devise-pwned_password 0.1.1 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4d25ddf45c7eddaf3e5334a1fc1dde9dfd0c1299
-  data.tar.gz: 105d467a316fd317e76abb0226b0debecac123cc
+  metadata.gz: 9ef262f2244c9c92bd96259982b7fdcdf9b69118
+  data.tar.gz: c409c259481057b56aea0773b49cbe4b192a8847
 SHA512:
-  metadata.gz: cdad317bb782d686f9f0734dd5d519b0d1b0329e89d272466fe57ea9737d890b58f8a2e99951fa1c55af34088697ee0a0bb54796e9eb60c646048fbb7f8821dc
-  data.tar.gz: 005647a67db66a184ca7c53280c1743b985b15ca3a4968700de3c7e8aa549767d4880462219d7c02624f09887d58a299956f088c9399584fe9808ccf80b3f9d1
+  metadata.gz: 927ccc527b90c8b04e84e4a0d727a83a06ac97b715390c80a12cd511fd9d3645be3aec4ddc7dcc8c2507503a0a9cef60ae9871cd5a4d408727bcc30eb41d7760
+  data.tar.gz: 4eafd2132c7ceb6727e0efd5d059ceb3640988749e11fc471490f4c97efb8bfea4951b2b04dada6c1734e3d1dc7e54790c647d78838fbea0c91df92880fb1e24

data/README.md

@@ -16,13 +16,24 @@ class AdminUser < ApplicationRecord
 end
 ```
 
-
-Users will receive the following error message if they use a password from the PwnedPasswords dataset
+Users will receive the following error message if they use a password from the
+PwnedPasswords dataset:
 
 ```
 This password has previously appeared in a data breach and should never be used. Please choose something harder to guess.
 ```
 
+By default passwords are rejected if they appear at all in the data set.
+Optionally, you can add the following snippet to `config/initializers/devise.rb`
+if you want the error message to be displayed only when the password is present
+a certain number of times in the data set:
+
+```ruby
+# Minimum number of times a pwned password must exist in the data set in order
+# to be reject.
+config.min_password_matches = 10
+```
+
 ## Installation
 Add this line to your application's Gemfile:
 
@@ -35,6 +46,22 @@ And then execute:
 $ bundle install
 ```
 
+
+## Considerations
+
+A few things to consider/understand when using this gem:
+
+* User passwords are hashed using SHA-1 and then truncated to 5 characters,
+  implementing the k-Anonymity model described in
+  https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
+  Neither the clear-text password nor the full password hash is ever transmitted
+  to a third party. More implementation details and important caveats can be
+  found in https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
+
+* This puts an external API in the request path of users signing up to your
+  application. This could potentially add some latency to this operation. The
+  gem is designed to fail silently if the PwnedPasswords service is unavailable.
+
 ## Contributing
 
 To contribute

data/Rakefile

@@ -1,17 +1,20 @@
+# frozen_string_literal: true
+
 begin
-  require 'bundler/setup'
+  require "bundler/setup"
+  require 'bundler/gem_tasks'
 rescue LoadError
-  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+  puts "You must `gem install bundler` and `bundle install` to run rake tasks"
 end
 
-require 'rdoc/task'
+require "rdoc/task"
 
 RDoc::Task.new(:rdoc) do |rdoc|
-  rdoc.rdoc_dir = 'rdoc'
-  rdoc.title    = 'Devise::PwnedPassword'
-  rdoc.options << '--line-numbers'
-  rdoc.rdoc_files.include('README.md')
-  rdoc.rdoc_files.include('lib/**/*.rb')
+  rdoc.rdoc_dir = "rdoc"
+  rdoc.title    = "Devise::PwnedPassword"
+  rdoc.options << "--line-numbers"
+  rdoc.rdoc_files.include("README.md")
+  rdoc.rdoc_files.include("lib/**/*.rb")
 end
 
 
@@ -19,13 +22,13 @@ end
 
 
 
-require 'bundler/gem_tasks'
+require "bundler/gem_tasks"
 
-require 'rake/testtask'
+require "rake/testtask"
 
 Rake::TestTask.new(:test) do |t|
-  t.libs << 'test'
-  t.pattern = 'test/**/*_test.rb'
+  t.libs << "test"
+  t.pattern = "test/**/*_test.rb"
   t.verbose = false
 end
 

data/lib/devise/pwned_password/model.rb

@@ -1,4 +1,6 @@
-require 'net/http'
+# frozen_string_literal: true
+
+require "net/http"
 
 module Devise
   module Models
@@ -14,49 +16,49 @@ module Devise
         validate :not_pwned_password
       end
 
-      private
+      module ClassMethods
+        Devise::Models.config(self, :min_password_matches)
+      end
 
+      private
 
-      # Returns true if password is present in the PwnedPasswords dataset
-      # Implement retry behaviour described here https://haveibeenpwned.com/API/v2#RateLimiting
-      def is_password_pwned(password)
+        def usage_count(response, suffix)
+          count = 0
+          response.each_line do |line|
+            if line.start_with? suffix
+              count = line.strip.split(":").last.to_i
+              break
+            end
+          end
+          count
+        end
 
-        sha1Hash = Digest::SHA1.hexdigest password
+        # Returns true if password is present in the PwnedPasswords dataset
+        # Implement retry behaviour described here https://haveibeenpwned.com/API/v2#RateLimiting
+        def password_pwned?(password)
+          hash = Digest::SHA1.hexdigest(password).upcase
+          prefix, suffix = hash.slice!(0..4), hash
 
-        userAgent = "devise_pwned_password"
+          userAgent = "devise_pwned_password"
 
-        uri = URI.parse("https://haveibeenpwned.com/api/v2/pwnedpassword/#{sha1Hash}")
+          uri = URI.parse("https://api.pwnedpasswords.com/range/#{prefix}")
 
-        Net::HTTP.start(uri.host, uri.port, :use_ssl => true) do |http|
-          request = Net::HTTP::Get.new(uri.request_uri, {'User-Agent' => userAgent})
-          3.times {
+          Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
+            request = Net::HTTP::Get.new(uri.request_uri, "User-Agent" => userAgent)
             response = http.request request
-            if response.code != '429'
-              return response.code == '200'
-            end
+            return usage_count(response.read_body, suffix) >= self.class.min_password_matches
+          end
 
-            retryAfter = response.get_fields('Retry-After')[0].to_i
-
-            if retryAfter > 10
-              #Exit early if the throttling is too high
-              return false
-            end
-
-            sleep retryAfter
-          } 
+          false
         end
 
-        return false
-      end
-
-      def not_pwned_password
-        
-        #This deliberately fails silently on 500's etc. Most apps wont want to tie the ability to sign up customers to the availability of a third party API
-        if is_password_pwned(password)
-          # Error message taken from https://haveibeenpwned.com/Passwords
-          errors.add(:password, "This password has previously appeared in a data breach and should never be used. Please choose something harder to guess.")
+        def not_pwned_password
+          # This deliberately fails silently on 500's etc. Most apps wont want to tie the ability to sign up customers to the availability of a third party API
+          if password_pwned?(password)
+            # Error message taken from https://haveibeenpwned.com/Passwords
+            errors.add(:password, "This password has previously appeared in a data breach and should never be used. Please choose something harder to guess.")
+          end
         end
-      end
     end
   end
-end
+end

data/lib/devise/pwned_password/version.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module Devise
   module PwnedPassword
-    VERSION = '0.1.1'
+    VERSION = "0.1.2"
   end
 end

data/lib/devise/pwned_password.rb

@@ -1,9 +1,14 @@
-require 'devise'
-require 'devise/pwned_password/model'
+# frozen_string_literal: true
+
+require "devise"
+require "devise/pwned_password/model"
 
 module Devise
+  mattr_accessor :min_password_matches
+  @@min_password_matches = 1
+
   module PwnedPassword
   end
 end
 
-Devise.add_module :pwned_password, model: "devise_pwned_password/model"
+Devise.add_module :pwned_password, model: "devise_pwned_password/model"

data/lib/tasks/devise/pwned_password_tasks.rake

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 # desc "Explaining what the task does"
 # task :devise_pwned_password do
 #   # Task goes here

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-pwned_password
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - Michael Banfield
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-10-05 00:00:00.000000000 Z
+date: 2018-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.52.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.52.1
 description: Devise extension that checks user passwords against the PwnedPasswords
   dataset https://haveibeenpwned.com/Passwords.
 email:
@@ -87,7 +101,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.12
+rubygems_version: 2.5.2
 signing_key: 
 specification_version: 4
 summary: Devise extension that checks user passwords against the PwnedPasswords dataset.