password_breach_alert 0.1.0

data/lib/password_breach_alert/rails.rb

@@ -0,0 +1,10 @@
+module PasswordBreachAlert
+  class Engine < ::Rails::Engine
+    config.to_prepare do
+      Devise.mailer.send :include, PasswordBreachAlert::Mailer
+      unless Devise.mailer.ancestors.include?(Devise::Mailers::Helpers)
+        Devise.mailer.send :include, Devise::Mailers::Helpers
+      end
+    end
+  end
+end

data/lib/password_breach_alert/railtie.rb

@@ -0,0 +1,4 @@
+module PasswordBreachAlert
+  class Railtie < ::Rails::Railtie
+  end
+end

data/lib/password_breach_alert/version.rb

@@ -0,0 +1,3 @@
+module PasswordBreachAlert
+  VERSION = '0.1.0'.freeze
+end

data/lib/pwned_password/devise.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'devise'
+
+module PwnedPassword
+  module Devise
+    mattr_accessor :min_password_matches, :min_password_matches_warn, :pwned_password_open_timeout, :pwned_password_read_timeout
+    @@min_password_matches = 1
+    @@min_password_matches_warn = nil
+    @@pwned_password_open_timeout = 5
+    @@pwned_password_read_timeout = 5
+  end
+end

data/lib/pwned_password/hooks.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+Warden::Manager.after_set_user except: :fetch do |user, auth, opts|
+  password = auth.request.params.fetch(opts[:scope], {}).fetch(:password, nil)
+  password && auth.authenticated?(opts[:scope]) && user.respond_to?(:password_pwned?) && user.password_pwned?(password)
+end

data/lib/pwned_password/model.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require 'pwned'
+require 'pwned_password/hooks'
+
+module PwnedPassword
+  # The PwnedPassword module adds a new validation for Devise Models.
+  # No modifications to routes or controllers needed.
+  # Simply add :pwned_password to the list of included modules in your
+  # devise module, and all new registrations will be blocked if they use
+  # a password in this dataset https://haveibeenpwned.com/Passwords.
+  module Model
+    extend ActiveSupport::Concern
+
+    included do
+      validate :not_pwned_password, if: proc { password_required? && self.class.pwned_active && !self.errors.include?(:password) }
+    end
+
+    module ClassMethods
+      ::Devise::Models.config(self, :min_password_matches)
+      ::Devise::Models.config(self, :min_password_matches_warn)
+      ::Devise::Models.config(self, :pwned_password_open_timeout)
+      ::Devise::Models.config(self, :pwned_password_read_timeout)
+    end
+
+    def pwned?
+      @pwned ||= false
+    end
+
+    def pwned_count
+      @pwned_count ||= 0
+    end
+
+    # Returns true if password is present in the PwnedPasswords dataset
+    # TODO: Implement retry behaviour described here https://haveibeenpwned.com/API/v2#RateLimiting
+    def password_pwned?(password)
+      @pwned = false
+      @pwned_count = 0
+
+      options = {
+        'User-Agent' => 'devise_pwned_password',
+        read_timeout: self.class.pwned_password_read_timeout,
+        open_timeout: self.class.pwned_password_open_timeout
+      }
+      pwned_password = Pwned::Password.new(password.to_s, options)
+      begin
+        @pwned_count = pwned_password.pwned_count
+        @pwned = @pwned_count >= (persisted? ? self.class.min_password_matches_warn || self.class.min_password_matches : self.class.min_password_matches)
+        return @pwned
+      rescue Pwned::Error
+        return false
+      end
+
+      false
+    end
+
+    private
+
+      def not_pwned_password
+        # This deliberately fails silently on 500's etc. Most apps wont want to tie the ability to sign up customers to the availability of a third party API
+        if password_pwned?(password)
+          errors.add(:password, :pwned)
+        end
+      end
+  end
+end

data/lib/tasks/password_breach_alert.rake

@@ -0,0 +1,15 @@
+namespace :password_breach_alert do
+  desc 'Fetch breaches from HIBP, check email and enforce policy'
+  task :checker, [:model_name] => [:environment] do |_task, args|
+    args.with_defaults(model_name: :user)
+    model_name = args[:model_name].to_sym
+    mapping = Devise.mappings[model_name]
+    if !mapping
+      puts "Could not find Devise mapping for #{model_name}"
+      next
+    end
+
+    model_class = mapping.class_name.constantize
+    PasswordBreachAlert::Checker.new.call(users: model_class.all)
+  end
+end

data/lib/zxcvbn_password/devise.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require "devise"
+require "zxcvbn_password/tester"
+
+module ZxcvbnPassword
+  module Devise
+
+    # The minimun score for a password.
+    mattr_accessor :zxcvbn_min_password_score
+    mattr_accessor :zxcvbn_tester
+    @@zxcvbn_min_password_score = 4
+    @@zxcvbn_tester = Tester.new
+
+    def self.zxcvbn_min_password_score=(score)
+      raise "The zxcvbn_min_password_score must be an integer and between 0..4" unless (0..4).include?(score)
+      @@zxcvbn_min_password_score = score
+    end
+  end
+end

data/lib/zxcvbn_password/email_tokeniser.rb

@@ -0,0 +1,7 @@
+module ZxcvbnPassword
+  class EmailTokeniser
+    def self.split(email_address)
+      email_address.to_s.split(/[[:^word:]_]/)
+    end
+  end
+end

data/lib/zxcvbn_password/errors.rb

@@ -0,0 +1,2 @@
+class ZxcvbnPasswordError < StandardError
+end

data/lib/zxcvbn_password/model.rb

@@ -0,0 +1,84 @@
+require "zxcvbn_password/email_tokeniser"
+require "zxcvbn_password/errors"
+require "ostruct"
+
+module ZxcvbnPassword
+  module Model
+    extend ActiveSupport::Concern
+
+    # delegate :zxcvbn_min_password_score, to: "self.class"
+    # delegate :zxcvbn_tester, to: "self.class"
+
+    included do
+      validate :not_zxcvbn_password, if: proc { password_required? && self.class.zxcvbn_active && !self.errors.include?(:password) }
+    end
+
+    def zxcvbn_password_score
+      @zxcvbn_password_score = self.class.zxcvbn_password_score(self)
+    end
+
+    def zxcvbn_password_crack_time
+      zxcvbn_password_score.crack_times_display["offline_slow_hashing_1e4_per_second"]
+    end
+
+    def password_zxcvbn?
+      zxcvbn_password_score.score < ::Devise.zxcvbn_min_password_score
+    end
+
+    private
+
+    def not_zxcvbn_password
+      if password_zxcvbn?
+        errors.add :password, :zxcvbn, i18n_variables
+      end
+    end
+
+    def i18n_variables
+      {
+        # feedback: zxcvbn_feedback,
+        crack_time_display: zxcvbn_password_crack_time,
+        score: zxcvbn_password_score.score,
+        # zxcvbn_min_password_score: ::Devise.zxcvbn_min_password_score
+      }
+    end
+
+    def zxcvbn_feedback
+      feedback = zxcvbn_password_score.feedback.values.flatten.reject(&:empty?)
+      return "Add another word or two. Uncommon words are better." if feedback.empty?
+
+      feedback.join(". ").gsub(/\.\s*\./, ".")
+    end
+
+    class_methods do
+      ::Devise::Models.config(self, :zxcvbn_min_password_score)
+      ::Devise::Models.config(self, :zxcvbn_tester)
+
+      def zxcvbn_password_score(user, arg_email = nil)
+        return raise ZxcvbnPasswordError, "the object must respond to password" unless user.respond_to?(:password)
+
+        password = user.password.to_s
+
+        zxcvbn_weak_words = []
+
+        if arg_email
+          zxcvbn_weak_words += [arg_email, *ZxcvbnPassword::EmailTokeniser.split(arg_email)]
+        end
+
+        # User method results are saved locally to prevent repeat calls that might be expensive
+        if user.respond_to?(:email)
+          local_email = user.email
+          zxcvbn_weak_words += [local_email, *ZxcvbnPassword::EmailTokeniser.split(local_email)]
+        end
+
+        if user.respond_to?(:weak_words)
+          return raise ZxcvbnPasswordError, "weak_words must return an Array" unless user.weak_words.is_a?(Array)
+
+          local_weak_words = user.weak_words
+          zxcvbn_weak_words += local_weak_words
+        end
+
+        ::Devise.zxcvbn_tester.test(password, zxcvbn_weak_words)
+      end
+    end
+  end
+end

data/lib/zxcvbn_password/tester.rb

@@ -0,0 +1,36 @@
+require "zxcvbn"
+
+class Tester < Zxcvbn::Tester
+  IT = {
+    "less than a second" => "meno di un secondo",
+    "seconds" => "secondi",
+    "second" => "secondo",
+    "minutes" => "minuti",
+    "minute" => "minuto",
+    "hours" => "ore",
+    "hour" => "ora",
+    "days" => "giorni",
+    "day" => "giorno",
+    "months" => "mesi",
+    "month" => "mese",
+    "centuries" => "secoli"
+  }
+
+  def test(password, user_inputs = [])
+    result = super(password, user_inputs)
+    result.crack_times_display['offline_slow_hashing_1e4_per_second'] = localize(result.crack_times_display['offline_slow_hashing_1e4_per_second'])
+    result
+  end
+
+  private
+
+    def localize(string)
+      if I18n.locale == :it
+        IT.each_pair do |key, val|
+          return string.gsub(key, val) if string =~ /#{key}/i
+        end
+      end
+
+      string
+    end
+end

metadata

@@ -0,0 +1,261 @@
+--- !ruby/object:Gem::Specification
+name: password_breach_alert
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Carlo Martinucci
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-07-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: actionmailer
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.2.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.2.2
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4'
+- !ruby/object:Gem::Dependency
+  name: pwned
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.2.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.2.1
+- !ruby/object:Gem::Dependency
+  name: zxcvbn-js
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.4.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.4.1
+- !ruby/object:Gem::Dependency
+  name: letter_opener
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: overcommit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.2.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.2.2
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.72'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.72'
+- !ruby/object:Gem::Dependency
+  name: rubocop-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |2
+      Password Breach Alert is a Devise extension that adds 1) server-side check of password
+      strength before registration, using a list of common passwords, zxcvbn and haveibeenpwned;
+      2) a way to check users emails against recent verified security breaches, and implement
+      different customized policies.
+email:
+- carlo.martinucci@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- app/views/devise/mailer/password_breach_alert.html.erb
+- app/views/devise/mailer/password_breach_alert.text.erb
+- lib/common_password/devise.rb
+- lib/common_password/list.rb
+- lib/common_password/model.rb
+- lib/common_password/passwords.txt
+- lib/devise/password_breach_alert.rb
+- lib/devise/password_breach_alert/locales/en.yml
+- lib/devise/password_breach_alert/locales/it.yml
+- lib/devise/password_breach_alert/model.rb
+- lib/generators/password_breach_alert_generator.rb
+- lib/generators/templates/create_breaches.rb
+- lib/password_breach_alert.rb
+- lib/password_breach_alert/api/base.rb
+- lib/password_breach_alert/api/breach.rb
+- lib/password_breach_alert/api/breachedaccount.rb
+- lib/password_breach_alert/breaches_filters.rb
+- lib/password_breach_alert/breaches_filters/after_user_last_checked_at.rb
+- lib/password_breach_alert/breaches_filters/all_with_user.rb
+- lib/password_breach_alert/breaches_filters/new_with_user.rb
+- lib/password_breach_alert/breaches_policies.rb
+- lib/password_breach_alert/breaches_policies/send_devise_notification.rb
+- lib/password_breach_alert/checker.rb
+- lib/password_breach_alert/mailer.rb
+- lib/password_breach_alert/models/breach.rb
+- lib/password_breach_alert/rails.rb
+- lib/password_breach_alert/railtie.rb
+- lib/password_breach_alert/version.rb
+- lib/pwned_password/devise.rb
+- lib/pwned_password/hooks.rb
+- lib/pwned_password/model.rb
+- lib/tasks/password_breach_alert.rake
+- lib/zxcvbn_password/devise.rb
+- lib/zxcvbn_password/email_tokeniser.rb
+- lib/zxcvbn_password/errors.rb
+- lib/zxcvbn_password/model.rb
+- lib/zxcvbn_password/tester.rb
+homepage: https://github.com/Uqido/password_breach_alert
+licenses:
+- MIT
+metadata:
+  bug_tracker_uri: https://github.com/Uqido/password_breach_alert/issues
+  changelog_uri: https://github.com/Uqido/password_breach_alert/CHANGELOG.md
+  documentation_uri: https://github.com/Uqido/password_breach_alert/README.md
+  homepage_uri: https://github.com/Uqido/password_breach_alert
+  source_code_uri: https://github.com/Uqido/password_breach_alert
+  wiki_uri: https://github.com/Uqido/password_breach_alert/wiki
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.2
+signing_key: 
+specification_version: 4
+summary: Never let a user use a compromised password in your application again!
+test_files: []