devise-pwned_password 0.1.2 → 0.1.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +21 -1
- data/Rakefile +1 -1
- data/lib/devise/pwned_password/locales/en.yml +4 -0
- data/lib/devise/pwned_password/model.rb +13 -7
- data/lib/devise/pwned_password/version.rb +1 -1
- data/lib/devise/pwned_password.rb +7 -1
- metadata +3 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 33a24728b4d0e4bd0f038f228419b1be59ed1f37
|
4
|
+
data.tar.gz: 48256086d719c039ebe89b0015b3eb5ef0c7e2d6
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: e59fdefbc4f327c4cc93bb84532b67e57af8c59bb78270d3c9ec805bdd8319cb19b4a8241506c84daa04413abc5387c0e1ce2de78ee4a986f10fce1b889d1718
|
7
|
+
data.tar.gz: a9731a85f5d23f3c4ba0d67b6928719daa72623d51ae79fee1bd88c895bd638e18247c570e9ff2fcdffc601bb2bc15a985b8f80cb42c91250e921a20b3ff79b5
|
data/README.md
CHANGED
@@ -20,7 +20,17 @@ Users will receive the following error message if they use a password from the
|
|
20
20
|
PwnedPasswords dataset:
|
21
21
|
|
22
22
|
```
|
23
|
-
|
23
|
+
Password has previously appeared in a data breach and should never be used. Please choose something harder to guess.
|
24
|
+
```
|
25
|
+
|
26
|
+
You can customize this error message by modifying the `devise` YAML file.
|
27
|
+
|
28
|
+
```yml
|
29
|
+
# config/locales/devise.en.yml
|
30
|
+
en:
|
31
|
+
errors:
|
32
|
+
messages:
|
33
|
+
pwned_password: "has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it immediately!"
|
24
34
|
```
|
25
35
|
|
26
36
|
By default passwords are rejected if they appear at all in the data set.
|
@@ -34,6 +44,16 @@ a certain number of times in the data set:
|
|
34
44
|
config.min_password_matches = 10
|
35
45
|
```
|
36
46
|
|
47
|
+
By default responses from the PwnedPasswords API are timed out after 5 seconds
|
48
|
+
to reduce potential latency problems.
|
49
|
+
Optionally, you can add the following snippet to `config/initializers/devise.rb`
|
50
|
+
to control the timeout settings:
|
51
|
+
|
52
|
+
```ruby
|
53
|
+
config.pwned_password_open_timeout = 1
|
54
|
+
config.pwned_password_read_timeout = 2
|
55
|
+
```
|
56
|
+
|
37
57
|
## Installation
|
38
58
|
Add this line to your application's Gemfile:
|
39
59
|
|
data/Rakefile
CHANGED
@@ -13,11 +13,13 @@ module Devise
|
|
13
13
|
extend ActiveSupport::Concern
|
14
14
|
|
15
15
|
included do
|
16
|
-
validate :not_pwned_password
|
16
|
+
validate :not_pwned_password, if: :password_required?
|
17
17
|
end
|
18
18
|
|
19
19
|
module ClassMethods
|
20
20
|
Devise::Models.config(self, :min_password_matches)
|
21
|
+
Devise::Models.config(self, :pwned_password_open_timeout)
|
22
|
+
Devise::Models.config(self, :pwned_password_read_timeout)
|
21
23
|
end
|
22
24
|
|
23
25
|
private
|
@@ -43,10 +45,15 @@ module Devise
|
|
43
45
|
|
44
46
|
uri = URI.parse("https://api.pwnedpasswords.com/range/#{prefix}")
|
45
47
|
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
48
|
+
begin
|
49
|
+
Net::HTTP.start(uri.host, uri.port, use_ssl: true, open_timeout: self.class.pwned_password_open_timeout, read_timeout: self.class.pwned_password_read_timeout) do |http|
|
50
|
+
request = Net::HTTP::Get.new(uri.request_uri, "User-Agent" => userAgent)
|
51
|
+
response = http.request request
|
52
|
+
return false unless response.is_a?(Net::HTTPSuccess)
|
53
|
+
return usage_count(response.read_body, suffix) >= self.class.min_password_matches
|
54
|
+
end
|
55
|
+
rescue StandardError
|
56
|
+
return false
|
50
57
|
end
|
51
58
|
|
52
59
|
false
|
@@ -55,8 +62,7 @@ module Devise
|
|
55
62
|
def not_pwned_password
|
56
63
|
# This deliberately fails silently on 500's etc. Most apps wont want to tie the ability to sign up customers to the availability of a third party API
|
57
64
|
if password_pwned?(password)
|
58
|
-
|
59
|
-
errors.add(:password, "This password has previously appeared in a data breach and should never be used. Please choose something harder to guess.")
|
65
|
+
errors.add(:password, :pwned_password)
|
60
66
|
end
|
61
67
|
end
|
62
68
|
end
|
@@ -4,11 +4,17 @@ require "devise"
|
|
4
4
|
require "devise/pwned_password/model"
|
5
5
|
|
6
6
|
module Devise
|
7
|
-
mattr_accessor :min_password_matches
|
7
|
+
mattr_accessor :min_password_matches, :pwned_password_open_timeout, :pwned_password_read_timeout
|
8
8
|
@@min_password_matches = 1
|
9
|
+
@@pwned_password_open_timeout = 5
|
10
|
+
@@pwned_password_read_timeout = 5
|
9
11
|
|
10
12
|
module PwnedPassword
|
11
13
|
end
|
12
14
|
end
|
13
15
|
|
16
|
+
# Load default I18n
|
17
|
+
#
|
18
|
+
I18n.load_path.unshift File.join(File.dirname(__FILE__), *%w[pwned_password locales en.yml])
|
19
|
+
|
14
20
|
Devise.add_module :pwned_password, model: "devise_pwned_password/model"
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: devise-pwned_password
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Michael Banfield
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2018-
|
11
|
+
date: 2018-03-06 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rails
|
@@ -78,6 +78,7 @@ files:
|
|
78
78
|
- README.md
|
79
79
|
- Rakefile
|
80
80
|
- lib/devise/pwned_password.rb
|
81
|
+
- lib/devise/pwned_password/locales/en.yml
|
81
82
|
- lib/devise/pwned_password/model.rb
|
82
83
|
- lib/devise/pwned_password/version.rb
|
83
84
|
- lib/tasks/devise/pwned_password_tasks.rake
|