devise-pwned_password 0.1.8 → 0.1.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: be89bb3c81bab360c6d6037b19467554f64351de218448a82cd6b0b1b539b5ae
-  data.tar.gz: 4c53a8b3a1d26d3810b1a85af91c8aecc53f6d42f22c50ea7d29a6942e137cc7
+  metadata.gz: 366fc1a14fb5abd102a74ce7a814219815c3ab764ae7c2d3c14296fb72679f76
+  data.tar.gz: 682e24df4e1a6cbf674c58c34cac5a16f4a233d351f52f7400aa8f35a83e7f72
 SHA512:
-  metadata.gz: aebdde0d629534140a161ef2c0e5390aefd731253e0753ce833b616b89da8c0e74a1b0e8e7ecf02cd379460a3c856da1c922fbff057d347304ccbed1ad6c77e5
-  data.tar.gz: 384175a042d38bf567c27aec57563398f8b0f6768eb17e6dcddf208e26db19180cf72ee332f2cc1b0e005d44bf870f189264a85d84468c34c220fe42002b1eee
+  metadata.gz: 89f437434e88bc07874002f0baed66f210a15e4a7b9fa3d4377d4c9005c63d3b5a9f5476bf8ccb63ced1d34e81c1f8d3ab7d9f2137d332e6d3557fe4dad53456
+  data.tar.gz: de00ba890a8edad1bdac2281332f72570521794616666bd0efa1b50d0f138dbec1d852ba8de1639822caf7a8743130efe5318a8c94db57a2b48d97fac75e95aa

data/README.md

@@ -1,19 +1,23 @@
 # Devise::PwnedPassword
-Devise extension that checks user passwords against the PwnedPasswords dataset https://haveibeenpwned.com/Passwords
+Devise extension that checks user passwords against the PwnedPasswords dataset (https://haveibeenpwned.com/Passwords).
 
-Based on
+Checks for compromised ("pwned") passwords in 2 different places/ways:
+1. As a standard model validation using [pwned](https://github.com/philnash/pwned). This:
+   - prevents new users from being created (signing up) with a compromised password
+   - prevents existing users from changing their password to a password that is known to be compromised
+2. (Optionally) Whenever a user signs in, checks if their current password is compromised and shows a warning if it is.
 
-https://github.com/HCLarsen/devise-uncommon_password
+Based on [devise-uncommon_password](https://github.com/HCLarsen/devise-uncommon_password).
 
-Recently the HaveIBeenPwned API has moved to a authenticated/paid [model](https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/) , this does not effect the PwnedPasswords API, no payment or authentication is required.
+Recently the HaveIBeenPwned API has moved to an [authenticated/paid model](https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/), but this does not affect the PwnedPasswords API; no payment or authentication is required.
 
 
 ## Usage
-Add the :pwned_password module to your existing Devise model.
+Add the `:pwned_password` module to your existing Devise model.
 
 ```ruby
 class AdminUser < ApplicationRecord
-  devise :database_authenticatable, 
+  devise :database_authenticatable,
          :recoverable, :rememberable, :trackable, :validatable, :pwned_password
 end
 ```
@@ -25,6 +29,8 @@ PwnedPasswords dataset:
 Password has previously appeared in a data breach and should never be used. Please choose something harder to guess.
 ```
 
+## Configuration
+
 You can customize this error message by modifying the `devise` YAML file.
 
 ```yml
@@ -35,13 +41,71 @@ en:
       pwned_password: "has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it immediately!"
 ```
 
-You can optionally warn existing users when they sign in if they are using a password from the PwnedPasswords dataset. The default message is:
+By default passwords are rejected if they appear at all in the data set.
+Optionally, you can add the following snippet to `config/initializers/devise.rb`
+if you want the error message to be displayed only when the password is present
+a certain number of times in the data set:
+
+```ruby
+# Minimum number of times a pwned password must exist in the data set in order
+# to be reject.
+config.min_password_matches = 10
+```
+
+By default responses from the PwnedPasswords API are timed out after 5 seconds
+to reduce potential latency problems.
+Optionally, you can add the following snippet to `config/initializers/devise.rb`
+to control the timeout settings:
+
+```ruby
+config.pwned_password_open_timeout = 1
+config.pwned_password_read_timeout = 2
+```
+
+
+### How to warn existing users when they sign in
+
+You can optionally warn existing users when they sign in if they are using a password from the PwnedPasswords dataset.
+
+To enable this, you _must_ override `after_sign_in_path_for`, like this:
+
+```ruby
+# app/controllers/application_controller.rb
+
+  def after_sign_in_path_for(resource)
+    set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
+    super
+  end
+```
+
+For an [Active Admin](https://github.com/activeadmin/activeadmin) application the following monkey patch is needed:
+
+```ruby
+# config/initializers/active_admin_devise_sessions_controller.rb
+class ActiveAdmin::Devise::SessionsController
+  def after_sign_in_path_for(resource)
+    set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
+    super
+  end
+end
+```
+
+To prevent the default call to the HaveIBeenPwned API on user sign-in (only
+really useful if you're going to check `pwned?` after sign-in as used above),
+add the following to `config/initializers/devise.rb`:
+
+```ruby
+config.pwned_password_check_on_sign_in = false
+```
+
+#### Customize warning message
 
+The default message is:
 ```
 Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password.
 ```
 
-You can customize this message by modifying the `devise` YAML file.
+You can customize this message by modifying the `devise.en.yml` locale file.
 
 ```yml
 # config/locales/devise.en.yml
@@ -51,22 +115,15 @@ en:
       warn_pwned: "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password everywhere you have used it."
 ```
 
-By default passwords are rejected if they appear at all in the data set.
-Optionally, you can add the following snippet to `config/initializers/devise.rb`
-if you want the error message to be displayed only when the password is present
-a certain number of times in the data set:
+#### Customize the warning threshold
 
-```ruby
-# Minimum number of times a pwned password must exist in the data set in order
-# to be reject.
-config.min_password_matches = 10
-```
+By default the same value, `config.min_password_matches` is used as the threshold for rejecting a passwords for _new_ user sign-ups and for warning existing users.
 
-By default the value set above is used to reject passwords and warn users.
-Optionally, you can add the following snippet to `config/initializers/devise.rb`
-if you want to use different thresholds for rejecting the password and warning
+If you want to use different thresholds for rejecting the password and warning
 the user (for example you may only want to reject passwords that are common but
-warn if the password occurs at all in the list):
+warn if the password occurs at all in the list), you can set a different value for each.
+
+To change the threshold used for the warning _only_, add to `config/initializers/devise.rb`
 
 ```ruby
 # Minimum number of times a pwned password must exist in the data set in order
@@ -74,15 +131,11 @@ warn if the password occurs at all in the list):
 config.min_password_matches_warn = 1
 ```
 
-By default responses from the PwnedPasswords API are timed out after 5 seconds
-to reduce potential latency problems.
-Optionally, you can add the following snippet to `config/initializers/devise.rb`
-to control the timeout settings:
-
-```ruby
-config.pwned_password_open_timeout = 1
-config.pwned_password_read_timeout = 2
-```
+Note: If you do have a different warning threshold, that threshold will also be used
+when a user changes their password (added as an _error_!) so that they don't
+continue to be warned if they choose another password that is in the pwned list
+but occurs with a frequency below the main threshold that is used for *new*
+user registrations (`config.min_password_matches`).
 
 ### Disabling in test environments
 
@@ -107,32 +160,6 @@ And then execute:
 $ bundle install
 ```
 
-Optionally, if you also want to warn existing users when they sign in, override `after_sign_in_path_for`
-```ruby
-def after_sign_in_path_for(resource)
-  set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
-  super
-end
-```
-
-This should generally be added in ```app/controllers/application_controller.rb``` for a rails app. For an Active Admin application the following monkey patch is needed.
-
-```ruby
-# config/initializers/active_admin_devise_sessions_controller.rb
-class ActiveAdmin::Devise::SessionsController
-  def after_sign_in_path_for(resource)
-      set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
-      super
-  end
-end
-```
-
-To prevent the default call to the HaveIBeenPwned API on user sign in, add the following to `config/initializers/devise.rb`:
-
-```ruby
-config.pwned_password_check_on_sign_in = false
-```
-
 ## Considerations
 
 A few things to consider/understand when using this gem:
@@ -144,18 +171,19 @@ A few things to consider/understand when using this gem:
   to a third party. More implementation details and important caveats can be
   found in https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
 
-* This puts an external API in the request path of users signing up to your
-  application. This could potentially add some latency to this operation. The
-  gem is designed to fail silently if the PwnedPasswords service is unavailable.
+* This puts an external API in the request path of users signing up to your application. This could
+  potentially add some latency to this operation. The gem is designed to silently swallows errors if
+  the PwnedPasswords service is unavailable, allowing users to use compromised passwords during the
+  time when it is unavailable.
 
 ## Contributing
 
-To contribute
+To contribute:
 
 * Check the [issue tracker](https://github.com/michaelbanfield/devise-pwned_password/issues) and [pull requests](https://github.com/michaelbanfield/devise-pwned_password/pulls) for anything similar
 * Fork the repository
 * Make your changes
-* Run bin/test to make sure the unit tests still run
+* Run `bin/test` to make sure the unit tests still run
 * Send a pull request
 
 ## License

data/lib/devise/pwned_password/model.rb

@@ -14,7 +14,8 @@ module Devise
       extend ActiveSupport::Concern
 
       included do
-        validate :not_pwned_password, if: :password_required?
+        validate :not_pwned_password,
+          if: Devise.activerecord51? ? :will_save_change_to_encrypted_password? : :encrypted_password_changed?
       end
 
       module ClassMethods
@@ -46,9 +47,20 @@ module Devise
         pwned_password = Pwned::Password.new(password.to_s, options)
         begin
           @pwned_count = pwned_password.pwned_count
-          @pwned = @pwned_count >= (persisted? ? self.class.min_password_matches_warn || self.class.min_password_matches : self.class.min_password_matches)
+          @pwned = @pwned_count >= (
+            if persisted?
+              # If you do have a different warning threshold, that threshold will also be used
+              # when a user changes their password so that they don't continue to be warned if they
+              # choose another password that is in the pwned list but occurs with a frequency below
+              # the main threshold that is used for *new* user registrations.
+              self.class.min_password_matches_warn || self.class.min_password_matches
+            else
+                                                      self.class.min_password_matches
+            end
+          )
           return @pwned
         rescue Pwned::Error
+          # This deliberately silently swallows errors and returns false (valid) if there was an error. Most apps won't want to tie the ability to sign up users to the availability of a third-party API.
           return false
         end
 
@@ -58,9 +70,8 @@ module Devise
       private
 
         def not_pwned_password
-          # This deliberately fails silently on 500's etc. Most apps wont want to tie the ability to sign up customers to the availability of a third party API
           if password_pwned?(password)
-            errors.add(:password, :pwned_password)
+            errors.add(:password, :pwned_password, count: @pwned_count)
           end
         end
     end

data/lib/devise/pwned_password/version.rb

@@ -2,6 +2,6 @@
 
 module Devise
   module PwnedPassword
-    VERSION = "0.1.8"
+    VERSION = "0.1.9"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-pwned_password
 version: !ruby/object:Gem::Version
-  version: 0.1.8
+  version: 0.1.9
 platform: ruby
 authors:
 - Michael Banfield
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-01-10 00:00:00.000000000 Z
+date: 2020-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -39,21 +39,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 2.0.0
 - !ruby/object:Gem::Dependency
-  name: rails
+  name: byebug
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 5.1.2
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 5.1.2
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: sqlite3
+  name: capybara
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -66,6 +66,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.1.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.1.2
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
@@ -80,6 +94,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.52.1
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Devise extension that checks user passwords against the PwnedPasswords
   dataset https://haveibeenpwned.com/Passwords.
 email: