devise-pwned_password 0.1.7 → 0.1.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0fdfba1dbe52e83f4602f98e239ef62c6ad92a1346815029a2aec3bb2976eed6
-  data.tar.gz: c40237b9177787a83fb95f4518bf052cc6bb432f98b90bbd68da8a560dbb0c4a
+  metadata.gz: be89bb3c81bab360c6d6037b19467554f64351de218448a82cd6b0b1b539b5ae
+  data.tar.gz: 4c53a8b3a1d26d3810b1a85af91c8aecc53f6d42f22c50ea7d29a6942e137cc7
 SHA512:
-  metadata.gz: 8661a918985d645e5c72bc89d2c03ace4be72251148147b1b56f3efecdf8d91918747ac12f39d4a3da372a4689ff0c55d457f6b6514ce0fed97bed344678cebc
-  data.tar.gz: 3f464595848aa209b9b28ade9cfe7100ccb4854b1973b351b187c51416cf5a556a72feab3665f3467b35ae5d46b52428ea0884c6fee383901f34227cb5623dc7
+  metadata.gz: aebdde0d629534140a161ef2c0e5390aefd731253e0753ce833b616b89da8c0e74a1b0e8e7ecf02cd379460a3c856da1c922fbff057d347304ccbed1ad6c77e5
+  data.tar.gz: 384175a042d38bf567c27aec57563398f8b0f6768eb17e6dcddf208e26db19180cf72ee332f2cc1b0e005d44bf870f189264a85d84468c34c220fe42002b1eee

data/README.md

@@ -127,6 +127,11 @@ class ActiveAdmin::Devise::SessionsController
 end
 ```
 
+To prevent the default call to the HaveIBeenPwned API on user sign in, add the following to `config/initializers/devise.rb`:
+
+```ruby
+config.pwned_password_check_on_sign_in = false
+```
 
 ## Considerations
 

data/lib/devise/pwned_password.rb

@@ -4,9 +4,11 @@ require "devise"
 require "devise/pwned_password/model"
 
 module Devise
-  mattr_accessor :min_password_matches, :min_password_matches_warn, :pwned_password_open_timeout, :pwned_password_read_timeout
+  mattr_accessor :min_password_matches, :min_password_matches_warn, :pwned_password_check_on_sign_in,
+                 :pwned_password_open_timeout, :pwned_password_read_timeout
   @@min_password_matches = 1
   @@min_password_matches_warn = nil
+  @@pwned_password_check_on_sign_in = true
   @@pwned_password_open_timeout = 5
   @@pwned_password_read_timeout = 5
 

data/lib/devise/pwned_password/hooks/pwned_password.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 Warden::Manager.after_set_user except: :fetch do |user, auth, opts|
-  password = auth.request.params.fetch(opts[:scope], {}).fetch(:password, nil)
-  password && auth.authenticated?(opts[:scope]) && user.respond_to?(:password_pwned?) && user.password_pwned?(password)
+  if user.class.respond_to?(:pwned_password_check_on_sign_in) && user.class.pwned_password_check_on_sign_in
+    password = auth.request.params.fetch(opts[:scope], {}).fetch(:password, nil)
+    password && auth.authenticated?(opts[:scope]) && user.respond_to?(:password_pwned?) && user.password_pwned?(password)
+  end
 end

data/lib/devise/pwned_password/model.rb

@@ -20,6 +20,7 @@ module Devise
       module ClassMethods
         Devise::Models.config(self, :min_password_matches)
         Devise::Models.config(self, :min_password_matches_warn)
+        Devise::Models.config(self, :pwned_password_check_on_sign_in)
         Devise::Models.config(self, :pwned_password_open_timeout)
         Devise::Models.config(self, :pwned_password_read_timeout)
       end

data/lib/devise/pwned_password/version.rb

@@ -2,6 +2,6 @@
 
 module Devise
   module PwnedPassword
-    VERSION = "0.1.7"
+    VERSION = "0.1.8"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-pwned_password
 version: !ruby/object:Gem::Version
-  version: 0.1.7
+  version: 0.1.8
 platform: ruby
 authors:
 - Michael Banfield
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-12-24 00:00:00.000000000 Z
+date: 2020-01-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise