pwned 2.2.0 → 2.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1790330e2068217b48ba0929c4b2409dfecd939e76f7d231acc872ef9802320a
-  data.tar.gz: afa13cc83a53df1be859a74876e00992b15eed757e571bec652168d85b3ab73e
+  metadata.gz: 226abf113cc3359c1157ed43ba530e83123673626ba5c36cb5431518c2236abf
+  data.tar.gz: bcbb22e607b9ac74c5d9aad4f73ab7995bdee8cdca77cc5a6d4048033289f565
 SHA512:
-  metadata.gz: 23482aeeab95bb130ba04f1fdc57f769282d78c7c4c56c594f15652c472ffce9573967d8a31d539548a325c85f54aa038d65bb023aded41352147ad9a906534e
-  data.tar.gz: d31fb7ad5171adc4cc8ee28ed97d125fbd19c93bc68e65e7921076d1fb586748a1a4f12007e70cbfe6378e3c868effa756efaa08e627bfa82b2c73166e0b7dd1
+  metadata.gz: 012faac5d01ece3a5e7a1b56b127c7487cfe11a9d9d69c5b91727a4fcf938fc82ae62d95669a776b1dac87efbddc7073617991d5012738e5761978821310b812
+  data.tar.gz: e51e2f74240394f89a4ecf8ebae3336f3deeb2aff640df5eff937d917b79544467ba96bc42f208f9688c1fb22d510b4ace7f17715f96347ea2e3f9590ca1f7c2

data/.github/workflows/tests.yml

@@ -8,9 +8,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby: [2.5, 2.6, 2.7, 3.0, head]
-        rails: [4.2.11.3, 5.0.7.2, 5.1.7, 5.2.4.4, 6.0.3.4, 6.1.0]
+        ruby: [2.6, 2.7, 3.0, 3.1, head]
+        rails: [4.2.11.3, 5.0.7.2, 5.1.7, 5.2.4.4, 6.0.3.4, 6.1.0, 7.0.3.1]
         exclude:
+          # Ruby 2.6 and Rails 7 do not get along together.
+          - ruby: 2.6
+            rails: 7.0.3.1
           # Ruby 3.0 and Rails 5 do not get along together.
           - ruby: 3.0
             rails: 5.0.7.2
@@ -18,6 +21,12 @@ jobs:
             rails: 5.1.7
           - ruby: 3.0
             rails: 5.2.4.4
+          - ruby: 3.1
+            rails: 5.0.7.2
+          - ruby: 3.1
+            rails: 5.1.7
+          - ruby: 3.1
+            rails: 5.2.4.4
           - ruby: head
             rails: 5.0.7.2
           - ruby: head

data/CHANGELOG.md

@@ -1,6 +1,28 @@
 # Changelog for `Pwned`
 
-## Ongoing [☰](https://github.com/philnash/pwned/compare/v2.0.2...master)
+## Ongoing [☰](https://github.com/philnash/pwned/compare/v2.4.0...master)
+
+## 2.4.1 (August 29, 2022) [☰](https://github.com/philnash/pwned/compare/v2.4.0...v2.4.1)
+
+- Minor updates
+
+  - Adds French and Dutch translations
+  - Adds Rails 7 to the test matrix
+
+## 2.4.0 (February 23, 2022) [☰](https://github.com/philnash/pwned/compare/v2.3.0...v2.4.0)
+
+- Minor updates
+
+  - Adds `default_request_options` to set global defaults for the gem
+  - Adds Ruby 3.1 to the test matrix
+
+## 2.3.0 (August 30, 2021) [☰](https://github.com/philnash/pwned/compare/v2.2.0...v2.3.0)
+
+- Minor updates
+
+  - Restores `Net::HTTP` default behaviour to use environment supplied HTTP
+    proxy
+  - Adds `ignore_env_proxy` to ignore any proxies set in the environment
 
 ## 2.2.0 (March 27, 2021) [☰](https://github.com/philnash/pwned/compare/v2.1.0...v2.2.0)
 

data/README.md

@@ -8,36 +8,39 @@ An easy, Ruby way to use the Pwned Passwords API.
 
 ## Table of Contents
 
-- [Pwned](#pwned)
-  - [Table of Contents](#table-of-contents)
-  - [About](#about)
-  - [Installation](#installation)
-  - [Usage](#usage)
-    - [Plain Ruby](#plain-ruby)
-      - [Advanced](#advanced)
-    - [ActiveRecord Validator](#activerecord-validator)
-      - [I18n](#i18n)
-      - [Threshold](#threshold)
-      - [Network Error Handling](#network-error-handling)
-      - [Custom Request Options](#custom-request-options)
-    - [Using Asynchronously](#using-asynchronously)
-    - [Devise](#devise)
-    - [Rodauth](#rodauth)
-    - [Command line](#command-line)
-    - [Unpwn](#unpwn)
-  - [How Pwned is Pi?](#how-pwned-is-pi)
-  - [Development](#development)
-  - [Contributing](#contributing)
-  - [License](#license)
-  - [Code of Conduct](#code-of-conduct)
+* [Table of Contents](#table-of-contents)
+* [About](#about)
+* [Installation](#installation)
+* [Usage](#usage)
+  * [Plain Ruby](#plain-ruby)
+    * [Custom request options](#custom-request-options)
+      * [HTTP Headers](#http-headers)
+      * [HTTP Proxy](#http-proxy)
+  * [ActiveRecord Validator](#activerecord-validator)
+    * [I18n](#i18n)
+    * [Threshold](#threshold)
+    * [Network Error Handling](#network-error-handling)
+    * [Custom Request Options](#custom-request-options-1)
+      * [HTTP Headers](#http-headers-1)
+      * [HTTP Proxy](#http-proxy-1)
+  * [Using Asynchronously](#using-asynchronously)
+  * [Devise](#devise)
+  * [Rodauth](#rodauth)
+  * [Command line](#command-line)
+  * [Unpwn](#unpwn)
+* [How Pwned is Pi?](#how-pwned-is-pi)
+* [Development](#development)
+* [Contributing](#contributing)
+* [License](#license)
+* [Code of Conduct](#code-of-conduct)
 
 ## About
 
-Troy Hunt's [Pwned Passwords API V2](https://haveibeenpwned.com/API/v2#PwnedPasswords) allows you to check if a password has been found in any of the huge data breaches.
+Troy Hunt's [Pwned Passwords API](https://haveibeenpwned.com/API/v3#PwnedPasswords) allows you to check if a password has been found in any of the huge data breaches.
 
 `Pwned` is a Ruby library to use the Pwned Passwords API's [k-Anonymity model](https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity) to test a password against the API without sending the entire password to the service.
 
-The data from this API is provided by [Have I been pwned?](https://haveibeenpwned.com/). Before using the API, please check [the acceptable uses and license of the API](https://haveibeenpwned.com/API/v2#AcceptableUse).
+The data from this API is provided by [Have I been pwned?](https://haveibeenpwned.com/). Before using the API, please check [the acceptable uses and license of the API](https://haveibeenpwned.com/API/v3#AcceptableUse).
 
 Here is a blog post I wrote on [how to use this gem in your Ruby applications to make your users' passwords better](https://www.twilio.com/blog/2018/03/better-passwords-in-ruby-applications-pwned-passwords-api.html).
 
@@ -105,13 +108,57 @@ Pwned.pwned_count("password")
 #=> 3303003
 ```
 
-#### Advanced
+#### Custom request options
 
-You can set http request options to be used with `Net::HTTP.start` when making the request to the API. These options are
-documented in the [`Net::HTTP.start` documentation](http://ruby-doc.org/stdlib-2.6.3/libdoc/net/http/rdoc/Net/HTTP.html#method-c-start). The `:headers` option defines defines HTTP headers. These headers must be string keys.
+You can set HTTP request options to be used with `Net::HTTP.start` when making the request to the API. These options are documented in the [`Net::HTTP.start` documentation](https://ruby-doc.org/stdlib-3.0.0/libdoc/net/http/rdoc/Net/HTTP.html#method-c-start).
+
+You can pass the options to the constructor:
+
+```ruby
+password = Pwned::Password.new("password", read_timeout: 10)
+```
+
+You can also specify global defaults:
+
+```ruby
+Pwned.default_request_options = { read_timeout: 10 }
+```
+
+##### HTTP Headers
+
+The `:headers` option defines defines HTTP headers. These headers must be string keys.
+
+```ruby
+password = Pwned::Password.new("password", headers: {
+  'User-Agent' => 'Super fun new user agent'
+})
+```
+
+##### HTTP Proxy
+
+An HTTP proxy can be set using the `http_proxy` or `HTTP_PROXY` environment variable. This is the same way that `Net::HTTP` handles HTTP proxies if no proxy options are given. See [`URI::Generic#find_proxy`](https://ruby-doc.org/stdlib-3.0.1/libdoc/uri/rdoc/URI/Generic.html#method-i-find_proxy) for full details on how Ruby detects a proxy from the environment.
 
 ```ruby
-password = Pwned::Password.new("password", headers: { 'User-Agent' => 'Super fun new user agent' }, read_timeout: 10)
+# Set in the environment
+ENV["http_proxy"] = "https://username:password@example.com:12345"
+
+# Will use the above proxy
+password = Pwned::Password.new("password")
+```
+
+You can specify a custom HTTP proxy with the `:proxy` option:
+
+```ruby
+password = Pwned::Password.new(
+  "password",
+  proxy: "https://username:password@example.com:12345"
+)
+```
+
+If you don't want to set a proxy and you don't want a proxy to be inferred from the environment, set the `:ignore_env_proxy` key:
+
+```ruby
+password = Pwned::Password.new("password", ignore_env_proxy: true)
 ```
 
 ### ActiveRecord Validator
@@ -182,29 +229,75 @@ end
 #### Custom Request Options
 
 You can configure network requests made from the validator using `:request_options` (see [Net::HTTP.start](http://ruby-doc.org/stdlib-2.6.3/libdoc/net/http/rdoc/Net/HTTP.html#method-c-start) for the list of available options).
-In addition to these options, HTTP headers can be specified with the `:headers` key (e.g. `"User-Agent"`) and proxy can be specified with the `:proxy` key:
 
 ```ruby
   validates :password, not_pwned: {
     request_options: {
       read_timeout: 5,
-      open_timeout: 1,
-      headers: { "User-Agent" => "Super fun user agent" },
+      open_timeout: 1
+    }
+  }
+```
+
+These options override the globally defined default options (see above).
+
+In addition to these options, you can also set the following:
+
+##### HTTP Headers
+
+HTTP headers can be specified with the `:headers` key (e.g. `"User-Agent"`)
+
+```ruby
+  validates :password, not_pwned: {
+    request_options: {
+      headers: { "User-Agent" => "Super fun user agent" }
+    }
+  }
+```
+
+##### HTTP Proxy
+
+An HTTP proxy can be set using the `http_proxy` or `HTTP_PROXY` environment variable. This is the same way that `Net::HTTP` handles HTTP proxies if no proxy options are given. See [`URI::Generic#find_proxy`](https://ruby-doc.org/stdlib-3.0.1/libdoc/uri/rdoc/URI/Generic.html#method-i-find_proxy) for full details on how Ruby detects a proxy from the environment.
+
+```ruby
+  # Set in the environment
+  ENV["http_proxy"] = "https://username:password@example.com:12345"
+
+  validates :password, not_pwned: true
+```
+
+You can specify a custom HTTP proxy with the `:proxy` key:
+
+```ruby
+  validates :password, not_pwned: {
+    request_options: {
       proxy: "https://username:password@example.com:12345"
     }
   }
 ```
 
+If you don't want to set a proxy and you don't want a proxy to be inferred from the environment, set the `:ignore_env_proxy` key:
+
+```ruby
+  validates :password, not_pwned: {
+    request_options: {
+      ignore_env_proxy: true
+    }
+  }
+```
+
 ### Using Asynchronously
 
-You may have a use case for hashing the password in advance, and then making the call to the Pwned Passwords API later (for example if you want to enqueue a job without storing the plaintext password). To do this, you can hash the password with the `Pwned.hash_password` method and then initialize the `Pwned::HashPassword` class with the hash, like this:
+You may have a use case for hashing the password in advance, and then making the call to the Pwned Passwords API later (for example if you want to enqueue a job without storing the plaintext password). To do this, you can hash the password with the `Pwned.hash_password` method and then initialize the `Pwned::HashedPassword` class with the hash, like this:
 
 ```ruby
 hashed_password = Pwned.hash_password(password)
 # some time later
-Pwned::HashPassword.new(hashed_password, request_options).pwned?
+Pwned::HashedPassword.new(hashed_password, request_options).pwned?
 ```
 
+The `Pwned::HashedPassword` constructor takes all the same options as the regular `Pwned::Password` contructor.
+
 ### Devise
 
 If you are using [Devise](https://github.com/heartcombo/devise) I recommend you use the [devise-pwned_password extension](https://github.com/michaelbanfield/devise-pwned_password) which is now powered by this gem.

data/lib/locale/fr.yml

@@ -0,0 +1,5 @@
+fr:
+  errors:
+    messages:
+      not_pwned: "est déjà apparu dans une brèche de données et ne doit pas être utilisé"
+      pwned_error: "n'a pas pu être vérifié par rapport aux brèches de données passées"

data/lib/locale/nl.yml

@@ -0,0 +1,5 @@
+nl:
+  errors:
+    messages:
+      not_pwned: "is eerder verschenen in een datalek en mag niet worden gebruikt"
+      pwned_error: "kon niet worden geverifieerd in eerdere datalekken"

data/lib/pwned/deep_merge.rb

@@ -0,0 +1,13 @@
+module DeepMerge
+  refine Hash do
+    def deep_merge(other)
+      self.merge(other) do |key, this_val, other_val|
+        if this_val.is_a?(Hash) && other_val.is_a?(Hash)
+          this_val.deep_merge(other_val)
+        else
+          other_val
+        end
+      end
+    end
+  end
+end

data/lib/pwned/hashed_password.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 require "pwned/password_base"
+require "pwned/deep_merge"
+
 
 module Pwned
   ##
@@ -9,6 +11,7 @@ module Pwned
   # @see https://haveibeenpwned.com/API/v2#PwnedPasswords
   class HashedPassword
     include PasswordBase
+    using DeepMerge
     ##
     # Creates a new hashed password object.
     #
@@ -19,18 +22,22 @@ module Pwned
     #
     # @param hashed_password [String] The hash of the password you want to check against the API.
     # @param [Hash] request_options Options that can be passed to +Net::HTTP.start+ when
-    #   calling the API
+    #   calling the API. This overrides any keys specified in +Pwned.default_request_options+.
     # @option request_options [Symbol] :headers ({ "User-Agent" => "Ruby Pwned::Password #{Pwned::VERSION}" })
     #   HTTP headers to include in the request
+    # @option request_options [Symbol] :ignore_env_proxy (false) The library
+    #   will try to infer an HTTP proxy from the `http_proxy` environment
+    #   variable. If you do not want this behaviour, set this option to true.
     # @raise [TypeError] if the password is not a string.
     # @since 2.1.0
     def initialize(hashed_password, request_options={})
       raise TypeError, "hashed_password must be of type String" unless hashed_password.is_a? String
       @hashed_password = hashed_password.upcase
-      @request_options = Hash(request_options).dup
-      @request_headers = Hash(request_options.delete(:headers))
+      @request_options = Pwned.default_request_options.deep_merge(request_options)
+      @request_headers = Hash(@request_options.delete(:headers))
       @request_headers = DEFAULT_REQUEST_HEADERS.merge(@request_headers)
-      @request_proxy = URI(request_options.delete(:proxy)) if request_options.key?(:proxy)
+      @request_proxy = URI(@request_options.delete(:proxy)) if @request_options.key?(:proxy)
+      @ignore_env_proxy = @request_options.delete(:ignore_env_proxy) || false
     end
   end
 end

data/lib/pwned/password.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "pwned/password_base"
+require "pwned/deep_merge"
 
 module Pwned
   ##
@@ -9,6 +10,7 @@ module Pwned
   # @see https://haveibeenpwned.com/API/v2#PwnedPasswords
   class Password
     include PasswordBase
+    using DeepMerge
     ##
     # @return [String] the password that is being checked.
     # @since 1.0.0
@@ -24,20 +26,23 @@ module Pwned
     #
     # @param password [String] The password you want to check against the API.
     # @param [Hash] request_options Options that can be passed to +Net::HTTP.start+ when
-    #   calling the API
+    #   calling the API. This overrides any keys specified in +Pwned.default_request_options+.
     # @option request_options [Symbol] :headers ({ "User-Agent" => "Ruby Pwned::Password #{Pwned::VERSION}" })
     #   HTTP headers to include in the request
-    # @return [Boolean] Whether the password appears in the data breaches or not.
+    # @option request_options [Symbol] :ignore_env_proxy (false) The library
+    #   will try to infer an HTTP proxy from the `http_proxy` environment
+    #   variable. If you do not want this behaviour, set this option to true.
     # @raise [TypeError] if the password is not a string.
     # @since 1.1.0
     def initialize(password, request_options={})
       raise TypeError, "password must be of type String" unless password.is_a? String
       @password = password
       @hashed_password = Pwned.hash_password(password)
-      @request_options = Hash(request_options).dup
-      @request_headers = Hash(request_options.delete(:headers))
+      @request_options = Pwned.default_request_options.deep_merge(request_options)
+      @request_headers = Hash(@request_options.delete(:headers))
       @request_headers = DEFAULT_REQUEST_HEADERS.merge(@request_headers)
-      @request_proxy = URI(request_options.delete(:proxy)) if request_options.key?(:proxy)
+      @request_proxy = URI(@request_options.delete(:proxy)) if @request_options.key?(:proxy)
+      @ignore_env_proxy = @request_options.delete(:ignore_env_proxy) || false
     end
   end
 end

data/lib/pwned/password_base.rb

@@ -65,7 +65,7 @@ module Pwned
 
     private
 
-    attr_reader :request_options, :request_headers, :request_proxy
+    attr_reader :request_options, :request_headers, :request_proxy, :ignore_env_proxy
 
     def fetch_pwned_count
       for_each_response_line do |line|
@@ -108,10 +108,12 @@ module Pwned
       request.initialize_http_header(request_headers)
       request_options[:use_ssl] = true
 
+      environment_proxy = ignore_env_proxy ? nil : :ENV
+
       Net::HTTP.start(
         uri.host,
         uri.port,
-        request_proxy&.host,
+        request_proxy&.host || environment_proxy,
         request_proxy&.port,
         request_proxy&.user,
         request_proxy&.password,
@@ -136,6 +138,5 @@ module Pwned
 
       yield last_line unless last_line.empty?
     end
-
   end
 end

data/lib/pwned/version.rb

@@ -3,5 +3,5 @@
 module Pwned
   ##
   # The current version of the +pwned+ gem.
-  VERSION = "2.2.0"
+  VERSION = '2.4.1'
 end

data/lib/pwned.rb

@@ -23,6 +23,29 @@ end
 # results for a password.
 
 module Pwned
+  @default_request_options = {}
+
+  ##
+  # The default request options passed to +Net::HTTP.start+ when calling the API.
+  #
+  # @return [Hash]
+  # @see Pwned::Password#initialize
+  def self.default_request_options
+    @default_request_options
+  end
+
+  ##
+  # Sets the default request options passed to +Net::HTTP.start+ when calling
+  # the API.
+  #
+  # The default options may be overridden in +Pwned::Password#new+.
+  #
+  # @param [Hash] request_options
+  # @see Pwned::Password#initialize
+  def self.default_request_options=(request_options)
+    @default_request_options = request_options
+  end
+
   ##
   # Returns +true+ when the password has been pwned.
   #
@@ -35,6 +58,9 @@ module Pwned
   #   calling the API
   # @option request_options [Symbol] :headers ({ "User-Agent" => "Ruby Pwned::Password #{Pwned::VERSION}" })
   #   HTTP headers to include in the request
+  # @option request_options [Symbol] :ignore_env_proxy (false) The library
+  #   will try to infer an HTTP proxy from the `http_proxy` environment
+  #   variable. If you do not want this behaviour, set this option to true.
   # @return [Boolean] Whether the password appears in the data breaches or not.
   # @since 1.1.0
   def self.pwned?(password, request_options={})
@@ -53,6 +79,9 @@ module Pwned
   #   calling the API
   # @option request_options [Symbol] :headers ({ "User-Agent" => "Ruby Pwned::Password #{Pwned::VERSION}" })
   #   HTTP headers to include in the request
+  # @option request_options [Symbol] :ignore_env_proxy (false) The library
+  #   will try to infer an HTTP proxy from the `http_proxy` environment
+  #   variable. If you do not want this behaviour, set this option to true.
   # @return [Integer] The number of times the password has appeared in the data
   #   breaches.
   # @since 1.1.0

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pwned
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.4.1
 platform: ruby
 authors:
 - Phil Nash
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-27 00:00:00.000000000 Z
+date: 2022-08-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -109,7 +109,10 @@ files:
 - bin/pwned
 - bin/setup
 - lib/locale/en.yml
+- lib/locale/fr.yml
+- lib/locale/nl.yml
 - lib/pwned.rb
+- lib/pwned/deep_merge.rb
 - lib/pwned/error.rb
 - lib/pwned/hashed_password.rb
 - lib/pwned/not_pwned_validator.rb
@@ -141,7 +144,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.1.2
 signing_key:
 specification_version: 4
 summary: Tools to use the Pwned Passwords API.