devise_zxcvbn 4.4.1 → 5.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 9cdd3611652924ce1a2ff81a832d5bc6a8f0ea61
-  data.tar.gz: c8fef0f8d2ba13d3eabce3fa5088531b715dd39b
+SHA256:
+  metadata.gz: ff8317142cd17809de1fe6825970d106063f6c1413ef86d24be86b1c5b4dcc51
+  data.tar.gz: 569c6ab6a45ffca59600a36a18c079d4924361680a22663872a2618fac99031e
 SHA512:
-  metadata.gz: 896fa3543e049ea4d8bd2230ae6a5ce2bbe3bdec4b53482b21c62d912e37ce3ec05f30ac839169a197f0ba195b787e38ee2129413c1ba8424cbe848001676dfd
-  data.tar.gz: c33446dd6366fbc6f9f857ffd8a14f284e0a58aba6c0e05ab3a780d718752bc3f61d2425a0d14ecc4a4635576756f146be27c63c3c48eca8d5f5b3be5ceac6e2
+  metadata.gz: 696f4916cc7e45b7f88fd7af2e972ce53185e294b07fd4a766106a6e5a9ae5ad545f71165d05d9341381eed31d9e4d9e35db8e16554500b464327979055b33f7
+  data.tar.gz: 58c4048efc829042e0bfb27c28614891e81bc853d65e5742592f19f99039723d786cffd5f29282674e29a04035642d4abdae5911500fc93b7b802ee58592f637

data/.gitignore

@@ -15,3 +15,4 @@ spec/reports
 test/tmp
 test/version_tmp
 tmp
+.byebug_history

data/README.md

@@ -1,6 +1,6 @@
 # devise_zxcvbn
 
-[![Gem Version](https://badge.fury.io/rb/devise_zxcvbn.png)](http://badge.fury.io/rb/devise_zxcvbn)
+[![Gem Version](https://badge.fury.io/rb/devise_zxcvbn.svg)](http://badge.fury.io/rb/devise_zxcvbn)
 [![Circle CI](https://circleci.com/gh/bitzesty/devise_zxcvbn.svg?style=svg)](https://circleci.com/gh/bitzesty/devise_zxcvbn)
 [![Code Climate](https://codeclimate.com/github/bitzesty/devise_zxcvbn/badges/gpa.svg)](https://codeclimate.com/github/bitzesty/devise_zxcvbn)
 
@@ -14,50 +14,87 @@ The scores 0, 1, 2, 3 or 4 are given when the estimated crack time (seconds) is
 
 Add this line to your application's Gemfile:
 
-    gem 'devise_zxcvbn'
-
+```ruby
+gem 'devise_zxcvbn'
+```
 
 ## Configuration
 
-    class User < ActiveRecord::Base
-      devise :zxcvbnable
+```ruby
+class User < ActiveRecord::Base
+  devise :zxcvbnable
+
+  # Optionally add more weak words to check against:
+  def weak_words
+    ['mysitename', self.name, self.username]
+  end
+end
+```
+
+## Available methods for devise resources
+
+```ruby
+class User < ApplicationRecord
+  devise :zxcvbnable
+end
 
-      # Optionally add more weak words to check against:
-      def weak_words
-        ['mysitename', self.name, self.username]
-      end
-    end
+user = User.new.tap do |user|
+  user.email = "example@example.com"
+  user.password = "123456789"
+end
+
+user.password_score => #<OpenStruct password="123456789", guesses=6, guesses_log10=0.7781512503836435, sequence=[{"pattern"=>"dictionary", "i"=>0, "j"=>8, "token"=>"123456789", "matched_word"=>"123456789", "rank"=>5, "dictionary_name"=>"passwords", "reversed"=>false, "l33t"=>false, "base_guesses"=>5, "uppercase_variations"=>1, "l33t_variations"=>1, "guesses"=>5, "guesses_log10"=>0.6989700043360187}], calc_time=15, crack_times_seconds={"online_throttling_100_per_hour"=>216, "online_no_throttling_10_per_second"=>0.6, "offline_slow_hashing_1e4_per_second"=>0.0006, "offline_fast_hashing_1e10_per_second"=>6.0e-10}, crack_times_display={"online_throttling_100_per_hour"=>"4 minutes", "online_no_throttling_10_per_second"=>"less than a second", "offline_slow_hashing_1e4_per_second"=>"less than a second", "offline_fast_hashing_1e10_per_second"=>"less than a second"}, score=0, feedback={"warning"=>"This is a top-10 common password", "suggestions"=>["Add another word or two. Uncommon words are better."]}>
+# returns a simple OpenStruct object so than you could send another messages to get more info
+
+user.password_weak? => true/false # returns a boolean result of checking of weakness of your set password
+```
 
 ### Default parameters
 
 _A score of less than 3 is not recommended._
 
-    # config/initializers/devise.rb
-    Devise.setup do |config|
-      config.min_password_score = 4
-    end
+```ruby
+# config/initializers/devise.rb
+Devise.setup do |config|
+  config.min_password_score = 4
+end
+```
 
 ### Error Message
 
 The default error message:
 
-    "not strong enough. It scored %{score}. It must score at least %{min_password_score}."
+```yml
+"not strong enough. It scored %{score}. It must score at least %{min_password_score}."
+```
 
 You can customize this error message modifying the `devise` YAML file.
 
-The `feedback`, `crack_time_display`, `score` and `min_password_score` variables are passed through if you need them.
+The `crack_time_display`, `password_sample`, `score` and `min_password_score` variables are passed through if you need them.
+
+```yml
+# config/locales/devise.en.yml
+en:
+  errors:
+    messages:
+      weak_password: "not strong enough. Consider adding a number, symbols or more letters to make it stronger."
+```
+
+### Skipping password complexity validation
 
-    # config/locales/devise.en.yml
-    en:
-      errors:
-        messages:
-          weak_password: "not strong enough. Consider adding a number, symbols or more letters to make it stronger."
+To turn off password complexity validation for certain conditions, you could implement a concern (or similar) that overloads `skip_password_complexity?`:
 
+```ruby
+def skip_password_complexity?
+  true
+end
+```
 
 ## Contributing
 
 1. Fork it
 2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
+3. Add test coverage for the feature, We use rspec for this purpose
+4. Commit your changes (`git commit -am 'Add some feature'`)
+5. Push to the branch (`git push origin my-new-feature`)
+6. Create new Pull Request

data/devise_zxcvbn.gemspec

@@ -23,6 +23,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rake"
   spec.add_development_dependency "rspec"
   spec.add_development_dependency "rspec_junit_formatter"
+  spec.add_development_dependency "byebug"
 
   spec.add_runtime_dependency "devise"
   spec.add_runtime_dependency("zxcvbn-js", "~> 4.4.1")

data/lib/devise_zxcvbn/errors/devise_zxcvbn_error.rb

@@ -0,0 +1,2 @@
+class DeviseZxcvbnError < StandardError # TODO: we need own hierarchy
+end

data/lib/devise_zxcvbn/model.rb

@@ -1,4 +1,6 @@
-require 'devise_zxcvbn/email_tokeniser'
+require "devise_zxcvbn/email_tokeniser"
+require "devise_zxcvbn/errors/devise_zxcvbn_error"
+require "ostruct"
 
 module Devise
   module Models
@@ -9,17 +11,21 @@ module Devise
       delegate :zxcvbn_tester, to: "self.class"
 
       included do
-        validate :not_weak_password, if: :password_required?
+        validate :strong_password, unless: :skip_password_complexity?
       end
 
       def password_score
-        @pass_score = self.class.password_score(self)
+        @password_score = self.class.password_score(self)
+      end
+
+      def password_weak?
+        password_score.score < min_password_score
       end
 
       private
 
-      def not_weak_password
-        if errors.messages.blank? && password_score.score < min_password_score
+      def strong_password
+        if errors.messages.blank? && password_weak?
           errors.add :password, :weak_password, i18n_variables
         end
       end
@@ -28,28 +34,30 @@ module Devise
         {
           feedback: zxcvbn_feedback,
           crack_time_display: time_to_crack,
-          score: @pass_score.score,
+          score: password_score.score,
           min_password_score: min_password_score
         }
       end
 
       def zxcvbn_feedback
-        feedback = @pass_score.feedback.values.flatten.reject(&:empty?)
-        return 'Add another word or two. Uncommon words are better.' if feedback.empty?
+        feedback = password_score.feedback.values.flatten.reject(&:empty?)
+        return "Add another word or two. Uncommon words are better." if feedback.empty?
 
-        feedback.join('. ').gsub(/\.\s*\./, '.')
+        feedback.join(". ").gsub(/\.\s*\./, ".")
       end
 
       def time_to_crack
-        @pass_score.crack_times_display['offline_fast_hashing_1e10_per_second']
+        password_score.crack_times_display["offline_fast_hashing_1e10_per_second"]
       end
 
-      module ClassMethods
+      class_methods do
         Devise::Models.config(self, :min_password_score)
         Devise::Models.config(self, :zxcvbn_tester)
 
-        def password_score(user, arg_email=nil)
-          password = user.respond_to?(:password) ? user.password.to_s : user
+        def password_score(user, arg_email = nil)
+          return raise DeviseZxcvbnError, "the object must respond to password" unless user.respond_to?(:password)
+
+          password = user.password.to_s
 
           zxcvbn_weak_words = []
 
@@ -58,14 +66,15 @@ module Devise
           end
 
           # User method results are saved locally to prevent repeat calls that might be expensive
-          if user.respond_to? :email
+          if user.respond_to?(:email)
             local_email = user.email
             zxcvbn_weak_words += [local_email, *DeviseZxcvbn::EmailTokeniser.split(local_email)]
           end
 
-          if user.respond_to? :weak_words
+          if user.respond_to?(:weak_words)
+            return raise DeviseZxcvbnError, "weak_words must return an Array" unless user.weak_words.is_a?(Array)
+
             local_weak_words = user.weak_words
-            raise "weak_words must return an Array" unless (local_weak_words.is_a? Array)
             zxcvbn_weak_words += local_weak_words
           end
 

data/lib/devise_zxcvbn/version.rb

@@ -1,3 +1,3 @@
 module DeviseZxcvbn
-  VERSION = "4.4.1"
+  VERSION = "5.0.0"
 end

data/spec/devise_zxcvbn/devise_zxcbn_spec.rb

@@ -1,7 +1,6 @@
 require "devise_zxcvbn"
 
 describe 'Devise zxcvbn' do
-
   it "Returns the default value for min_password_score of 4" do
     expect(Devise.min_password_score).to eq(4)
   end

data/spec/devise_zxcvbn/errors/devise_zxcvbn_error.rb

@@ -0,0 +1,2 @@
+class DeviseZxcvbnError < StandardError # TODO: we need own hierarchy
+end

data/spec/devise_zxcvbn/model_spec.rb

@@ -1,43 +1,130 @@
-require "devise"
-require "devise_zxcvbn"
-require "active_model"
-require "devise_zxcvbn/model"
+require 'active_model'
+require 'devise'
+require 'devise_zxcvbn'
+require 'devise_zxcvbn/model'
 
 describe Devise::Models::Zxcvbnable do
-  describe "#password_score" do
-    it "returns the score from zxcvbn_tester" do
-      password_score = DummyClass.new("12345678").password_score
-      expect(password_score.score).to eq(0)
-      expect(password_score.crack_times_display['offline_fast_hashing_1e10_per_second']).to eq("less than a second")
+  ValidDummyClass = Struct.new(:password, :skip_password_complexity, keyword_init: true) do
+    include ActiveModel::Validations
+    include Devise::Models::Zxcvbnable
+
+    def skip_password_complexity?
+      skip_password_complexity
     end
   end
 
-  describe "Password validation" do
-    it "Invalid if password score is less than the min_password_score" do
-      user = DummyClass.new("12345678")
-      expect(user).to_not be_valid
-      expect(user.errors[:password]).to eq(["not strong enough. It scored 0. It must score at least 4."])
+  let(:skip_password_complexity) { false }
+
+  describe '#password_score' do
+    context 'when password is strong' do
+      let(:user) { ValidDummyClass.new(password: 'Jm1C4C3aaDzC1aRW', skip_password_complexity: skip_password_complexity) }
+
+      it 'returns the score equal 4' do
+        password_score = user.password_score
+
+        expect(password_score.score).to eq(4)
+        expect(password_score.crack_times_display['offline_fast_hashing_1e10_per_second']).to eq('12 days')
+      end
+    end
+
+    context 'when password is weak' do
+      let(:user) { ValidDummyClass.new(password: '12345678', skip_password_complexity: skip_password_complexity) }
+
+      it 'returns the weak score' do
+        password_score = user.password_score
+
+        expect(password_score.score).to eq(0)
+        expect(password_score.crack_times_display['offline_fast_hashing_1e10_per_second']).to eq('less than a second')
+      end
     end
+  end
+
+  describe '#password_weak?' do
+    let(:user) { ValidDummyClass.new(password: 'Jm1C4C3aaDzC1aRW', skip_password_complexity: skip_password_complexity) }
 
-    it "Valid if password score is greater than the min_password_score" do
-      user = DummyClass.new("Jm1C4C3aaDzC")
-      expect(user).to be_valid
-      expect(user.errors[:password]).to be_empty
+    it 'returns false for the call of the method' do
+      expect(user.password_weak?).to be_falsey
     end
   end
 
-  class DummyClass
-    include ActiveModel::Validations
-    include Devise::Models::Zxcvbnable
+  describe 'validations' do
+    subject { resource.validate; resource }
+
+    let(:resource) { ValidDummyClass.new(password: password, skip_password_complexity: skip_password_complexity) }
+
+    context 'when password complexity check is required' do
+      context 'when password is strong' do
+        let(:password) { 'Jm1C4C3aaDzC1aRW' }
 
-    attr_accessor :password
+        it 'expects the model to be valid' do
+          expect(subject).to be_valid
+        end
 
-    def initialize(password)
-      @password = password
+        it 'returns empty validation messages' do
+          expect(subject.errors[:password]).to be_empty
+        end
+      end
+
+      context 'when password is weak' do
+        let(:password) { '12345678' }
+
+        it 'expects the model to be invalid' do
+          expect(subject).to be_invalid
+        end
+
+        it 'returns validation message' do
+          expect(subject.errors[:password])
+            .to eq(['not strong enough. It scored 0. It must score at least 4.'])
+        end
+      end
+    end
+
+    context 'when password complexity check is not required' do
+      let(:skip_password_complexity) { true }
+
+      context 'when password score is strong' do
+        let(:password) { 'Jm1C4C3aaDzC1aRW' }
+
+        it 'expects the model to be valid' do
+          expect(subject).to be_valid
+        end
+      end
+
+      context 'when password score is weak' do
+        let(:password) { '12345678' }
+
+        it 'expects the model to be valid' do
+          expect(subject).to be_valid
+        end
+      end
+    end
+  end
+
+  describe 'exceptions raises' do
+    context 'when password method is not given for instance' do
+      class InvalidPasswordDummyClass < ValidDummyClass
+        undef_method :password
+      end
+
+      let(:user) { InvalidPasswordDummyClass.new }
+
+      it 'raises exception regarding absence password method' do
+        expect { user.password_score }.to raise_error(DeviseZxcvbnError, 'the object must respond to password')
+      end
     end
 
-    def password_required?
-      true
+    context 'when weak_words method returns not Array' do
+      class InvalidWeakWordsDummyClass < ValidDummyClass
+        def weak_words
+          String.new()
+        end
+      end
+
+      let(:user) { InvalidWeakWordsDummyClass.new }
+
+      it 'raises exception regarding type of weak_words method' do
+        expect { user.password_score }.to raise_error(DeviseZxcvbnError, 'weak_words must return an Array')
+      end
     end
   end
 end

data/spec/spec_helper.rb

@@ -1,96 +1,11 @@
-# This file was generated by the `rspec --init` command. Conventionally, all
-# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
-# The generated `.rspec` file contains `--require spec_helper` which will cause
-# this file to always be loaded, without a need to explicitly require it in any
-# files.
-#
-# Given that it is always loaded, you are encouraged to keep this file as
-# light-weight as possible. Requiring heavyweight dependencies from this file
-# will add to the boot time of your test suite on EVERY test run, even for an
-# individual file that may not need all of that loaded. Instead, consider making
-# a separate helper file that requires the additional dependencies and performs
-# the additional setup, and require it from the spec files that actually need
-# it.
-#
-# The `.rspec` file also contains a few flags that are not defaults but that
-# users commonly want.
-#
-# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+require 'byebug'
+
 RSpec.configure do |config|
-  # rspec-expectations config goes here. You can use an alternate
-  # assertion/expectation library such as wrong or the stdlib/minitest
-  # assertions if you prefer.
   config.expect_with :rspec do |expectations|
-    # This option will default to `true` in RSpec 4. It makes the `description`
-    # and `failure_message` of custom matchers include text for helper methods
-    # defined using `chain`, e.g.:
-    #     be_bigger_than(2).and_smaller_than(4).description
-    #     # => "be bigger than 2 and smaller than 4"
-    # ...rather than:
-    #     # => "be bigger than 2"
     expectations.include_chain_clauses_in_custom_matcher_descriptions = true
   end
 
-  # rspec-mocks config goes here. You can use an alternate test double
-  # library (such as bogus or mocha) by changing the `mock_with` option here.
   config.mock_with :rspec do |mocks|
-    # Prevents you from mocking or stubbing a method that does not exist on
-    # a real object. This is generally recommended, and will default to
-    # `true` in RSpec 4.
     mocks.verify_partial_doubles = true
   end
-
-# The settings below are suggested to provide a good initial experience
-# with RSpec, but feel free to customize to your heart's content.
-=begin
-  # These two settings work together to allow you to limit a spec run
-  # to individual examples or groups you care about by tagging them with
-  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
-  # get run.
-  config.filter_run :focus
-  config.run_all_when_everything_filtered = true
-
-  # Allows RSpec to persist some state between runs in order to support
-  # the `--only-failures` and `--next-failure` CLI options. We recommend
-  # you configure your source control system to ignore this file.
-  config.example_status_persistence_file_path = "spec/examples.txt"
-
-  # Limits the available syntax to the non-monkey patched syntax that is
-  # recommended. For more details, see:
-  #   - http://rspec.info/blog/2012/06/rspecs-new-expectation-syntax/
-  #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
-  #   - http://rspec.info/blog/2014/05/notable-changes-in-rspec-3/#zero-monkey-patching-mode
-  config.disable_monkey_patching!
-
-  # This setting enables warnings. It's recommended, but in some cases may
-  # be too noisy due to issues in dependencies.
-  config.warnings = true
-
-  # Many RSpec users commonly either run the entire suite or an individual
-  # file, and it's useful to allow more verbose output when running an
-  # individual spec file.
-  if config.files_to_run.one?
-    # Use the documentation formatter for detailed output,
-    # unless a formatter has already been configured
-    # (e.g. via a command-line flag).
-    config.default_formatter = 'doc'
-  end
-
-  # Print the 10 slowest examples and example groups at the
-  # end of the spec run, to help surface which specs are running
-  # particularly slow.
-  config.profile_examples = 10
-
-  # Run specs in random order to surface order dependencies. If you find an
-  # order dependency and want to debug it, you can fix the order by providing
-  # the seed, which is printed after each run.
-  #     --seed 1234
-  config.order = :random
-
-  # Seed global randomization in this process using the `--seed` CLI option.
-  # Setting this allows you to use `--seed` to deterministically reproduce
-  # test failures related to randomization by passing the same `--seed` value
-  # as the one that triggered the failure.
-  Kernel.srand config.seed
-=end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_zxcvbn
 version: !ruby/object:Gem::Version
-  version: 4.4.1
+  version: 5.0.0
 platform: ruby
 authors:
 - Bit Zesty
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-27 00:00:00.000000000 Z
+date: 2019-11-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -80,6 +80,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
@@ -126,11 +140,13 @@ files:
 - devise_zxcvbn.gemspec
 - lib/devise_zxcvbn.rb
 - lib/devise_zxcvbn/email_tokeniser.rb
+- lib/devise_zxcvbn/errors/devise_zxcvbn_error.rb
 - lib/devise_zxcvbn/locales/en.yml
 - lib/devise_zxcvbn/model.rb
 - lib/devise_zxcvbn/version.rb
 - spec/devise_zxcvbn/devise_zxcbn_spec.rb
 - spec/devise_zxcvbn/email_tokeniser_spec.rb
+- spec/devise_zxcvbn/errors/devise_zxcvbn_error.rb
 - spec/devise_zxcvbn/model_spec.rb
 - spec/spec_helper.rb
 homepage: https://github.com/bitzesty/devise_zxcvbn
@@ -152,13 +168,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.5.1
+rubygems_version: 3.0.1
 signing_key: 
 specification_version: 4
 summary: Devise plugin to reject weak passwords
 test_files:
 - spec/devise_zxcvbn/devise_zxcbn_spec.rb
 - spec/devise_zxcvbn/email_tokeniser_spec.rb
+- spec/devise_zxcvbn/errors/devise_zxcvbn_error.rb
 - spec/devise_zxcvbn/model_spec.rb
 - spec/spec_helper.rb