password_breach_alert 0.1.0

data/lib/devise/password_breach_alert.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'devise'
+require 'zxcvbn_password/devise'
+require 'common_password/devise'
+require 'pwned_password/devise'
+require 'devise/password_breach_alert/model'
+require 'password_breach_alert/breaches_policies'
+require 'password_breach_alert/breaches_filters'
+
+module Devise
+  extend ZxcvbnPassword::Devise
+  extend CommonPassword::Devise
+  extend PwnedPassword::Devise
+  mattr_accessor :pwned_active, :common_active, :zxcvbn_active
+  @@pwned_active = true
+  @@common_active = true
+  @@zxcvbn_active = true
+
+  mattr_accessor :breaches_policy, :breaches_filter, :breaches_filter_options
+  @@breaches_policy = 'PasswordBreachAlert::BreachesPolicies::SendDeviseNotification'
+  @@breaches_filter = 'PasswordBreachAlert::BreachesFilters::NewWithUser'
+  @@breaches_filter_options = -> { {} }
+
+  module PasswordBreachAlert
+  end
+end
+
+# Load default I18n
+#
+I18n.load_path.unshift File.join(File.dirname(__FILE__), 'password_breach_alert', 'locales', 'en.yml')
+I18n.load_path.unshift File.join(File.dirname(__FILE__), 'password_breach_alert', 'locales', 'it.yml')

data/lib/devise/password_breach_alert/locales/en.yml

@@ -0,0 +1,34 @@
+en:
+  activerecord:
+    attributes:
+      password_breach_alert/models/breach:
+        name: Name
+        title: Title
+        domain: Domain
+        breach_date: "Date of the breach"
+        added_date: "Date of the publication of the breach"
+        pwn_count: "Password count"
+        description: "Description"
+        logo_path: "Logo"
+        data_classes: "Classes of data breached"
+  devise:
+    mailer:
+      password_breach_alert:
+        subject: "Password breach alert"
+        hello: "Hello %{email},"
+        there_was_some_breach:
+          one: "We did some routine checks, and found out that an external service had a leak of sensitive data. It is possibile that amongs the violated credentials also those of your account are present. This is the info we recovered:"
+          other: "We did some routine checks, and found out that some external services had a leak of sensitive data. It is possibile that amongs the violated credentials also those of your account are present. This is the info we recovered:"
+        this_site_is_secure: "%{domain} is secure and we proactively work to avoid that other sites breaches could compromise users registered on %{domain}."
+        please_change_password: "For this reason, we suggest you to change your password, just as a precaution. It is possible that this is not necessary, but we'd rather bother you five minutes than risk that your account on %{domain} gets violated too."
+  errors:
+    messages:
+      common:
+        top100: 'The password you choose is extremely common: it appears in the list of the 100 most used password. To choose a secure password, you could compose togheter different words, possibly not too common. For example, "pepperoni" is easy too, but "pepperonipeskystaple" is easy to remember and hard to guess'
+        top1000: 'The password you choose is very common: it appears in the list of the 1000 most used password. To choose a more secure password, you could add a word or two. For example, "pepperoni" is too easy, but "pepperonipeskystaple" is easy to remember and hard to guess'
+        top10000: 'The password you choose is quite common. To choose a more secure password, you could add a word or two. For example, "pepperoni" is too easy, but "pepperonipeskystaple" is easy to remember and hard to guess'
+      pwned: "The password you choose has previously appeared in a data breach: this means that is insecure and should never be used. Please choose something harder to guess. For example, you can combine togheter different uncommon words."
+      zxcvbn: 'The password you choose is too easy to guess. In a scale from 0 to 4 it scores %{score}: an algorithm could guess it in %{crack_time_display}. To choose a more secure password, you could add a word or two. For example, "pepperoni" is too easy, but "pepperonipeskystaple" is easy to remember and hard to guess.'
+  time:
+    formats:
+      date_only: '%-d %b %Y'

data/lib/devise/password_breach_alert/locales/it.yml

@@ -0,0 +1,34 @@
+it:
+  activerecord:
+    attributes:
+      password_breach_alert/models/breach:
+        name: Nome
+        title: Titolo
+        domain: Domino
+        breach_date: "Data dell'intrusione"
+        added_date: "Data dell'aggiunta"
+        pwn_count: "Numero di password"
+        description: "Descrizione"
+        logo_path: "Logo"
+        data_classes: "Tipo di dati trapelati"
+  devise:
+    mailer:
+      password_breach_alert:
+        subject: "Password breach alert"
+        hello: "Caro %{email},"
+        there_was_some_breach:
+          one: "Abbiamo fatto alcuni controlli di routine, e scoperto che un servizio esterno ha avuto una perdita di dati sensibili. Da un primo controllo, è possibile che tra le credenziali violate siano presenti anche quelle del tuo account. Ecco l'informazione che abbiamo recuperato:"
+          other: "Abbiamo fatto alcuni controlli di routine, e scoperto che alcuni servizi esterni hanno avuto una perdita di dati sensibili. Da un primo controllo, è possibile che tra le credenziali violate siano presenti anche quelle del tuo account. Ecco l'informazione che abbiamo recuperato:"
+        this_site_is_secure: "%{domain} è sicuro e ci attiviamo proattivamente per evitare che le brecce di altri siti possano compromettere gli account registrati su %{domain}."
+        please_change_password: "Per questo motivo ti suggeriamo di cambiare la tua password, per precauzione. E' possibile che non sia necessario, ma preferiamo disturbarti cinque minuti piuttosto che rischiare che anche il tuo account su %{domain} venga violato."
+  errors:
+    messages:
+      common:
+        top100: 'La password che hai scelto è estremamente comune: compare nella lista delle 100 password più usate al mondo. Per scegliere una buona password potresti comporre insieme diverse parole, se possibili non troppo comuni. Ad esempio, anche "ananas" è una password troppo semplice, mentre "pizzamozzarellaananas" è facile da ricordare e difficile da indovinare'
+        top1000: 'La password che hai scelto è molto comune: compare nella lista delle 1000 password più usate al mondo. Per renderla più sicura, potresti aggiungere una o due parole. Ad esempio, "ananas" è una password troppo semplice, mentre "pizzamozzarellaananas" è facile da ricordare e difficile da indovinare'
+        top10000: 'La password che hai scelto è abbastanza comune. Per renderla più sicura, potresti aggiungere una o due parole. Ad esempio, "ananas" è una password troppo semplice, mentre "pizzamozzarellaananas" è facile da ricordare e difficile da indovinare'
+      pwned: "La password che hai scelto è presente in un database di password violate: questo significa che è insicura e non dovrebbe essere usata. Per favore, scegli una password più difficile da indovinare. Ad esempio, potresti combinare insieme alcune parole poco comuni."
+      zxcvbn: 'La password che hai scelto è troppo facile. In una scala da 0 a 4 la sua difficoltà è %{score}: un algoritmo la potrebbe indovinare in %{crack_time_display}. Per renderla più sicura, potresti aggiungere una o due parole. Ad esempio, "ananas" è una password troppo semplice, mentre "pizzamozzarellaananas" è facile da ricordare e difficile da indovinare.'
+  time:
+    formats:
+      date_only: '%-d %b %Y'

data/lib/devise/password_breach_alert/model.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'zxcvbn_password/model'
+require 'common_password/model'
+require 'pwned_password/model'
+
+module Devise
+  module Models
+    module PasswordBreachAlert
+      extend ActiveSupport::Concern
+      include ZxcvbnPassword::Model
+      include CommonPassword::Model
+      include PwnedPassword::Model
+
+      module ClassMethods
+        ::Devise::Models.config(self, :pwned_active)
+        ::Devise::Models.config(self, :common_active)
+        ::Devise::Models.config(self, :zxcvbn_active)
+        ::Devise::Models.config(self, :breaches_policy)
+        ::Devise::Models.config(self, :breaches_filter)
+        ::Devise::Models.config(self, :breaches_filter_options)
+      end
+    end
+  end
+end

data/lib/generators/password_breach_alert_generator.rb

@@ -0,0 +1,13 @@
+class PasswordBreachAlertGenerator < Rails::Generators::Base
+  include Rails::Generators::Migration
+
+  source_root File.expand_path('templates', __dir__)
+
+  def create_breaches_migration
+    time_now = Time.current.strftime('%Y%m%d%H%M%S')
+    template_name = 'create_breaches'
+    migration_file = "#{time_now}_#{template_name}"
+
+    copy_file "#{template_name}.rb", File.join('db', 'migrate', "#{migration_file}.rb")
+  end
+end

data/lib/generators/templates/create_breaches.rb

@@ -0,0 +1,19 @@
+class CreateBreaches < ActiveRecord::Migration[5.2]
+  def change
+    create_table :breaches do |t|
+      t.string :name
+      t.string :title
+      t.string :domain
+      t.datetime :breach_date
+      t.datetime :added_date
+      t.integer :pwn_count
+      t.string :description
+      t.string :logo_path
+      t.text :data_classes
+
+      t.timestamps
+    end
+
+    add_index :breaches, :added_date
+  end
+end

data/lib/password_breach_alert.rb

@@ -0,0 +1,9 @@
+module PasswordBreachAlert
+  autoload :Mailer, 'password_breach_alert/mailer'
+end
+
+require 'password_breach_alert/railtie'
+require 'password_breach_alert/rails'
+require 'password_breach_alert/checker'
+require 'password_breach_alert/models/breach'
+require 'devise/password_breach_alert'

data/lib/password_breach_alert/api/base.rb

@@ -0,0 +1,39 @@
+module PasswordBreachAlert
+  module Api
+    # TODO: add some lock
+
+    module LastCalledAt
+      mattr_accessor :last_called_at
+    end
+
+    SLEEP_DURATION = 1.6.seconds
+
+    class Base
+      include LastCalledAt
+
+      DEFAULT_REQUEST_OPTIONS = {
+        'User-Agent' => 'PasswordBreachAlert'
+      }.freeze
+
+      def initialize(request_options = {})
+        @request_options = DEFAULT_REQUEST_OPTIONS.merge(request_options)
+      end
+
+      def with_wait
+        return enum_for :with_wait unless block_given?
+
+        # TODO: with_advisory_lock('PasswordBreachAlert::Api') do
+        if last_called_at && last_called_at > SLEEP_DURATION.ago
+          sleep(last_called_at - SLEEP_DURATION.ago)
+        end
+
+        result = yield
+
+        self.last_called_at = Time.current
+        # TODO: end
+
+        result
+      end
+    end
+  end
+end

data/lib/password_breach_alert/api/breach.rb

@@ -0,0 +1,15 @@
+require 'password_breach_alert/api/base'
+
+module PasswordBreachAlert
+  module Api
+    class Breach < PasswordBreachAlert::Api::Base
+      API_URL = 'https://haveibeenpwned.com/api/v2/breaches'.freeze
+
+      def call
+        with_wait do
+          JSON.parse(URI.parse(API_URL).open(@request_options).read)
+        end
+      end
+    end
+  end
+end

data/lib/password_breach_alert/api/breachedaccount.rb

@@ -0,0 +1,18 @@
+require 'password_breach_alert/api/base'
+
+module PasswordBreachAlert
+  module Api
+    class Breachedaccount < PasswordBreachAlert::Api::Base
+      API_URL = 'https://haveibeenpwned.com/api/v2/breachedaccount/'.freeze
+
+      def call(account, params = nil)
+        query = (params || {}).reverse_merge('truncateResponse': true).to_query
+        endpoint = "#{API_URL}#{account}?#{query}"
+
+        with_wait do
+          JSON.parse(URI.parse(endpoint).open(@request_options).read)
+        end
+      end
+    end
+  end
+end

data/lib/password_breach_alert/breaches_filters.rb

@@ -0,0 +1,8 @@
+require 'password_breach_alert/breaches_filters/after_user_last_checked_at'
+require 'password_breach_alert/breaches_filters/all_with_user'
+require 'password_breach_alert/breaches_filters/new_with_user'
+
+module PasswordBreachAlert
+  module BreachesFilters
+  end
+end

data/lib/password_breach_alert/breaches_filters/after_user_last_checked_at.rb

@@ -0,0 +1,34 @@
+require 'password_breach_alert/api/breachedaccount'
+
+module PasswordBreachAlert
+  module BreachesFilters
+    # returns the breaches with breach_date later then checked, then updates the date on user
+    class AfterUserLastCheckedAt
+      attr_reader :api, :field
+
+      def initialize(api: PasswordBreachAlert::Api::Breachedaccount.new, field: :password_breach_alert_checked_at)
+        @api = api
+        @field = field
+      end
+
+      def call(user, _new_breaches, breaches)
+        unless user.respond_to?(field)
+          raise NotImplementedError.new("please add the column of method #{field} to #{user.class}")
+        end
+
+        unless user[field].nil? || user[field].is_a?(Time)
+          raise NotImplementedError.new("#{user.class}.#{field} should be a time")
+        end
+
+        api_breaches = api.call(user.email)
+        api_breaches_names = api_breaches.map { |api_breach| api_breach['Name'] }
+
+        scope = { name: api_breaches_names }
+        scope[:breach_date] = user[field]..Time.current if user[field]
+
+        user.update field => Time.current
+        breaches.where(scope)
+      end
+    end
+  end
+end

data/lib/password_breach_alert/breaches_filters/all_with_user.rb

@@ -0,0 +1,21 @@
+require 'password_breach_alert/api/breachedaccount'
+
+module PasswordBreachAlert
+  module BreachesFilters
+    # returns the breaches where the user appears
+    class AllWithUser
+      attr_reader :api
+
+      def initialize(api: PasswordBreachAlert::Api::Breachedaccount.new)
+        @api = api
+      end
+
+      def call(user, _new_breaches, breaches)
+        api_breaches = api.call(user.email)
+        api_breaches_names = api_breaches.map { |api_breach| api_breach['Name'] }
+
+        breaches.where(name: api_breaches_names)
+      end
+    end
+  end
+end

data/lib/password_breach_alert/breaches_filters/new_with_user.rb

@@ -0,0 +1,21 @@
+require 'password_breach_alert/api/breachedaccount'
+
+module PasswordBreachAlert
+  module BreachesFilters
+    # returns the new_breaches where the user appears
+    class NewWithUser
+      attr_reader :api
+
+      def initialize(api: PasswordBreachAlert::Api::Breachedaccount.new)
+        @api = api
+      end
+
+      def call(user, new_breaches, _breaches)
+        api_breaches = api.call(user.email)
+        api_breaches_names = api_breaches.map { |api_breach| api_breach['Name'] }
+
+        new_breaches.where(name: api_breaches_names)
+      end
+    end
+  end
+end

data/lib/password_breach_alert/breaches_policies.rb

@@ -0,0 +1,6 @@
+require 'password_breach_alert/breaches_policies/send_devise_notification'
+
+module PasswordBreachAlert
+  module BreachesPolicies
+  end
+end

data/lib/password_breach_alert/breaches_policies/send_devise_notification.rb

@@ -0,0 +1,12 @@
+module PasswordBreachAlert
+  module BreachesPolicies
+    # notify the user with an email if there are any breaches
+    class SendDeviseNotification
+      def call(user, breaches)
+        return if breaches.none?
+
+        user.send(:send_devise_notification, :password_breach_alert, breaches)
+      end
+    end
+  end
+end

data/lib/password_breach_alert/checker.rb

@@ -0,0 +1,45 @@
+require 'password_breach_alert/api/breach'
+require 'password_breach_alert/api/breachedaccount'
+
+module PasswordBreachAlert
+  class Checker
+    attr_reader :breaches_filter, :breaches_policy
+
+    def self.default_breaches_filter
+      options = Devise.breaches_filter_options.call.reverse_merge(api: PasswordBreachAlert::Api::Breachedaccount.new)
+      Devise.breaches_filter.constantize.new(options)
+    end
+
+    def self.default_breaches_policy
+      Devise.breaches_policy.constantize.new
+    end
+
+    def initialize(breaches_filter: self.class.default_breaches_filter, breaches_policy: self.class.default_breaches_policy)
+      @breaches_filter = breaches_filter
+      @breaches_policy = breaches_policy
+    end
+
+    def call(users)
+      new_breaches = fetch_and_create_new_breaches
+      breaches = all_breaches
+
+      users.each do |user|
+        user_breaches = breaches_filter.call(user, new_breaches, breaches)
+
+        breaches_policy.call(user, user_breaches)
+      end
+    end
+
+    private
+
+      def fetch_and_create_new_breaches
+        api_breaches = PasswordBreachAlert::Api::Breach.new.call
+
+        PasswordBreachAlert::Models::Breach.create_new_from_api(api_breaches)
+      end
+
+      def all_breaches
+        PasswordBreachAlert::Models::Breach.all
+      end
+  end
+end

data/lib/password_breach_alert/mailer.rb

@@ -0,0 +1,9 @@
+module PasswordBreachAlert
+  module Mailer
+    # Deliver a password breach alert email
+    def password_breach_alert(record, breaches, opts = {})
+      @breaches = breaches
+      devise_mail(record, :password_breach_alert, opts)
+    end
+  end
+end

data/lib/password_breach_alert/models/breach.rb

@@ -0,0 +1,55 @@
+# == Schema Information
+#
+# Table name: breaches
+#
+#  id           :integer          not null, primary key
+#  name         :string
+#  title        :string
+#  domain       :string
+#  breach_date  :datetime
+#  added_date   :datetime
+#  pwn_count    :integer
+#  description  :string
+#  logo_path    :string
+#  data_classes :text
+#  created_at   :datetime         not null
+#  updated_at   :datetime         not null
+#
+
+module PasswordBreachAlert
+  # rails generate password_breach_alert
+  module Models
+    class Breach < ActiveRecord::Base # rubocop:disable ApplicationRecord
+      serialize :data_classes, Array
+
+      validates :name, presence: true
+
+      scope :sorted, -> { order('added_date DESC') }
+
+      def self.create_new_from_api(api_breaches)
+        created_ids = []
+        present_names = Breach.pluck(:name)
+
+        api_breaches.each do |api_breach|
+          next if api_breach['Name'].in?(present_names)
+
+          breach = Breach.create(
+            name: api_breach['Name'],
+            title: api_breach['Title'],
+            domain: api_breach['Domain'],
+            breach_date: api_breach['BreachDate'],
+            added_date: api_breach['AddedDate'],
+            pwn_count: api_breach['PwnCount'],
+            description: api_breach['Description'],
+            logo_path: api_breach['LogoPath'],
+            data_classes: api_breach['DataClasses']
+          )
+
+          created_ids << breach.id
+        end
+
+        Breach.where(id: created_ids).sorted
+      end
+    end
+  end
+end