devise-unpwn 0.9

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ad6db676f32e9c18ae0589c9d774ebfd8bb17c456f1f65bf7ec715d090127ceb
+  data.tar.gz: de2f820bc97b83efaed6d5a9e59e319c3cf9b85a2762735e49f71b9c98421620
+SHA512:
+  metadata.gz: a70ad60f8892de118e70f45eb52fc8a568b21c835a1fdccbf1a5106fad80db998d02a8c4eabff879a2e86704116ac7e5e39a002af0b875ea1915d830443bb67e
+  data.tar.gz: 81d0c716c7e3238a5eb1d57ed8b4d580e8baa1da19d7eab76c7c1e8328ebd2390d3af6001d917ca5e1e61a95098a492b27549a7613bbfb52de786de5f1bfbb47

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2017 Michael
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,125 @@
+# Devise::Unpwn
+Devise extension that checks user passwords against the HaveIBeenPwned dataset https://haveibeenpwned.com/Passwords
+
+Based on
+
+https://github.com/michaelbanfield/devise-pwned_password
+
+
+## Usage
+Add the :unpwned module to your existing Devise model.
+
+```ruby
+class AdminUser < ApplicationRecord
+  devise :database_authenticatable, 
+         :recoverable, :rememberable, :trackable, :validatable, :unpwned
+end
+```
+
+Users will receive the following error message if they use a password from the
+HaveIBeenPwned dataset:
+
+```
+Password has previously appeared in a data breach and should never be used. Please choose something harder to guess.
+```
+
+You can customize this error message by modifying the `devise` YAML file.
+
+```yml
+# config/locales/devise.en.yml
+en:
+  errors:
+    messages:
+      pwned_password: "has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it immediately!"
+```
+
+You can optionally warn existing users when they sign in if they are using a password from the HaveIBeenPwned dataset. The default message is:
+
+```
+Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password.
+```
+
+You can customize this message by modifying the `devise` YAML file.
+
+```yml
+# config/locales/devise.en.yml
+en:
+  devise:
+    sessions:
+      warn_pwned: "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password everywhere you have used it."
+```
+
+By default passwords are rejected if they appear at all in the data set.
+Optionally, you can add the following snippet to `config/initializers/devise.rb`
+if you want the error message to be displayed only when the password is present
+a certain number of times in the data set:
+
+```ruby
+# Minimum number of times a pwned password must exist in the data set in order
+# to be reject.
+config.min_password_matches = 10
+```
+
+By default responses from the HaveIBeenPwned API are timed out after 5 seconds
+to reduce potential latency problems.
+Optionally, you can add the following snippet to `config/initializers/devise.rb`
+to control the timeout settings:
+
+```ruby
+config.unpwn_open_timeout = 1
+config.unpwn_read_timeout = 2
+```
+
+## Installation
+
+```bash
+bundle add devise-unpwn
+```
+
+Optionally, if you also want to warn existing users when they sign in, override `after_sign_in_path_for`
+```ruby
+def after_sign_in_path_for(resource)
+  set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
+  super
+end
+```
+
+This should generally be added in `app/controllers/application_controller.rb` for a rails app. For an Active Admin application the following monkey patch is needed.
+
+```ruby
+# config/initializers/active_admin_devise_sessions_controller.rb
+class ActiveAdmin::Devise::SessionsController
+  def after_sign_in_path_for(resource)
+      set_flash_message! :alert, :warn_pwned if resource.respond_to?(:pwned?) && resource.pwned?
+      super
+  end
+end
+```
+
+
+## Considerations
+
+A few things to consider/understand when using this gem:
+
+* User passwords are hashed using SHA-1 and then truncated to 5 characters,
+  implementing the k-Anonymity model described in
+  https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
+  Neither the clear-text password nor the full password hash is ever transmitted
+  to a third party. More implementation details and important caveats can be
+  found in https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
+
+* This puts an external API in the request path of users signing up to your
+  application. This could potentially add some latency to this operation. The
+  gem is designed to fail silently if the HaveIBeenPwned service is unavailable.
+
+## Contributing
+
+To contribute
+
+* Fork the repository
+* Make your changes
+* Run bin/test to make sure the unit tests still run
+* Send a pull request
+
+## License
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+begin
+  require "bundler/setup"
+  require "bundler/gem_tasks"
+rescue LoadError
+  puts "You must `gem install bundler` and `bundle install` to run rake tasks"
+end
+
+require "rdoc/task"
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = "rdoc"
+  rdoc.title = "Devise::Unpwn"
+  rdoc.options << "--line-numbers"
+  rdoc.rdoc_files.include("README.md")
+  rdoc.rdoc_files.include("lib/**/*.rb")
+end
+
+require "bundler/gem_tasks"
+
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.pattern = "test/**/*_test.rb"
+  t.verbose = false
+end
+
+task default: :test

data/lib/devise/unpwn/hooks/unpwn.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+Warden::Manager.after_set_user except: :fetch do |user, auth, opts|
+  password = auth.request.params.fetch(opts[:scope], {}).fetch(:password, nil)
+  password && auth.authenticated?(opts[:scope]) && user.respond_to?(:password_pwned?) && user.password_pwned?(password)
+end

data/lib/devise/unpwn/locales/en.yml

@@ -0,0 +1,7 @@
+en:
+  devise:
+    sessions:
+      warn_pwned: "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password."
+  errors:
+    messages:
+      pwned_password: "has previously appeared in a data breach and should never be used. Please choose something harder to guess."

data/lib/devise/unpwn/model.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require "net/http"
+require "devise/unpwn/hooks/unpwn"
+
+module Devise
+  module Models
+    # The Unpwn module adds a new validation for Devise Models.
+    # No modifications to routes or controllers needed.
+    # Simply add :unpwned to the list of included modules in your
+    # devise module, and all new registrations will be blocked if they use
+    # a password in this dataset https://haveibeenpwned.com/Passwords.
+    module Unpwned
+      extend ActiveSupport::Concern
+
+      included do
+        validate :unpwned_password, if: :password_required?
+      end
+
+      module ClassMethods
+        Devise::Models.config(self, :min_password_matches)
+        Devise::Models.config(self, :unpwn_open_timeout)
+        Devise::Models.config(self, :unpwn_read_timeout)
+      end
+
+      def pwned?
+        @pwned ||= false
+      end
+
+      # Returns true if password is present in the HaveIBeenPwned dataset
+      # Implement retry behaviour described here https://haveibeenpwned.com/API/v2#RateLimiting
+      def password_pwned?(password)
+        @pwned = false
+        hash = Digest::SHA1.hexdigest(password.to_s).upcase
+        prefix, suffix = hash.slice!(0..4), hash
+
+        user_agent = "devise_unpwn"
+
+        uri = URI.parse("https://api.pwnedpasswords.com/range/#{prefix}")
+
+        begin
+          Net::HTTP.start(uri.host, uri.port, use_ssl: true, open_timeout: self.class.unpwn_open_timeout, read_timeout: self.class.unpwn_read_timeout) do |http|
+            request = Net::HTTP::Get.new(uri.request_uri, "User-Agent" => user_agent)
+            response = http.request request
+            return false unless response.is_a?(Net::HTTPSuccess)
+            @pwned = usage_count(response.read_body, suffix) >= self.class.min_password_matches
+            return @pwned
+          end
+        rescue
+          return false
+        end
+
+        false
+      end
+
+      private
+
+      def usage_count(response, suffix)
+        count = 0
+        response.each_line do |line|
+          if line.start_with? suffix
+            count = line.strip.split(":").last.to_i
+            break
+          end
+        end
+        count
+      end
+
+      def unpwned_password
+        # This deliberately fails silently on 500's etc. Most apps wont want to tie the ability to sign up customers to the availability of a third party API
+        if password_pwned?(password)
+          errors.add(:password, :pwned_password)
+        end
+      end
+    end
+  end
+end

data/lib/devise/unpwn/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Devise
+  module Unpwn
+    VERSION = "0.9"
+  end
+end

data/lib/devise/unpwn.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require "devise"
+require "devise/unpwn/model"
+
+module Devise
+  mattr_accessor :min_password_matches, :unpwn_open_timeout, :unpwn_read_timeout
+  @@min_password_matches = 1
+  @@unpwn_open_timeout = 5
+  @@unpwn_read_timeout = 5
+
+  module Unpwn
+  end
+end
+
+# Load default I18n
+#
+I18n.load_path.unshift File.join(File.dirname(__FILE__), *%w[unpwn locales en.yml])
+
+Devise.add_module :unpwn, model: "devise/unpwn/model"

metadata

@@ -0,0 +1,66 @@
+--- !ruby/object:Gem::Specification
+name: devise-unpwn
+version: !ruby/object:Gem::Version
+  version: '0.9'
+platform: ruby
+authors:
+- André Arko
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2022-11-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4'
+description: Devise extension that checks user passwords against the HaveIBeenPwned
+  dataset.
+email:
+- andre@arko.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- lib/devise/unpwn.rb
+- lib/devise/unpwn/hooks/unpwn.rb
+- lib/devise/unpwn/locales/en.yml
+- lib/devise/unpwn/model.rb
+- lib/devise/unpwn/version.rb
+homepage: https://github.com/indirect/devise-unpwn
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.7
+signing_key:
+specification_version: 4
+summary: Devise extension that checks user passwords against the HaveIBeenPwned dataset.
+test_files: []