devise_zxcvbn 1.1.2 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1dae3acba04710e99c8a022e397283d0cd650ec0
-  data.tar.gz: 3be3d11c83669c805e1cb89bc454d1e61c370732
+  metadata.gz: 27e05473f188650ce1ca066798ea1e9e36de7c02
+  data.tar.gz: f818364bd7315028a02e6918ce155a716389534e
 SHA512:
-  metadata.gz: 3b16f5142230f80015bf5299ed620931fffff881eadae6e4891e3e80f1658e55b7d07ea3c5014a67b27f242f000cd4bb67d58921a4addeff581e4a8b52f4505b
-  data.tar.gz: d012890d4a2325e46ddacf65a69c7c210b7ff596a30fea98d9b5e8c0fbc117a2ff257527378dcf79595027b4a012f81f3e450f4c45b4d0a39f0bde79b867bddf
+  metadata.gz: 667fa1d6eb19a08e1af744f617750a0cc414c5101b731a7814d7f2c75a2c876fc5eb67a6ff6421177971f6033f9e171e9fa8816ce00cdcb1ee9d699ffec3c459
+  data.tar.gz: 73df73acc005b46d4d83c877a3125ceb18169ec03d64143f47755d5343dab08a1cff4ba24ac498f118586c20e1fa22e3e29a7c924d720fd5cb85faf4454f6e9e

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/README.md

@@ -1,9 +1,12 @@
 # devise_zxcvbn
 
 [![Gem Version](https://badge.fury.io/rb/devise_zxcvbn.png)](http://badge.fury.io/rb/devise_zxcvbn)
+[![Circle CI](https://circleci.com/gh/bitzesty/devise_zxcvbn.svg?style=svg)](https://circleci.com/gh/bitzesty/devise_zxcvbn)
+[![Code Climate](https://codeclimate.com/github/bitzesty/devise_zxcvbn/badges/gpa.svg)](https://codeclimate.com/github/bitzesty/devise_zxcvbn)
 
-Plugin for [devise](https://github.com/plataformatec/devise) to reject weak passwords, using [zxcvbn-ruby](https://github.com/envato/zxcvbn-ruby) which is a ruby port of [zxcvbn: realistic password strength estimation](https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/).
-The user's password will be rejected if the score is below 4 by default. It also uses the email as user input to zxcvbn, to downscore passwords containing the email.
+Plugin for [devise](https://github.com/plataformatec/devise) to reject weak passwords, using [zxcvbn-js](https://github.com/bitzesty/zxcvbn-js) which is a ruby port of [zxcvbn: realistic password strength estimation](https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/).
+
+The user's password will be rejected if the score is below 4 by default. It also uses the email as user input to zxcvbn, to reject passwords containing parts of the email (if using zxcvbn.js on the frontend you should also do this to get the same score).
 
 The scores 0, 1, 2, 3 or 4 are given when the estimated crack time (seconds) is less than `10**2`, `10**4`, `10**6`, `10**8`, Infinity.
 
@@ -14,15 +17,20 @@ Add this line to your application's Gemfile:
     gem 'devise_zxcvbn'
 
 
-## Devise Configuration
+## Configuration
 
     class User < ActiveRecord::Base
-      devise :database_authenticatable, :validatable, :zxcvbnable
+      devise :zxcvbnable
+
+      # Optionally add more weak words to check against:
+      def weak_words
+        ['mysitename', self.name, self.username]
+      end
     end
 
 ### Default parameters
 
-A score of less than 3 is not recommended.
+_A score of less than 3 is not recommended._
 
     # config/initializers/devise.rb
     Devise.setup do |config|
@@ -31,7 +39,13 @@ A score of less than 3 is not recommended.
 
 ### Error Message
 
-Example error message, the `score` and `min_password_score` variables are also passed through if you need them.
+The default error message:
+
+    "not strong enough. It scored %{score}. It must score at least %{min_password_score}."
+
+You can customize this error message modifying the `devise` YAML file.
+
+The `feedback`, `crack_time_display`, `score` and `min_password_score` variables are passed through if you need them.
 
     # config/locales/devise.en.yml
     en:

data/circle.yml

@@ -0,0 +1,9 @@
+## Customize machine
+machine:
+  ruby:
+    version:
+      2.2.3
+## Customize test commands
+test:
+  override:
+    - RAILS_ENV=test bundle exec rspec -r rspec_junit_formatter --format RspecJunitFormatter -o $CIRCLE_TEST_REPORTS/rspec/junit.xml

data/devise_zxcvbn.gemspec

@@ -6,9 +6,9 @@ require 'devise_zxcvbn/version'
 Gem::Specification.new do |spec|
   spec.name          = "devise_zxcvbn"
   spec.version       = DeviseZxcvbn::VERSION
-  spec.authors       = ["Matthew Ford"]
-  spec.email         = ["matt@bitzesty.com"]
-  spec.description   = %q{It adds password strength checking via ruby-zxcvbn to reject weak passwords }
+  spec.authors       = ["Bit Zesty"]
+  spec.email         = ["info@bitzesty.com"]
+  spec.description   = %q{This gems works with devise to provide backend password strength checking via zxcvbn-js to reject weak passwords }
   spec.summary       = %q{Devise plugin to reject weak passwords}
   spec.homepage      = "https://github.com/bitzesty/devise_zxcvbn"
   spec.license       = "MIT"
@@ -18,10 +18,12 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
+  spec.add_development_dependency "activemodel"
   spec.add_development_dependency "bundler", "~> 1.3"
   spec.add_development_dependency "rake"
-  spec.add_development_dependency "rspec", "~> 2.14"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "rspec_junit_formatter"
 
   spec.add_runtime_dependency "devise"
-  spec.add_runtime_dependency("zxcvbn-ruby", ">= 0.0.2")
+  spec.add_runtime_dependency("zxcvbn-js", "~> 4.2.0")
 end

data/lib/devise_zxcvbn.rb

@@ -4,22 +4,22 @@ require "zxcvbn"
 
 module Devise
 
+  # The minimun score for a password.
+  mattr_reader :min_password_score
   @@min_password_score = 4
 
-  def self.min_password_score
-    @@min_password_score
-  end
-    
   def self.min_password_score=(score)
-    if (0..4).include?(score)
-      if score < 3
-        ::Rails.logger.warn "[devise_zxcvbn] A score of less than 3 is not recommended." 
-      end
-      @@min_password_score = score
-    else
-      raise "The min_password_score must be an integer and between 0..4"
-    end
+    raise "The min_password_score must be an integer and between 0..4" unless (0..4).include?(score)
+    @@min_password_score = score
+  end
+
+  def self.zxcvbn_tester
+    @@zxcvbn_tester ||= ::Zxcvbn::Tester.new
   end
 end
 
-Devise.add_module :zxcvbnable, :model => "devise_zxcvbn/model"
+# Load default I18n
+#
+I18n.load_path.unshift File.join(File.dirname(__FILE__), *%w[devise_zxcvbn locales en.yml])
+
+Devise.add_module :zxcvbnable, model: "devise_zxcvbn/model"

data/lib/devise_zxcvbn/locales/en.yml

@@ -0,0 +1,4 @@
+en:
+  errors:
+    messages:
+      weak_password: "not strong enough. It scored %{score}. It must score at least %{min_password_score}."

data/lib/devise_zxcvbn/model.rb

@@ -6,41 +6,70 @@ module Devise
       extend ActiveSupport::Concern
 
       delegate :min_password_score, to: "self.class"
+      delegate :zxcvbn_tester, to: "self.class"
 
       included do
         validate :not_weak_password, if: :password_required?
       end
 
       def password_score
-        self.class.password_score(self)
+        @pass_score = self.class.password_score(self)
       end
 
       private
 
       def not_weak_password
-        if password_score < min_password_score
-          self.errors.add :password, :weak_password, score: password_score, min_password_score: min_password_score
-          return false
+        if password_score.score < min_password_score
+          errors.add :password, :weak_password, i18n_variables
         end
       end
 
+      def i18n_variables
+        {
+          feedback: zxcvbn_feedback,
+          crack_time_display: time_to_crack,
+          score: @pass_score.score,
+          min_password_score: min_password_score
+        }
+      end
+
+      def zxcvbn_feedback
+        feedback = @pass_score.feedback.values.flatten.reject(&:empty?)
+        return 'Add another word or two. Uncommon words are better.' if feedback.empty?
+
+        feedback.join('. ').gsub(/\.\s*\./, '.')
+      end
+
+      def time_to_crack
+        @pass_score.crack_times_display['offline_fast_hashing_1e10_per_second']
+      end
+
       module ClassMethods
         Devise::Models.config(self, :min_password_score)
+        Devise::Models.config(self, :zxcvbn_tester)
+
+        def password_score(user, arg_email=nil)
+          password = user.respond_to?(:password) ? user.password : user
 
-        def password_score(user, email=nil)
-          password = nil
-          weak_words = []
+          zxcvbn_weak_words = []
 
-          if user.is_a? String
-            password = user
-          else
-            password = user.password
-            email = user.email unless email
+          if arg_email
+            zxcvbn_weak_words += [arg_email, *DeviseZxcvbn::EmailTokeniser.split(arg_email)]
           end
 
-          weak_words = [email, *DeviseZxcvbn::EmailTokeniser.split(email)] if email
+          # User method results are saved locally to prevent repeat calls that might be expensive
+          if user.respond_to? :email
+            local_email = user.email
+            zxcvbn_weak_words += [local_email, *DeviseZxcvbn::EmailTokeniser.split(local_email)]
+          end
+
+          if user.respond_to? :weak_words
+            local_weak_words = user.weak_words
+            raise "weak_words must return an Array" unless (local_weak_words.is_a? Array)
+            zxcvbn_weak_words += local_weak_words
+          end
 
-          ::Zxcvbn.test(password, weak_words).score
+          zxcvbn_tester.test(password, zxcvbn_weak_words)
         end
       end
     end

data/lib/devise_zxcvbn/version.rb

@@ -1,3 +1,3 @@
 module DeviseZxcvbn
-  VERSION = "1.1.2"
+  VERSION = "2.1.0"
 end

data/spec/devise_zxcvbn/devise_zxcbn_spec.rb

@@ -0,0 +1,23 @@
+require "devise_zxcvbn"
+
+describe 'Devise zxcvbn' do
+
+  it "Returns the default value for min_password_score of 4" do
+    expect(Devise.min_password_score).to eq(4)
+  end
+
+  it "Raises an error if min_password_score value is out of range" do
+    expect { Devise.min_password_score = 8 }.to raise_error("The min_password_score must be an integer and between 0..4")
+  end
+
+  it "Sets the min_password_score value" do
+    Devise.min_password_score = 2
+    expect(Devise.min_password_score).to eq(2)
+    Devise.min_password_score = 4 # Restore default
+  end
+
+  it "returns a memoized instance of Zxcvbn::Tester" do
+    expect(::Zxcvbn::Tester).to receive(:new).once.and_call_original
+    2.times { Devise.zxcvbn_tester }
+  end
+end

data/spec/devise_zxcvbn/model_spec.rb

@@ -0,0 +1,43 @@
+require "devise"
+require "devise_zxcvbn"
+require "active_model"
+require "devise_zxcvbn/model"
+
+describe Devise::Models::Zxcvbnable do
+  describe "#password_score" do
+    it "returns the score from zxcvbn_tester" do
+      password_score = DummyClass.new("12345678").password_score
+      expect(password_score.score).to eq(0)
+      expect(password_score.crack_times_display['offline_fast_hashing_1e10_per_second']).to eq("less than a second")
+    end
+  end
+
+  describe "Password validation" do
+    it "Invalid if password score is less than the min_password_score" do
+      user = DummyClass.new("12345678")
+      expect(user).to_not be_valid
+      expect(user.errors[:password]).to eq(["not strong enough. It scored 0. It must score at least 4."])
+    end
+
+    it "Valid if password score is greater than the min_password_score" do
+      user = DummyClass.new("Jm1C4C3aaDzC")
+      expect(user).to be_valid
+      expect(user.errors[:password]).to be_empty
+    end
+  end
+
+  class DummyClass
+    include ActiveModel::Validations
+    include Devise::Models::Zxcvbnable
+
+    attr_accessor :password
+
+    def initialize(password)
+      @password = password
+    end
+
+    def password_required?
+      true
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,96 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause
+# this file to always be loaded, without a need to explicitly require it in any
+# files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need
+# it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+=begin
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Allows RSpec to persist some state between runs in order to support
+  # the `--only-failures` and `--next-failure` CLI options. We recommend
+  # you configure your source control system to ignore this file.
+  config.example_status_persistence_file_path = "spec/examples.txt"
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://rspec.info/blog/2012/06/rspecs-new-expectation-syntax/
+  #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://rspec.info/blog/2014/05/notable-changes-in-rspec-3/#zero-monkey-patching-mode
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+=end
+end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: devise_zxcvbn
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 2.1.0
 platform: ruby
 authors:
-- Matthew Ford
+- Bit Zesty
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-11-27 00:00:00.000000000 Z
+date: 2016-02-11 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: activemodel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -42,24 +56,24 @@ dependencies:
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.14'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.14'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: devise
+  name: rspec_junit_formatter
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  type: :runtime
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
@@ -67,37 +81,58 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: zxcvbn-ruby
+  name: devise
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.0.2
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.0.2
-description: 'It adds password strength checking via ruby-zxcvbn to reject weak passwords '
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: zxcvbn-js
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.2.0
+description: 'This gems works with devise to provide backend password strength checking
+  via zxcvbn-js to reject weak passwords '
 email:
-- matt@bitzesty.com
+- info@bitzesty.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".rspec"
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
+- circle.yml
 - devise_zxcvbn.gemspec
 - lib/devise_zxcvbn.rb
 - lib/devise_zxcvbn/email_tokeniser.rb
+- lib/devise_zxcvbn/locales/en.yml
 - lib/devise_zxcvbn/model.rb
 - lib/devise_zxcvbn/version.rb
+- spec/devise_zxcvbn/devise_zxcbn_spec.rb
 - spec/devise_zxcvbn/email_tokeniser_spec.rb
+- spec/devise_zxcvbn/model_spec.rb
+- spec/spec_helper.rb
 homepage: https://github.com/bitzesty/devise_zxcvbn
 licenses:
 - MIT
@@ -123,4 +158,7 @@ signing_key:
 specification_version: 4
 summary: Devise plugin to reject weak passwords
 test_files:
+- spec/devise_zxcvbn/devise_zxcbn_spec.rb
 - spec/devise_zxcvbn/email_tokeniser_spec.rb
+- spec/devise_zxcvbn/model_spec.rb
+- spec/spec_helper.rb