devise-pwned_password 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 33a24728b4d0e4bd0f038f228419b1be59ed1f37
-  data.tar.gz: 48256086d719c039ebe89b0015b3eb5ef0c7e2d6
+  metadata.gz: 9034d6a6d49339f92023d27ef40b8633a2332ded
+  data.tar.gz: 1e429adc52ffb2aff28985d9a1636aec657b686a
 SHA512:
-  metadata.gz: e59fdefbc4f327c4cc93bb84532b67e57af8c59bb78270d3c9ec805bdd8319cb19b4a8241506c84daa04413abc5387c0e1ce2de78ee4a986f10fce1b889d1718
-  data.tar.gz: a9731a85f5d23f3c4ba0d67b6928719daa72623d51ae79fee1bd88c895bd638e18247c570e9ff2fcdffc601bb2bc15a985b8f80cb42c91250e921a20b3ff79b5
+  metadata.gz: 75aede6ba1404dc2065db2d404467071d1d00397da09ad141f760edb8d74617e750d8707e287ab2ebf088bb85cc1038acb36c7b6099c5dc73bc8372ebb66b067
+  data.tar.gz: 0ca55ec7326ed19bde60f5bc4d5cc55ffaf09b68a65a7162372078641668f743134b1267940e5ecfe5a5263cbb3b39078f93a3a0b9fa912b4fee6dca8bceb4fc

data/README.md

@@ -33,6 +33,22 @@ en:
       pwned_password: "has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it immediately!"
 ```
 
+You can optionally warn existing users when they sign in if they are using a password from the PwnedPasswords dataset. The default message is:
+
+```
+Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password.
+```
+
+You can customize this message by modifying the `devise` YAML file.
+
+```yml
+# config/locales/devise.en.yml
+en:
+  devise:
+    sessions:
+      warn_pwned: "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password everywhere you have used it."
+```
+
 By default passwords are rejected if they appear at all in the data set.
 Optionally, you can add the following snippet to `config/initializers/devise.rb`
 if you want the error message to be displayed only when the password is present
@@ -66,6 +82,26 @@ And then execute:
 $ bundle install
 ```
 
+Optionally, if you also want to warn existing users when they sign in, override `after_sign_in_path_for`
+```ruby
+def after_sign_in_path_for(resource)
+  set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
+  super
+end
+```
+
+This should generally be added in ```app/controllers/application_controller.rb``` for a rails app. For an Active Admin application the following monkey patch is needed.
+
+```ruby
+# config/initializers/active_admin_devise_sessions_controller.rb
+class ActiveAdmin::Devise::SessionsController
+  def after_sign_in_path_for(resource)
+      set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
+      super
+  end
+end
+```
+
 
 ## Considerations
 
@@ -90,7 +126,7 @@ To contribute
 * Fork the repository
 * Make your changes
 * Run bin/test to make sure the unit tests still run
-* Send a pull requests
+* Send a pull request
 
 ## License
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/lib/devise/pwned_password/hooks/pwned_password.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+Warden::Manager.after_set_user except: :fetch do |user, auth, opts|
+  password = auth.request.params.fetch(opts[:scope], {}).fetch(:password, nil)
+  password && auth.authenticated?(opts[:scope]) && user.respond_to?(:password_pwned?) && user.password_pwned?(password)
+end

data/lib/devise/pwned_password/locales/en.yml

@@ -1,4 +1,7 @@
 en:
+  devise:
+    sessions:
+      warn_pwned: "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password."
   errors:
     messages:
       pwned_password: "has previously appeared in a data breach and should never be used. Please choose something harder to guess."

data/lib/devise/pwned_password/model.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "net/http"
+require "devise/pwned_password/hooks/pwned_password"
 
 module Devise
   module Models
@@ -22,6 +23,36 @@ module Devise
         Devise::Models.config(self, :pwned_password_read_timeout)
       end
 
+      def pwned?
+        @pwned ||= false
+      end
+
+      # Returns true if password is present in the PwnedPasswords dataset
+      # Implement retry behaviour described here https://haveibeenpwned.com/API/v2#RateLimiting
+      def password_pwned?(password)
+        @pwned = false
+        hash = Digest::SHA1.hexdigest(password.to_s).upcase
+        prefix, suffix = hash.slice!(0..4), hash
+
+        userAgent = "devise_pwned_password"
+
+        uri = URI.parse("https://api.pwnedpasswords.com/range/#{prefix}")
+
+        begin
+          Net::HTTP.start(uri.host, uri.port, use_ssl: true, open_timeout: self.class.pwned_password_open_timeout, read_timeout: self.class.pwned_password_read_timeout) do |http|
+            request = Net::HTTP::Get.new(uri.request_uri, "User-Agent" => userAgent)
+            response = http.request request
+            return false unless response.is_a?(Net::HTTPSuccess)
+            @pwned = usage_count(response.read_body, suffix) >= self.class.min_password_matches
+            return @pwned
+          end
+        rescue StandardError
+          return false
+        end
+
+        false
+      end
+
       private
 
         def usage_count(response, suffix)
@@ -35,30 +66,6 @@ module Devise
           count
         end
 
-        # Returns true if password is present in the PwnedPasswords dataset
-        # Implement retry behaviour described here https://haveibeenpwned.com/API/v2#RateLimiting
-        def password_pwned?(password)
-          hash = Digest::SHA1.hexdigest(password).upcase
-          prefix, suffix = hash.slice!(0..4), hash
-
-          userAgent = "devise_pwned_password"
-
-          uri = URI.parse("https://api.pwnedpasswords.com/range/#{prefix}")
-
-          begin
-            Net::HTTP.start(uri.host, uri.port, use_ssl: true, open_timeout: self.class.pwned_password_open_timeout, read_timeout: self.class.pwned_password_read_timeout) do |http|
-              request = Net::HTTP::Get.new(uri.request_uri, "User-Agent" => userAgent)
-              response = http.request request
-              return false unless response.is_a?(Net::HTTPSuccess)
-              return usage_count(response.read_body, suffix) >= self.class.min_password_matches
-            end
-          rescue StandardError
-            return false
-          end
-
-          false
-        end
-
         def not_pwned_password
           # This deliberately fails silently on 500's etc. Most apps wont want to tie the ability to sign up customers to the availability of a third party API
           if password_pwned?(password)

data/lib/devise/pwned_password/version.rb

@@ -2,6 +2,6 @@
 
 module Devise
   module PwnedPassword
-    VERSION = "0.1.3"
+    VERSION = "0.1.4"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-pwned_password
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Michael Banfield
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-06 00:00:00.000000000 Z
+date: 2018-03-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -78,6 +78,7 @@ files:
 - README.md
 - Rakefile
 - lib/devise/pwned_password.rb
+- lib/devise/pwned_password/hooks/pwned_password.rb
 - lib/devise/pwned_password/locales/en.yml
 - lib/devise/pwned_password/model.rb
 - lib/devise/pwned_password/version.rb