
|
+
# to warn the user.
|
74
|
+
config.min_password_matches_warn = 1
|
75
|
+
```
|
76
|
+
|
63
77
|
By default responses from the PwnedPasswords API are timed out after 5 seconds
|
64
78
|
to reduce potential latency problems.
|
65
79
|
Optionally, you can add the following snippet to `config/initializers/devise.rb`
|
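Review bot: The new paragraph on `min_password_matches_warn` never states which records the warn threshold is applied to, so a reader cannot tell from the README how "reject" and "warn" differ in practice. The model change in this same release only consults `min_password_matches_warn` when the record is already persisted, and falls back to `min_password_matches` when the warn value is left at its `nil` default; new records are always checked against `min_password_matches`. A sentence after the code block such as `The warn threshold is only used for existing (persisted) users; new sign-ups are always checked against config.min_password_matches, and leaving config.min_password_matches_warn unset makes both thresholds equal.` would close the gap.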
@@ -70,6 +84,17 @@ config.pwned_password_open_timeout = 1
|
|
70
84
|
config.pwned_password_read_timeout = 2
|
71
85
|
```
|
72
86
|
|
87
|
+
### Disabling in test environments
|
88
|
+
|
89
|
+
Currently this module cannot be mocked out for test environments. Because an API call is made this can slow down tests, or make test fixtures needlessly complex (dynamically generated passwords). The module can be disabled in test environments like this.
|
90
|
+
|
91
|
+
```ruby
|
92
|
+
class User < ApplicationRecord
|
93
|
+
devise :invitable ... :validatable, :lockable
|
94
|
+
devise :pwned_password unless Rails.env.test?
|
95
|
+
end
|
96
|
+
```
|
97
|
+
|
73
98
|
## Installation
|
74
99
|
Add this line to your application's Gemfile:
|
75
100
|
|
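Review bot: The example drops the module entirely under `Rails.env.test?`, which also removes the `password_pwned?` instance method from `User` in the test environment; any controller or service code that calls it (for example to show the warning to existing users) will raise NoMethodError in the suite instead of being exercised, and the paragraph should say so. The line `devise :invitable ... :validatable, :lockable` should also be flagged as illustrative, since the literal `...` is not valid Ruby and the snippet as written cannot be pasted into a model.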
@@ -4,8 +4,9 @@ require "devise"
|
|
4
4
|
require "devise/pwned_password/model"
|
5
5
|
|
6
6
|
module Devise
|
7
|
-
mattr_accessor :min_password_matches, :pwned_password_open_timeout, :pwned_password_read_timeout
|
7
|
+
mattr_accessor :min_password_matches, :min_password_matches_warn, :pwned_password_open_timeout, :pwned_password_read_timeout
|
8
8
|
@@min_password_matches = 1
|
9
|
+
@@min_password_matches_warn = nil
|
9
10
|
@@pwned_password_open_timeout = 5
|
10
11
|
@@pwned_password_read_timeout = 5
|
11
12
|
|
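Review bot: The new `@@min_password_matches_warn = nil` default carries no comment explaining what `nil` means, and the fallback that gives it meaning (`min_password_matches_warn || min_password_matches`) lives in `model.rb`, so the intent is not visible from this file. Add a one-line comment above it along the lines of `# nil means: use min_password_matches for warnings as well`, and document the accessor as expecting an Integer or nil, since a `false` value would silently take the same fallback path.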
@@ -19,6 +19,7 @@ module Devise
|
|
19
19
|
|
20
20
|
module ClassMethods
|
21
21
|
Devise::Models.config(self, :min_password_matches)
|
22
|
+
Devise::Models.config(self, :min_password_matches_warn)
|
22
23
|
Devise::Models.config(self, :pwned_password_open_timeout)
|
23
24
|
Devise::Models.config(self, :pwned_password_read_timeout)
|
24
25
|
end
|
@@ -32,20 +33,19 @@ module Devise
|
|
32
33
|
end
|
33
34
|
|
34
35
|
# Returns true if password is present in the PwnedPasswords dataset
|
35
|
-
# Implement retry behaviour described here https://haveibeenpwned.com/API/v2#RateLimiting
|
36
36
|
def password_pwned?(password)
|
37
37
|
@pwned = false
|
38
38
|
@pwned_count = 0
|
39
39
|
|
40
40
|
options = {
|
41
|
-
"User-Agent" => "devise_pwned_password",
|
41
|
+
headers: { "User-Agent" => "devise_pwned_password" },
|
42
42
|
read_timeout: self.class.pwned_password_read_timeout,
|
43
43
|
open_timeout: self.class.pwned_password_open_timeout
|
44
44
|
}
|
45
45
|
pwned_password = Pwned::Password.new(password.to_s, options)
|
46
46
|
begin
|
47
47
|
@pwned_count = pwned_password.pwned_count
|
48
|
-
@pwned = @pwned_count >= self.class.min_password_matches
|
48
|
+
@pwned = @pwned_count >= (persisted? ? self.class.min_password_matches_warn || self.class.min_password_matches : self.class.min_password_matches)
|
49
49
|
return @pwned
|
50
50
|
rescue Pwned::Error
|
51
51
|
return false
|
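Review bot: The threshold selection on the added line, `@pwned = @pwned_count >= (persisted? ? self.class.min_password_matches_warn || self.class.min_password_matches : self.class.min_password_matches)`, keys off `persisted?`, which does not distinguish an existing user signing in (where the README says only a warning is wanted) from an existing user changing their password (where the reject threshold should apply); as written, a persisted user's new password is validated against the lower warn value, contradicting the README's reject/warn split. Suggest moving the choice into a small private method (e.g. `pwned_threshold`) that selects `min_password_matches` whenever a new password is being assigned (for instance when the `password` attribute is non-nil) rather than on `persisted?`, which also rescues the readability of this very long line. Two smaller points on the same hunk: the switch from a top-level `"User-Agent" => "devise_pwned_password"` option to `headers: { "User-Agent" => ... }` is a behavioural fix independent of the warn feature and is not mentioned in the README changes, so it deserves a note in the release notes; and the `# Implement retry behaviour described here https://haveibeenpwned.com/API/v2#RateLimiting` comment is removed without retry being implemented, while `rescue Pwned::Error` still returns `false` (treating an API failure as "not pwned"), so that TODO should stay or be tracked elsewhere.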
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: devise-pwned_password
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.7
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Michael Banfield
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2019-12-24 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: devise
|
@@ -30,14 +30,14 @@ dependencies:
|
|
30
30
|
requirements:
|
31
31
|
- - "~>"
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version:
|
33
|
+
version: 2.0.0
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - "~>"
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version:
|
40
|
+
version: 2.0.0
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: rails
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
@@ -116,8 +116,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
116
116
|
- !ruby/object:Gem::Version
|
117
117
|
version: '0'
|
118
118
|
requirements: []
|
119
|
-
|
120
|
-
rubygems_version: 2.7.6
|
119
|
+
rubygems_version: 3.0.3
|
121
120
|
signing_key:
|
122
121
|
specification_version: 4
|
123
122
|
summary: Devise extension that checks user passwords against the PwnedPasswords dataset.
|