pwned 1.2.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b6891bb23ef6923eaad6c5af0b4fa2d36471c9a6903fbb66940720c6a5a69c2b
-  data.tar.gz: d138630dcac1204a01adfa731cce9a52ca984b67544f4c0beabe3e51f56d28ed
+  metadata.gz: b87c90a53cd7928bf07c03d2d068e0cf2b723a183a4b57fa45bf3baafe1ba892
+  data.tar.gz: 6febde4b74e7c054bd15f2038873b0339b31ee7ec1dddb653c8e5d597594a33a
 SHA512:
-  metadata.gz: a89fca08322c92a4866d774dd5d2bce8d495326a99d7dfa8b2e8fe12b43ab3d57c0ed29f9aa8dab5d94ed5c002127701cd57daa43f9a621804232c02a4122d15
-  data.tar.gz: 67a0aaf46f9d84ee81b36e39e72d761aa7b08293246d7fec3abb35bb122d38cf2cd17519850b97573d16bbe346680de6478b1a569c47a1600085b4167e7faa51
+  metadata.gz: 171cfd15438c070259d83291d529ae2c935e7ebbf2f639a75d8b9a0428e8be02cdbf14b7150501824233a0b71638cc2aebe9835b0b565348ac6e51da62848772
+  data.tar.gz: af7cc5a7a0d1300874b996d2b1838264d9d9eb968b16142234bf624551c193b8a8e9975d744a71498f04ebd33b387c67abb638ea8c9a672463a6cfa4aac8d789

data/.travis.yml

@@ -3,21 +3,27 @@ language: ruby
 
 env:
   matrix:
-    - RAILS_VERSION=4.2.0
-    - RAILS_VERSION=5.0.0
-    - RAILS_VERSION=5.1.0
-    - RAILS_VERSION=5.2.0.rc1
+    - RAILS_VERSION=4.2.11.1
+    - RAILS_VERSION=5.0.7.2
+    - RAILS_VERSION=5.1.7
+    - RAILS_VERSION=5.2.3
+    - RAILS_VERSION=6.0.0
 
 rvm:
-  - 2.5.0
-  - 2.4.0
-  - 2.3.0
+  - 2.6
+  - 2.5
+  - 2.4
+  - 2.3
   - jruby
   - ruby-head
 
-before_install: gem install bundler -v 1.16.1
+before_install: gem install bundler
 
 matrix:
   allow_failures:
     - rvm: ruby-head
-    - env: RAILS_VERSION=5.2.0.rc1
+  exclude:
+    - rvm: 2.4
+      env: RAILS_VERSION=6.0.0
+    - rvm: 2.3
+      env: RAILS_VERSION=6.0.0

data/CHANGELOG.md

@@ -2,30 +2,57 @@
 
 ## Ongoing [☰](https://github.com/philnash/pwned/compare/v1.2.1...master)
 
-...
+## 2.0.0 (October 1, 2019) [☰](https://github.com/philnash/pwned/compare/v1.2.1...v2.0.0)
 
-## 1.2.1 (March 17, 2018) [☰](https://github.com/philnash/pwned/commits/v1.2.1)
+- Major updates
 
-* Minor updates
-  * Validator no longer raises `TypeError` when password is `nil`
+  - Switches from `open-uri` to `Net::HTTP`. This is a potentially breaking change.
+  - `request_options` are now used to configure `Net::HTTP.start`.
+  - Rather than using all string keys from `request_options`, HTTP headers are now
+    specified in their own `headers` hash. To upgrade, any options intended as
+    headers need to be extracted into a `headers` hash, e.g.
 
-## 1.2.0 (March 15, 2018) [☰](https://github.com/philnash/pwned/commits/v1.2.0)
+    ```diff
+      validates :password, not_pwned: {
+    -    request_options: { read_timeout: 5, open_timeout: 1, "User-Agent" => "Super fun user agent" }
+    +    request_options: { read_timeout: 5, open_timeout: 1, headers: { "User-Agent" => "Super fun user agent" } }
+      }
 
-* Major updates
-  * Changes `PwnedValidator` to `NotPwnedValidator`, so that the validation looks like `validates :password, not_pwned: true`. `PwnedValidator` now subclasses `NotPwnedValidator` for backwards compatibility with version 1.1.0 but is deprecated.
+    -  password = Pwned::Password.new("password", 'User-Agent' => 'Super fun new user agent')
+    +  password = Pwned::Password.new("password", headers: { 'User-Agent' => 'Super fun new user agent' }, read_timeout: 10)
+    ```
 
-## 1.1.0 (March 12, 2018) [☰](https://github.com/philnash/pwned/commits/v1.1.0)
+  - Adds a CLI to let you check passwords on the command line
 
-* Major updates
-  * Refactors exception handling with built in Ruby method ([PR #1](https://github.com/philnash/pwned/pull/1) thanks [@kpumuk](https://github.com/kpumuk))
-  * Passwords must be strings, the initializer will raise a `TypeError` unless `password.is_a? String`. ([dbf7697](https://github.com/philnash/pwned/commit/dbf7697e878d87ac74aed1e715cee19b73473369))
-  * Added Ruby on Rails validator ([PR #3](https://github.com/philnash/pwned/pull/3) & [PR #6](https://github.com/philnash/pwned/pull/6))
-  * Added simplified accessors `Pwned.pwned?` and `Pwned.pwned_count` ([PR #4](https://github.com/philnash/pwned/pull/4))
+    ```bash
+    $ pwned password
+    Pwned!
+    The password has been found in public breaches 3730471 times.
+    ```
 
-* Minor updates
-  * SHA1 is only calculated once
-  * Frozen string literal to make sure Ruby does not copy strings over and over again
-  * Removal of `@match_data`, since we only use it to retrieve the counter. Caching the counter instead (all [PR #2](https://github.com/philnash/pwned/pull/2) thanks [@kpumuk](https://github.com/kpumuk))
+## 1.2.1 (March 17, 2018) [☰](https://github.com/philnash/pwned/compare/v1.2.0...v1.2.1)
+
+- Minor updates
+  - Validator no longer raises `TypeError` when password is `nil`
+
+## 1.2.0 (March 15, 2018) [☰](https://github.com/philnash/pwned/compare/v1.1.0...v1.2.0)
+
+- Major updates
+  - Changes `PwnedValidator` to `NotPwnedValidator`, so that the validation looks like `validates :password, not_pwned: true`. `PwnedValidator` now subclasses `NotPwnedValidator` for backwards compatibility with version 1.1.0 but is deprecated.
+
+## 1.1.0 (March 12, 2018) [☰](https://github.com/philnash/pwned/compare/v1.0.0...v1.1.0)
+
+- Major updates
+
+  - Refactors exception handling with built in Ruby method ([PR #1](https://github.com/philnash/pwned/pull/1) thanks [@kpumuk](https://github.com/kpumuk))
+  - Passwords must be strings, the initializer will raise a `TypeError` unless `password.is_a? String`. ([dbf7697](https://github.com/philnash/pwned/commit/dbf7697e878d87ac74aed1e715cee19b73473369))
+  - Added Ruby on Rails validator ([PR #3](https://github.com/philnash/pwned/pull/3) & [PR #6](https://github.com/philnash/pwned/pull/6))
+  - Added simplified accessors `Pwned.pwned?` and `Pwned.pwned_count` ([PR #4](https://github.com/philnash/pwned/pull/4))
+
+- Minor updates
+  - SHA1 is only calculated once
+  - Frozen string literal to make sure Ruby does not copy strings over and over again
+  - Removal of `@match_data`, since we only use it to retrieve the counter. Caching the counter instead (all [PR #2](https://github.com/philnash/pwned/pull/2) thanks [@kpumuk](https://github.com/kpumuk))
 
 ## 1.0.0 (March 6, 2018) [☰](https://github.com/philnash/pwned/commits/v1.0.0)
 

data/README.md

@@ -6,6 +6,21 @@ An easy, Ruby way to use the Pwned Passwords API.
 
 [API docs](https://philnash.github.io/pwned/) | [GitHub repo](https://github.com/philnash/pwned)
 
+## Table of Contents
+
+* [About](#about)
+* [Installation](#installation)
+* [Usage](#usage)
+  * [Plain Ruby](#plain-ruby)
+  * [Rails (ActiveRecord)](#activerecord-validator)
+  * [Devise](#devise)
+  * [Command line](#command-line)
+* [How Pwned is Pi?](#how-pwned-is-pi)
+* [Development](#development)
+* [Contributing](#contributing)
+* [License](#license)
+* [Code of Conduct](#code-of-conduct)
+
 ## About
 
 Troy Hunt's [Pwned Passwords API V2](https://haveibeenpwned.com/API/v2#PwnedPasswords) allows you to check if a password has been found in any of the huge data breaches.
@@ -14,6 +29,8 @@ Troy Hunt's [Pwned Passwords API V2](https://haveibeenpwned.com/API/v2#PwnedPass
 
 The data from this API is provided by [Have I been pwned?](https://haveibeenpwned.com/). Before using the API, please check [the acceptable uses and license of the API](https://haveibeenpwned.com/API/v2#AcceptableUse).
 
+Here is a blog post I wrote on [how to use this gem in your Ruby applications to make your users' passwords better](https://www.twilio.com/blog/2018/03/better-passwords-in-ruby-applications-pwned-passwords-api.html).
+
 ## Installation
 
 Add this line to your application's Gemfile:
@@ -32,6 +49,14 @@ Or install it yourself as:
 
 ## Usage
 
+There are a few ways you can use this gem:
+
+1. [Plain Ruby](#plain-ruby)
+2. [Rails](#activerecord-validator)
+3. [Rails and Devise](#devise)
+
+### Plain Ruby
+
 To test a password against the API, instantiate a `Pwned::Password` object and then ask if it is `pwned?`.
 
 ```ruby
@@ -72,10 +97,11 @@ Pwned.pwned_count("password")
 
 #### Advanced
 
-You can set options and headers to be used with `open-uri` when making the request to the API. HTTP headers must be string keys and the [other options are available in the `OpenURI::OpenRead` module](https://ruby-doc.org/stdlib-2.5.0/libdoc/open-uri/rdoc/OpenURI/OpenRead.html#method-i-open).
+You can set http request options to be used with `Net::HTTP.start` when making the request to the API. These options are
+documented in the [`Net::HTTP.start` documentation](http://ruby-doc.org/stdlib-2.6.3/libdoc/net/http/rdoc/Net/HTTP.html#method-c-start). The `:headers` option defines defines HTTP headers. These headers must be string keys.
 
 ```ruby
-password = Pwned::Password.new("password", { 'User-Agent' => 'Super fun new user agent' })
+password = Pwned::Password.new("password", headers: { 'User-Agent' => 'Super fun new user agent' }, read_timeout: 10)
 ```
 
 ### ActiveRecord Validator
@@ -113,7 +139,7 @@ class User < ApplicationRecord
 end
 ```
 
-#### Network Errors Handling
+#### Network Error Handling
 
 By default the record will be treated as valid when we cannot reach the [haveibeenpwned.com](https://haveibeenpwned.com/) servers. This can be changed with the `:on_error` validator parameter:
 
@@ -145,17 +171,101 @@ end
 
 #### Custom Request Options
 
-You can configure network requests made from the validator using `:request_options` (see [OpenURI::OpenRead#open](http://ruby-doc.org/stdlib-2.5.0/libdoc/open-uri/rdoc/OpenURI/OpenRead.html#method-i-open) for the list of available options, string keys represent custom network request headers, e.g. `"User-Agent"`):
+You can configure network requests made from the validator using `:request_options` (see [Net::HTTP.start](http://ruby-doc.org/stdlib-2.6.3/libdoc/net/http/rdoc/Net/HTTP.html#method-c-start) for the list of available options).
+In addition to these options, HTTP headers can be specified with the `:headers` key, e.g. `"User-Agent"`):
 
 ```ruby
   validates :password, not_pwned: {
-    request_options: { read_timeout: 5, open_timeout: 1, "User-Agent" => "Super fun user agent" }
+    request_options: { read_timeout: 5, open_timeout: 1, headers: { "User-Agent" => "Super fun user agent" } }
   }
 ```
 
-## TODO
+### Devise
+
+If you are using Devise I recommend you use the [devise-pwned_password extension](https://github.com/michaelbanfield/devise-pwned_password) which is now powered by this gem.
+
+### Command line
+
+The gem provides a command line utility for checking passwords. You can call it from your terminal application like this:
+
+```bash
+$ pwned password
+Pwned!
+The password has been found in public breaches 3645804 times.
+```
+
+If you don't want the password you are checking to be visible, call:
+
+```bash
+$ pwned --secret
+```
+
+You will be prompted for the password, but it won't be displayed.
+
+## How Pwned is Pi?
+
+[@daz](https://github.com/daz) [shared](https://twitter.com/dazonic/status/1074647842046660609) a fantastic example of using this gem to show how many times the digits of Pi have been used as passwords and leaked.
+
+```ruby
+require 'pwned'
+
+PI = '3.14159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111'
+
+for n in 1..40
+  password = Pwned::Password.new PI[0..(n + 1)]
+  str = [ n.to_s.rjust(2) ]
+  str << (password.pwned? ? '😡' : '😃')
+  str << password.pwned_count.to_s.rjust(4)
+  str << password.password
 
-- [ ] Devise plugin
+  puts str.join ' '
+end
+```
+
+The results may, or may not, surprise you.
+
+```
+ 1 😡   16 3.1
+ 2 😡  238 3.14
+ 3 😡   34 3.141
+ 4 😡 1345 3.1415
+ 5 😡 2552 3.14159
+ 6 😡  791 3.141592
+ 7 😡 9582 3.1415926
+ 8 😡 1591 3.14159265
+ 9 😡  637 3.141592653
+10 😡  873 3.1415926535
+11 😡  137 3.14159265358
+12 😡  103 3.141592653589
+13 😡   65 3.1415926535897
+14 😡  201 3.14159265358979
+15 😡   41 3.141592653589793
+16 😡   57 3.1415926535897932
+17 😡   28 3.14159265358979323
+18 😡   29 3.141592653589793238
+19 😡    1 3.1415926535897932384
+20 😡    7 3.14159265358979323846
+21 😡    5 3.141592653589793238462
+22 😡    2 3.1415926535897932384626
+23 😡    2 3.14159265358979323846264
+24 😃    0 3.141592653589793238462643
+25 😡    3 3.1415926535897932384626433
+26 😃    0 3.14159265358979323846264338
+27 😃    0 3.141592653589793238462643383
+28 😃    0 3.1415926535897932384626433832
+29 😃    0 3.14159265358979323846264338327
+30 😃    0 3.141592653589793238462643383279
+31 😃    0 3.1415926535897932384626433832795
+32 😃    0 3.14159265358979323846264338327950
+33 😃    0 3.141592653589793238462643383279502
+34 😃    0 3.1415926535897932384626433832795028
+35 😃    0 3.14159265358979323846264338327950288
+36 😃    0 3.141592653589793238462643383279502884
+37 😃    0 3.1415926535897932384626433832795028841
+38 😃    0 3.14159265358979323846264338327950288419
+39 😃    0 3.141592653589793238462643383279502884197
+40 😃    0 3.1415926535897932384626433832795028841971
+```
 
 ## Development
 

data/bin/pwned

@@ -0,0 +1,52 @@
+#!/usr/bin/env ruby
+
+require 'pwned'
+require 'optparse'
+require 'io/console'
+
+options = {}
+parser = OptionParser.new do |opts|
+  opts.banner = <<-USAGE
+Usage: pwned <password>
+
+Tests a password against the Pwned Passwords API using the k-anonymity model,
+which avoids sending the entire password to the service.opts
+
+If the password has been found in a publicly available breach then this tool
+will report how many times it has been seen. Otherwise the tool will report that
+the password has not been found in a public breach yet.
+
+USAGE
+
+  opts.version = Pwned::VERSION
+
+  opts.on("-s", "--secret", "Enter password without displaying characters.\n#{" "* 37}Overrides provided arguments.")
+  opts.on_tail("-h", "--help", "Show help.")
+  opts.on_tail("-v", "--version", "Show version number.\n\n")
+end
+
+parser.parse!(ARGV, into: options)
+
+if options[:help]
+  puts parser.help
+  exit
+end
+if options[:version]
+  puts parser.ver
+  exit
+end
+password_to_test = ARGV.first
+if options[:secret]
+  password_to_test = STDIN.getpass("Password: ")
+end
+if !password_to_test || password_to_test.strip == ""
+  puts parser.help
+  exit
+end
+password = Pwned::Password.new(password_to_test || ARGV.first)
+if password.pwned?
+  puts "Pwned!\nThe password has been found in public breaches #{password.pwned_count} times."
+else
+  puts "The password has not been found in a public breach."
+end
+

data/docs/NotPwnedValidator.html

@@ -6,7 +6,7 @@
 <title>
   Class: NotPwnedValidator
   
-    &mdash; Documentation by YARD 0.9.12
+    &mdash; Documentation by YARD 0.9.20
   
 </title>
 
@@ -194,11 +194,16 @@ various ways</p>
   <p class="children"><span class='object_link'><a href="PwnedValidator.html" title="PwnedValidator (class)">PwnedValidator</a></span></p>
 </div>
 
-  <h2>Constant Summary</h2>
-  <dl class="constants">
-    
-      <dt id="DEFAULT_ON_ERROR-constant" class="">DEFAULT_ON_ERROR =
-        <div class="docstring">
+  
+    <h2>
+      Constant Summary
+      <small><a href="#" class="constants_summary_toggle">collapse</a></small>
+    </h2>
+
+    <dl class="constants">
+      
+        <dt id="DEFAULT_ON_ERROR-constant" class="">DEFAULT_ON_ERROR =
+          <div class="docstring">
   <div class="discussion">
     
 <p>The default behaviour of this validator in the case of an API failure. The
@@ -228,11 +233,11 @@ invalid.</p>
 </ul>
 
 </div>
-      </dt>
-      <dd><pre class="code"><span class='symbol'>:valid</span></pre></dd>
-    
-      <dt id="DEFAULT_THRESHOLD-constant" class="">DEFAULT_THRESHOLD =
-        <div class="docstring">
+        </dt>
+        <dd><pre class="code"><span class='symbol'>:valid</span></pre></dd>
+      
+        <dt id="DEFAULT_THRESHOLD-constant" class="">DEFAULT_THRESHOLD =
+          <div class="docstring">
   <div class="discussion">
     
 <p>The default threshold for whether a breach is considered pwned. The default
@@ -262,10 +267,11 @@ invalid.</p>
 </ul>
 
 </div>
-      </dt>
-      <dd><pre class="code"><span class='int'>0</span></pre></dd>
-    
-  </dl>
+        </dt>
+        <dd><pre class="code"><span class='int'>0</span></pre></dd>
+      
+    </dl>
+  
 
 
 
@@ -478,9 +484,9 @@ validation</p>
 </div>
 
       <div id="footer">
-  Generated on Sat Mar 17 09:15:06 2018 by
+  Generated on Tue Oct  1 21:19:37 2019 by
   <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
-  0.9.12 (ruby-2.5.0).
+  0.9.20 (ruby-2.5.5).
 </div>
 
     </div>

data/docs/Pwned.html

@@ -6,7 +6,7 @@
 <title>
   Module: Pwned
   
-    &mdash; Documentation by YARD 0.9.12
+    &mdash; Documentation by YARD 0.9.20
   
 </title>
 
@@ -108,11 +108,16 @@ getting the results for a password.</p>
   
 </p>
 
-  <h2>Constant Summary</h2>
-  <dl class="constants">
-    
-      <dt id="VERSION-constant" class="">VERSION =
-        <div class="docstring">
+  
+    <h2>
+      Constant Summary
+      <small><a href="#" class="constants_summary_toggle">collapse</a></small>
+    </h2>
+
+    <dl class="constants">
+      
+        <dt id="VERSION-constant" class="">VERSION =
+          <div class="docstring">
   <div class="discussion">
     
 <p>The current version of the <code>pwned</code> gem.</p>
@@ -124,10 +129,11 @@ getting the results for a password.</p>
   
 
 </div>
-      </dt>
-      <dd><pre class="code"><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>1.2.1</span><span class='tstring_end'>&quot;</span></span></pre></dd>
-    
-  </dl>
+        </dt>
+        <dd><pre class="code"><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>2.0.0</span><span class='tstring_end'>&quot;</span></span></pre></dd>
+      
+    </dl>
+  
 
 
 
@@ -259,7 +265,8 @@ getting the results for a password.</p>
       
         &mdash;
         <div class='inline'>
-<p>Options that can be passed to <code>open</code> when calling the API</p>
+<p>Options that can be passed to <code>Net::HTTP.start</code> when calling the
+API</p>
 </div>
       
     </li>
@@ -275,17 +282,17 @@ getting the results for a password.</p>
     <ul class="option">
       
         <li>
-          <span class="name">'User-Agent'</span>
-          <span class="type">(<tt>String</tt>)</span>
+          <span class="name">:headers</span>
+          <span class="type">(<tt>Symbol</tt>)</span>
           <span class="default">
             
               &mdash; default:
-              <tt>&quot;Ruby Pwned::Password #{Pwned::VERSION}&quot;</tt>
+              <tt>{ &quot;User-Agent&quot; =&gt; &#39;&quot;Ruby Pwned::Password #{Pwned::VERSION}&quot; }</tt>
             
           </span>
           
             &mdash; <div class='inline'>
-<p>The user agent used when making an API request.</p>
+<p>HTTP headers to include in the request</p>
 </div>
           
         </li>
@@ -408,7 +415,8 @@ getting the results for a password.</p>
       
         &mdash;
         <div class='inline'>
-<p>Options that can be passed to <code>open</code> when calling the API</p>
+<p>Options that can be passed to <code>Net::HTTP.start</code> when calling the
+API</p>
 </div>
       
     </li>
@@ -424,17 +432,17 @@ getting the results for a password.</p>
     <ul class="option">
       
         <li>
-          <span class="name">'User-Agent'</span>
-          <span class="type">(<tt>String</tt>)</span>
+          <span class="name">:headers</span>
+          <span class="type">(<tt>Symbol</tt>)</span>
           <span class="default">
             
               &mdash; default:
-              <tt>&quot;Ruby Pwned::Password #{Pwned::VERSION}&quot;</tt>
+              <tt>{ &quot;User-Agent&quot; =&gt; &#39;&quot;Ruby Pwned::Password #{Pwned::VERSION}&quot; }</tt>
             
           </span>
           
             &mdash; <div class='inline'>
-<p>The user agent used when making an API request.</p>
+<p>HTTP headers to include in the request</p>
 </div>
           
         </li>
@@ -503,9 +511,9 @@ getting the results for a password.</p>
 </div>
 
       <div id="footer">
-  Generated on Sat Mar 17 09:15:06 2018 by
+  Generated on Tue Oct  1 21:19:37 2019 by
   <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
-  0.9.12 (ruby-2.5.0).
+  0.9.20 (ruby-2.5.5).
 </div>
 
     </div>