pwned 2.1.0 → 2.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4661790082f543ba897baf211da660c7a4f654444121f4ff3ba08542c08c412b
-  data.tar.gz: f52a3f3cf36d461e8704a632f97829a5d9f871d9916a55687d4a0b2156b44b75
+  metadata.gz: f655789ebeb4d8fc8cdd1a105960358b8995ecb2d65d50542c124dd025add187
+  data.tar.gz: 32b7024253941258a9d93e3fd556c25d7dc5f1d91b55c414d547bce7cd81f042
 SHA512:
-  metadata.gz: c114c3ca6e7667d1760ad2ae5dabcc7bf8d14b91e42788f7e36bba716eecd9bef6e1847e93dd12df4f8afed19460d26a068dc22ffb2270ceef8dc342f81690e0
-  data.tar.gz: c19d20d765cd57e64468c27a3e8f134e53d8f6e9ae22497c2d94a315a584e2e19b1913d47b37e89c9525ce80d85d10d43437a623d211766aa7242dbe1144e906
+  metadata.gz: f298ab9734b71e795cb014986b93c37642539c45225add31f55a105a4238b0dcd57ae298682df0ad2ed69203d42f13181715dbcfeb1fe8f188a497e51f82cab9
+  data.tar.gz: c494a1fd491608e0bee4d47a97b356ae22887b2a041e33348a8784c14fbe68d5ab78451eb2b2e255e0b2f1702d41424b5a2e0b83549a93a3a9a2dd86abd1ad39

data/.github/FUNDING.yml

@@ -0,0 +1 @@
+github: philnash

data/.github/workflows/tests.yml

@@ -0,0 +1,45 @@
+name: tests
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: [2.6, 2.7, 3.0, 3.1, head]
+        rails: [4.2.11.3, 5.0.7.2, 5.1.7, 5.2.4.4, 6.0.3.4, 6.1.0]
+        exclude:
+          # Ruby 3.0 and Rails 5 do not get along together.
+          - ruby: 3.0
+            rails: 5.0.7.2
+          - ruby: 3.0
+            rails: 5.1.7
+          - ruby: 3.0
+            rails: 5.2.4.4
+          - ruby: 3.1
+            rails: 5.0.7.2
+          - ruby: 3.1
+            rails: 5.1.7
+          - ruby: 3.1
+            rails: 5.2.4.4
+          - ruby: head
+            rails: 5.0.7.2
+          - ruby: head
+            rails: 5.1.7
+          - ruby: head
+            rails: 5.2.4.4
+    continue-on-error: ${{ endsWith(matrix.ruby, 'head') }}
+    env:
+      RAILS_VERSION: ${{ matrix.rails }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby ${{ matrix.ruby }}
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+      - name: "Install dependencies (rails: ${{matrix.rails}})"
+        run: bundle install
+      - name: Run tests
+        run: bundle exec rspec

data/CHANGELOG.md

@@ -1,6 +1,28 @@
 # Changelog for `Pwned`
 
-## Ongoing [☰](https://github.com/philnash/pwned/compare/v2.0.2...master)
+## Ongoing [☰](https://github.com/philnash/pwned/compare/v2.4.0...master)
+
+## 2.4.0 (February 23, 2022) [☰](https://github.com/philnash/pwned/compare/v2.3.0...v2.4.0)
+
+- Minor updates
+
+  - Adds `default_request_options` to set global defaults for the gem
+  - Adds Ruby 3.1 to the test matrix
+
+## 2.3.0 (August 30, 2021) [☰](https://github.com/philnash/pwned/compare/v2.2.0...v2.3.0)
+
+- Minor updates
+
+  - Restores `Net::HTTP` default behaviour to use environment supplied HTTP
+    proxy
+  - Adds `ignore_env_proxy` to ignore any proxies set in the environment
+
+## 2.2.0 (March 27, 2021) [☰](https://github.com/philnash/pwned/compare/v2.1.0...v2.2.0)
+
+- Minor updates
+
+  - Adds `:proxy` option to `request_options` to directly set a proxy on the
+    request. Fixes #21, thanks [dparpyani](https://github.com/dparpyani).
 
 ## 2.1.0 (July 8, 2020) [☰](https://github.com/philnash/pwned/compare/v2.0.2...v2.1.0)
 

data/README.md

@@ -2,32 +2,37 @@
 
 An easy, Ruby way to use the Pwned Passwords API.
 
-[![Gem Version](https://badge.fury.io/rb/pwned.svg)](https://rubygems.org/gems/pwned) [![Build Status](https://travis-ci.org/philnash/pwned.svg?branch=master)](https://travis-ci.org/philnash/pwned) [![Maintainability](https://codeclimate.com/github/philnash/pwned/badges/gpa.svg)](https://codeclimate.com/github/philnash/pwned/maintainability) [![Inline docs](https://inch-ci.org/github/philnash/pwned.svg?branch=master)](https://inch-ci.org/github/philnash/pwned)
+[![Gem Version](https://badge.fury.io/rb/pwned.svg)](https://rubygems.org/gems/pwned) ![Build Status](https://github.com/philnash/pwned/workflows/tests/badge.svg) [![Maintainability](https://codeclimate.com/github/philnash/pwned/badges/gpa.svg)](https://codeclimate.com/github/philnash/pwned/maintainability) [![Inline docs](https://inch-ci.org/github/philnash/pwned.svg?branch=master)](https://inch-ci.org/github/philnash/pwned)
 
 [API docs](https://www.rubydoc.info/gems/pwned) | [GitHub repo](https://github.com/philnash/pwned)
 
 ## Table of Contents
 
-- [Pwned](#pwned)
-  - [Table of Contents](#table-of-contents)
-  - [About](#about)
-  - [Installation](#installation)
-  - [Usage](#usage)
-    - [Plain Ruby](#plain-ruby)
-      - [Advanced](#advanced)
-    - [ActiveRecord Validator](#activerecord-validator)
-      - [I18n](#i18n)
-      - [Threshold](#threshold)
-      - [Network Error Handling](#network-error-handling)
-      - [Custom Request Options](#custom-request-options)
-    - [Using Asynchronously](#using-asynchronously)
-    - [Devise](#devise)
-    - [Command line](#command-line)
-  - [How Pwned is Pi?](#how-pwned-is-pi)
-  - [Development](#development)
-  - [Contributing](#contributing)
-  - [License](#license)
-  - [Code of Conduct](#code-of-conduct)
+* [Table of Contents](#table-of-contents)
+* [About](#about)
+* [Installation](#installation)
+* [Usage](#usage)
+  * [Plain Ruby](#plain-ruby)
+    * [Custom request options](#custom-request-options)
+      * [HTTP Headers](#http-headers)
+      * [HTTP Proxy](#http-proxy)
+  * [ActiveRecord Validator](#activerecord-validator)
+    * [I18n](#i18n)
+    * [Threshold](#threshold)
+    * [Network Error Handling](#network-error-handling)
+    * [Custom Request Options](#custom-request-options-1)
+      * [HTTP Headers](#http-headers-1)
+      * [HTTP Proxy](#http-proxy-1)
+  * [Using Asynchronously](#using-asynchronously)
+  * [Devise](#devise)
+  * [Rodauth](#rodauth)
+  * [Command line](#command-line)
+  * [Unpwn](#unpwn)
+* [How Pwned is Pi?](#how-pwned-is-pi)
+* [Development](#development)
+* [Contributing](#contributing)
+* [License](#license)
+* [Code of Conduct](#code-of-conduct)
 
 ## About
 
@@ -103,13 +108,57 @@ Pwned.pwned_count("password")
 #=> 3303003
 ```
 
-#### Advanced
+#### Custom request options
 
-You can set http request options to be used with `Net::HTTP.start` when making the request to the API. These options are
-documented in the [`Net::HTTP.start` documentation](http://ruby-doc.org/stdlib-2.6.3/libdoc/net/http/rdoc/Net/HTTP.html#method-c-start). The `:headers` option defines defines HTTP headers. These headers must be string keys.
+You can set HTTP request options to be used with `Net::HTTP.start` when making the request to the API. These options are documented in the [`Net::HTTP.start` documentation](https://ruby-doc.org/stdlib-3.0.0/libdoc/net/http/rdoc/Net/HTTP.html#method-c-start).
+
+You can pass the options to the constructor:
+
+```ruby
+password = Pwned::Password.new("password", read_timeout: 10)
+```
+
+You can also specify global defaults:
 
 ```ruby
-password = Pwned::Password.new("password", headers: { 'User-Agent' => 'Super fun new user agent' }, read_timeout: 10)
+Pwned.default_request_options = { read_timeout: 10 }
+```
+
+##### HTTP Headers
+
+The `:headers` option defines defines HTTP headers. These headers must be string keys.
+
+```ruby
+password = Pwned::Password.new("password", headers: {
+  'User-Agent' => 'Super fun new user agent'
+})
+```
+
+##### HTTP Proxy
+
+An HTTP proxy can be set using the `http_proxy` or `HTTP_PROXY` environment variable. This is the same way that `Net::HTTP` handles HTTP proxies if no proxy options are given. See [`URI::Generic#find_proxy`](https://ruby-doc.org/stdlib-3.0.1/libdoc/uri/rdoc/URI/Generic.html#method-i-find_proxy) for full details on how Ruby detects a proxy from the environment.
+
+```ruby
+# Set in the environment
+ENV["http_proxy"] = "https://username:password@example.com:12345"
+
+# Will use the above proxy
+password = Pwned::Password.new("password")
+```
+
+You can specify a custom HTTP proxy with the `:proxy` option:
+
+```ruby
+password = Pwned::Password.new(
+  "password",
+  proxy: "https://username:password@example.com:12345"
+)
+```
+
+If you don't want to set a proxy and you don't want a proxy to be inferred from the environment, set the `:ignore_env_proxy` key:
+
+```ruby
+password = Pwned::Password.new("password", ignore_env_proxy: true)
 ```
 
 ### ActiveRecord Validator
@@ -180,28 +229,82 @@ end
 #### Custom Request Options
 
 You can configure network requests made from the validator using `:request_options` (see [Net::HTTP.start](http://ruby-doc.org/stdlib-2.6.3/libdoc/net/http/rdoc/Net/HTTP.html#method-c-start) for the list of available options).
-In addition to these options, HTTP headers can be specified with the `:headers` key, e.g. `"User-Agent"`):
 
 ```ruby
   validates :password, not_pwned: {
-    request_options: { read_timeout: 5, open_timeout: 1, headers: { "User-Agent" => "Super fun user agent" } }
+    request_options: {
+      read_timeout: 5,
+      open_timeout: 1
+    }
+  }
+```
+
+These options override the globally defined default options (see above).
+
+In addition to these options, you can also set the following:
+
+##### HTTP Headers
+
+HTTP headers can be specified with the `:headers` key (e.g. `"User-Agent"`)
+
+```ruby
+  validates :password, not_pwned: {
+    request_options: {
+      headers: { "User-Agent" => "Super fun user agent" }
+    }
+  }
+```
+
+##### HTTP Proxy
+
+An HTTP proxy can be set using the `http_proxy` or `HTTP_PROXY` environment variable. This is the same way that `Net::HTTP` handles HTTP proxies if no proxy options are given. See [`URI::Generic#find_proxy`](https://ruby-doc.org/stdlib-3.0.1/libdoc/uri/rdoc/URI/Generic.html#method-i-find_proxy) for full details on how Ruby detects a proxy from the environment.
+
+```ruby
+  # Set in the environment
+  ENV["http_proxy"] = "https://username:password@example.com:12345"
+
+  validates :password, not_pwned: true
+```
+
+You can specify a custom HTTP proxy with the `:proxy` key:
+
+```ruby
+  validates :password, not_pwned: {
+    request_options: {
+      proxy: "https://username:password@example.com:12345"
+    }
+  }
+```
+
+If you don't want to set a proxy and you don't want a proxy to be inferred from the environment, set the `:ignore_env_proxy` key:
+
+```ruby
+  validates :password, not_pwned: {
+    request_options: {
+      ignore_env_proxy: true
+    }
   }
 ```
 
 ### Using Asynchronously
 
-You may have a use case for hashing the password in advance, and then making the call to the Pwned api later
-(for example if you want to enqueue a job without storing the plaintext password):
+You may have a use case for hashing the password in advance, and then making the call to the Pwned Passwords API later (for example if you want to enqueue a job without storing the plaintext password). To do this, you can hash the password with the `Pwned.hash_password` method and then initialize the `Pwned::HashedPassword` class with the hash, like this:
 
 ```ruby
 hashed_password = Pwned.hash_password(password)
 # some time later
-Pwned::HashPassword.new(hashed_password, request_options).pwned?
+Pwned::HashedPassword.new(hashed_password, request_options).pwned?
 ```
 
+The `Pwned::HashedPassword` constructor takes all the same options as the regular `Pwned::Password` contructor.
+
 ### Devise
 
-If you are using Devise I recommend you use the [devise-pwned_password extension](https://github.com/michaelbanfield/devise-pwned_password) which is now powered by this gem.
+If you are using [Devise](https://github.com/heartcombo/devise) I recommend you use the [devise-pwned_password extension](https://github.com/michaelbanfield/devise-pwned_password) which is now powered by this gem.
+
+### Rodauth
+
+If you are using [Rodauth](https://github.com/jeremyevans/rodauth) then you can use the [rodauth-pwned](https://github.com/janko/rodauth-pwned) feature which is powered by this gem.
 
 ### Command line
 
@@ -221,6 +324,10 @@ $ pwned --secret
 
 You will be prompted for the password, but it won't be displayed.
 
+### Unpwn
+
+To cut down on unnecessary network requests, [the unpwn project](https://github.com/indirect/unpwn) uses a list of the top one million passwords to check passwords against. Only if a password is not included in the top million is it then checked against the Pwned Passwords API.
+
 ## How Pwned is Pi?
 
 [@daz](https://github.com/daz) [shared](https://twitter.com/dazonic/status/1074647842046660609) a fantastic example of using this gem to show how many times the digits of Pi have been used as passwords and leaked.

data/lib/pwned/deep_merge.rb

@@ -0,0 +1,13 @@
+module DeepMerge
+  refine Hash do
+    def deep_merge(other)
+      self.merge(other) do |key, this_val, other_val|
+        if this_val.is_a?(Hash) && other_val.is_a?(Hash)
+          this_val.deep_merge(other_val)
+        else
+          other_val
+        end
+      end
+    end
+  end
+end

data/lib/pwned/hashed_password.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 require "pwned/password_base"
+require "pwned/deep_merge"
+
 
 module Pwned
   ##
@@ -9,6 +11,7 @@ module Pwned
   # @see https://haveibeenpwned.com/API/v2#PwnedPasswords
   class HashedPassword
     include PasswordBase
+    using DeepMerge
     ##
     # Creates a new hashed password object.
     #
@@ -19,17 +22,22 @@ module Pwned
     #
     # @param hashed_password [String] The hash of the password you want to check against the API.
     # @param [Hash] request_options Options that can be passed to +Net::HTTP.start+ when
-    #   calling the API
+    #   calling the API. This overrides any keys specified in +Pwned.default_request_options+.
     # @option request_options [Symbol] :headers ({ "User-Agent" => "Ruby Pwned::Password #{Pwned::VERSION}" })
     #   HTTP headers to include in the request
+    # @option request_options [Symbol] :ignore_env_proxy (false) The library
+    #   will try to infer an HTTP proxy from the `http_proxy` environment
+    #   variable. If you do not want this behaviour, set this option to true.
     # @raise [TypeError] if the password is not a string.
     # @since 2.1.0
     def initialize(hashed_password, request_options={})
       raise TypeError, "hashed_password must be of type String" unless hashed_password.is_a? String
       @hashed_password = hashed_password.upcase
-      @request_options = Hash(request_options).dup
-      @request_headers = Hash(request_options.delete(:headers))
+      @request_options = Pwned.default_request_options.deep_merge(request_options)
+      @request_headers = Hash(@request_options.delete(:headers))
       @request_headers = DEFAULT_REQUEST_HEADERS.merge(@request_headers)
+      @request_proxy = URI(@request_options.delete(:proxy)) if @request_options.key?(:proxy)
+      @ignore_env_proxy = @request_options.delete(:ignore_env_proxy) || false
     end
   end
 end

data/lib/pwned/password.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "pwned/password_base"
+require "pwned/deep_merge"
 
 module Pwned
   ##
@@ -9,6 +10,7 @@ module Pwned
   # @see https://haveibeenpwned.com/API/v2#PwnedPasswords
   class Password
     include PasswordBase
+    using DeepMerge
     ##
     # @return [String] the password that is being checked.
     # @since 1.0.0
@@ -24,19 +26,23 @@ module Pwned
     #
     # @param password [String] The password you want to check against the API.
     # @param [Hash] request_options Options that can be passed to +Net::HTTP.start+ when
-    #   calling the API
+    #   calling the API. This overrides any keys specified in +Pwned.default_request_options+.
     # @option request_options [Symbol] :headers ({ "User-Agent" => "Ruby Pwned::Password #{Pwned::VERSION}" })
     #   HTTP headers to include in the request
-    # @return [Boolean] Whether the password appears in the data breaches or not.
+    # @option request_options [Symbol] :ignore_env_proxy (false) The library
+    #   will try to infer an HTTP proxy from the `http_proxy` environment
+    #   variable. If you do not want this behaviour, set this option to true.
     # @raise [TypeError] if the password is not a string.
     # @since 1.1.0
     def initialize(password, request_options={})
       raise TypeError, "password must be of type String" unless password.is_a? String
       @password = password
       @hashed_password = Pwned.hash_password(password)
-      @request_options = Hash(request_options).dup
-      @request_headers = Hash(request_options.delete(:headers))
+      @request_options = Pwned.default_request_options.deep_merge(request_options)
+      @request_headers = Hash(@request_options.delete(:headers))
       @request_headers = DEFAULT_REQUEST_HEADERS.merge(@request_headers)
+      @request_proxy = URI(@request_options.delete(:proxy)) if @request_options.key?(:proxy)
+      @ignore_env_proxy = @request_options.delete(:ignore_env_proxy) || false
     end
   end
 end

data/lib/pwned/password_base.rb

@@ -65,7 +65,7 @@ module Pwned
 
     private
 
-    attr_reader :request_options, :request_headers
+    attr_reader :request_options, :request_headers, :request_proxy, :ignore_env_proxy
 
     def fetch_pwned_count
       for_each_response_line do |line|
@@ -108,7 +108,17 @@ module Pwned
       request.initialize_http_header(request_headers)
       request_options[:use_ssl] = true
 
-      Net::HTTP.start(uri.host, uri.port, request_options) do |http|
+      environment_proxy = ignore_env_proxy ? nil : :ENV
+
+      Net::HTTP.start(
+        uri.host,
+        uri.port,
+        request_proxy&.host || environment_proxy,
+        request_proxy&.port,
+        request_proxy&.user,
+        request_proxy&.password,
+        request_options
+      ) do |http|
         http.request(request, &block)
       end
     end
@@ -128,6 +138,5 @@ module Pwned
 
       yield last_line unless last_line.empty?
     end
-
   end
 end

data/lib/pwned/version.rb

@@ -3,5 +3,5 @@
 module Pwned
   ##
   # The current version of the +pwned+ gem.
-  VERSION = "2.1.0"
+  VERSION = "2.4.0"
 end

data/lib/pwned.rb

@@ -23,6 +23,29 @@ end
 # results for a password.
 
 module Pwned
+  @default_request_options = {}
+
+  ##
+  # The default request options passed to +Net::HTTP.start+ when calling the API.
+  #
+  # @return [Hash]
+  # @see Pwned::Password#initialize
+  def self.default_request_options
+    @default_request_options
+  end
+
+  ##
+  # Sets the default request options passed to +Net::HTTP.start+ when calling
+  # the API.
+  #
+  # The default options may be overridden in +Pwned::Password#new+.
+  #
+  # @param [Hash] request_options
+  # @see Pwned::Password#initialize
+  def self.default_request_options=(request_options)
+    @default_request_options = request_options
+  end
+
   ##
   # Returns +true+ when the password has been pwned.
   #
@@ -35,6 +58,9 @@ module Pwned
   #   calling the API
   # @option request_options [Symbol] :headers ({ "User-Agent" => "Ruby Pwned::Password #{Pwned::VERSION}" })
   #   HTTP headers to include in the request
+  # @option request_options [Symbol] :ignore_env_proxy (false) The library
+  #   will try to infer an HTTP proxy from the `http_proxy` environment
+  #   variable. If you do not want this behaviour, set this option to true.
   # @return [Boolean] Whether the password appears in the data breaches or not.
   # @since 1.1.0
   def self.pwned?(password, request_options={})
@@ -53,6 +79,9 @@ module Pwned
   #   calling the API
   # @option request_options [Symbol] :headers ({ "User-Agent" => "Ruby Pwned::Password #{Pwned::VERSION}" })
   #   HTTP headers to include in the request
+  # @option request_options [Symbol] :ignore_env_proxy (false) The library
+  #   will try to infer an HTTP proxy from the `http_proxy` environment
+  #   variable. If you do not want this behaviour, set this option to true.
   # @return [Integer] The number of times the password has appeared in the data
   #   breaches.
   # @since 1.1.0

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pwned
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.4.0
 platform: ruby
 authors:
 - Phil Nash
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-07-08 00:00:00.000000000 Z
+date: 2022-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -94,9 +94,10 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
+- ".github/workflows/tests.yml"
 - ".gitignore"
 - ".rspec"
-- ".travis.yml"
 - ".yardopts"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
@@ -109,6 +110,7 @@ files:
 - bin/setup
 - lib/locale/en.yml
 - lib/pwned.rb
+- lib/pwned/deep_merge.rb
 - lib/pwned/error.rb
 - lib/pwned/hashed_password.rb
 - lib/pwned/not_pwned_validator.rb
@@ -125,7 +127,7 @@ metadata:
   documentation_uri: https://www.rubydoc.info/gems/pwned
   homepage_uri: https://github.com/philnash/pwned
   source_code_uri: https://github.com/philnash/pwned
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -140,8 +142,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: Tools to use the Pwned Passwords API.
 test_files: []

data/.travis.yml

@@ -1,27 +0,0 @@
-sudo: false
-language: ruby
-
-env:
-  matrix:
-    - RAILS_VERSION=4.2.11.1
-    - RAILS_VERSION=5.0.7.2
-    - RAILS_VERSION=5.1.7
-    - RAILS_VERSION=5.2.3
-    - RAILS_VERSION=6.0.0
-
-rvm:
-  - 2.7
-  - 2.6
-  - 2.5
-  - 2.4
-  - jruby
-  - ruby-head
-
-before_install: gem install bundler
-
-matrix:
-  allow_failures:
-    - rvm: ruby-head
-  exclude:
-    - rvm: 2.4
-      env: RAILS_VERSION=6.0.0