rodauth-pwned 0.1.0

@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: fd0ad8ce7b86521b47c5d4ed6c1986210ba2962651ebf0689de230c2ce177e33
4
+ data.tar.gz: 4561058c9852a558be78f3c1584b72c96656925fcb91b7a8963d2282445a852b
5
+ SHA512:
6
+ metadata.gz: b7d5a4f4a155fcd78871ea41851727b6243a4fd8d5b56453296ae724c150969363d0b20f9a01182541b317ef7cce3e9e5cb0d27879eb974910d5fea4ffb736a7
7
+ data.tar.gz: 207219558e027c559910cba8a662940eee39cbb8c6ce12e2a0d9f06c1c63cca4b9a2415c517f8faff2ea4bd702aedcacb881303371e90f4f33a1e7fd5d8d07c6
@@ -0,0 +1,21 @@
1
+ The MIT License (MIT)
2
+
3
+ Copyright (c) 2020 Janko Marohnić
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in
13
+ all copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21
+ THE SOFTWARE.
@@ -0,0 +1,113 @@
1
+ # rodauth-pwned
2
+
3
+ [Rodauth] feature that checks user passwords against the [Pwned Passwords API].
4
+
5
+ ## Installation
6
+
7
+ ```rb
8
+ gem "rodauth-pwned"
9
+ ```
10
+
11
+ ## Usage
12
+
13
+ All you need to do is enable the `pwned_password` Rodauth feature provided by
14
+ this gem, and new passwords will be automatically checked.
15
+
16
+ ```rb
17
+ plugin :rodauth do
18
+ enable :pwned_password, ...
19
+ # ...
20
+ end
21
+ ```
22
+
23
+ ### Allowed count
24
+
25
+ You can still accept passwords that have only been exposed a small number of
26
+ times:
27
+
28
+ ```rb
29
+ plugin :rodauth do
30
+ # ...
31
+ password_allowed_pwned_count 5 # allow password to be pwned up to 5 times
32
+ end
33
+ ```
34
+
35
+ ### Validation error message
36
+
37
+ You can change the default validation error message:
38
+
39
+ ```rb
40
+ plugin :rodauth do
41
+ # ...
42
+ password_pwned_message "has been pwned"
43
+ end
44
+ ```
45
+
46
+ ### Request options
47
+
48
+ You can pass additional request options to the [Pwned] gem:
49
+
50
+ ```rb
51
+ plugin :rodauth do
52
+ # ...
53
+ pwned_request_options open_timeout: 1, read_timeout: 5, headers: { "User-Agent" => "MyApp" }
54
+ end
55
+ ```
56
+
57
+ ### Handling network errors
58
+
59
+ By default, any network errors to the Pwned Passwords API will be ignored, and
60
+ the password will be considered not pwned. You can hook into these errors:
61
+
62
+ ```rb
63
+ plugin :rodauth do
64
+ # ...
65
+ on_pwned_error { |error| Raven.capture_exception(error) }
66
+ end
67
+ ```
68
+
69
+ ### API
70
+
71
+ The feature exposes two public methods which you can use in your own code:
72
+
73
+ * `password_pwned?(password)` – whether given password is considered pwned
74
+ * `pwned_count(password)` – how many times has the given password been pwned
75
+
76
+ ```rb
77
+ rodauth.password_pwned?("password123") #=> true
78
+ rodauth.pwned_count("password123") #=> 123063
79
+ ```
80
+
81
+ You can also override these two methods:
82
+
83
+ ```rb
84
+ plugin :rodauth do
85
+ # ...
86
+ password_pwned? { |password| ... }
87
+ pwned_count { |password| ... }
88
+ end
89
+ ```
90
+
91
+ ## Development
92
+
93
+ Run tests with Rake:
94
+
95
+ ```sh
96
+ $ bundle exec rake test
97
+ ```
98
+
99
+ ## Contributing
100
+
101
+ Bug reports and pull requests are welcome on GitHub at https://github.com/janko/rodauth-pwned. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/janko/rodauth-pwned/blob/master/CODE_OF_CONDUCT.md).
102
+
103
+ ## License
104
+
105
+ The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
106
+
107
+ ## Code of Conduct
108
+
109
+ Everyone interacting in the Rodauth::Pwned project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/janko/rodauth-pwned/blob/master/CODE_OF_CONDUCT.md).
110
+
111
+ [Rodauth]: https://github.com/jeremyevans/rodauth
112
+ [Pwned Passwords API]: https://haveibeenpwned.com/Passwords
113
+ [Pwned]: https://github.com/philnash/pwned
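Review bot: the "Handling network errors" section documents a fail-open default (an unreachable Pwned Passwords API means the password "will be considered not pwned") without calling out that an outage silently bypasses the breach check; consider stating that explicitly and showing how to fail closed, since raising from the `on_pwned_error` hook propagates out of the `rescue Pwned::Error` clause in `password_pwned?`. The "API" section also lists `pwned_count(password)` as a public method but does not mention that, unlike `password_pwned?`, it is not wrapped by the rescue and will raise `Pwned::Error` to the caller on network failure.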
@@ -0,0 +1,46 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "pwned"
4
+
5
+ module Rodauth
6
+ Feature.define(:pwned_password, :PwnedPassword) do
7
+ depends :login_password_requirements_base
8
+
9
+ auth_value_method :password_allowed_pwned_count, 0
10
+ translatable_method :password_pwned_message, "this password has previously appeared in a data breach and should never be used"
11
+ auth_value_method :pwned_request_options, {}
12
+
13
+ auth_methods(
14
+ :password_pwned?,
15
+ :pwned_count,
16
+ :on_pwned_error,
17
+ )
18
+
19
+ def password_meets_requirements?(password)
20
+ super && password_not_pwned?(password)
21
+ end
22
+
23
+ def password_pwned?(password)
24
+ pwned_count(password) > password_allowed_pwned_count
25
+ rescue Pwned::Error => error
26
+ on_pwned_error(error)
27
+ nil
28
+ end
29
+
30
+ def pwned_count(password)
31
+ Pwned.pwned_count(password, pwned_request_options)
32
+ end
33
+
34
+ private
35
+
36
+ def password_not_pwned?(password)
37
+ return true unless password_pwned?(password)
38
+ @password_requirement_message = password_pwned_message
39
+ false
40
+ end
41
+
42
+ def on_pwned_error(error)
43
+ # nothing by default
44
+ end
45
+ end
46
+ end
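Review bot: `password_pwned?` swallows `Pwned::Error`, calls `on_pwned_error(error)` and returns `nil`, so `password_not_pwned?` returns `true` and the password is accepted whenever the API call fails; that fail-open choice deserves a comment at the `rescue` line, and the `on_pwned_error` default body (`# nothing by default`) could note that an override which raises will make the check fail closed. `pwned_count` is exposed as a public auth method but is not covered by that rescue, so direct callers get the raw `Pwned::Error`; either document this or route it through the same hook.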
@@ -0,0 +1,28 @@
1
+ Gem::Specification.new do |spec|
2
+ spec.name = "rodauth-pwned"
3
+ spec.version = "0.1.0"
4
+ spec.authors = ["Janko Marohnić"]
5
+ spec.email = ["janko.marohnic@gmail.com"]
6
+
7
+ spec.summary = "Rodauth extension for checking whether a password had been exposed in a database breach according to https://haveibeenpwned.com."
8
+ spec.description = "Rodauth extension for checking whether a password had been exposed in a database breach according to https://haveibeenpwned.com."
9
+ spec.homepage = "https://github.com/janko/rodauth-pwned"
10
+ spec.license = "MIT"
11
+
12
+ spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
13
+
14
+ spec.metadata["homepage_uri"] = spec.homepage
15
+ spec.metadata["source_code_uri"] = spec.homepage
16
+
17
+ spec.files = Dir["README.md", "LICENSE.txt", "*.gemspec", "lib/**/*"]
18
+ spec.require_paths = ["lib"]
19
+
20
+ spec.add_dependency "rodauth", "~> 2.0"
21
+ spec.add_dependency "pwned", "~> 2.1"
22
+
23
+ spec.add_development_dependency "minitest"
24
+ spec.add_development_dependency "minitest-hooks"
25
+ spec.add_development_dependency "tilt"
26
+ spec.add_development_dependency "bcrypt"
27
+ spec.add_development_dependency "capybara"
28
+ end
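Review bot: `spec.summary` and `spec.description` are identical and both read "a password had been exposed in a database breach"; "has been exposed in a data breach" is the correct tense and the term haveibeenpwned.com itself uses, and the description could say a little more than the summary (for example that the check is done against the Pwned Passwords API and what happens on network errors).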
metadata ADDED
@@ -0,0 +1,149 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: rodauth-pwned
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.0
5
+ platform: ruby
6
+ authors:
7
+ - Janko Marohnić
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2020-08-23 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: rodauth
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - "~>"
18
+ - !ruby/object:Gem::Version
19
+ version: '2.0'
20
+ type: :runtime
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - "~>"
25
+ - !ruby/object:Gem::Version
26
+ version: '2.0'
27
+ - !ruby/object:Gem::Dependency
28
+ name: pwned
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - "~>"
32
+ - !ruby/object:Gem::Version
33
+ version: '2.1'
34
+ type: :runtime
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - "~>"
39
+ - !ruby/object:Gem::Version
40
+ version: '2.1'
41
+ - !ruby/object:Gem::Dependency
42
+ name: minitest
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - ">="
46
+ - !ruby/object:Gem::Version
47
+ version: '0'
48
+ type: :development
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - ">="
53
+ - !ruby/object:Gem::Version
54
+ version: '0'
55
+ - !ruby/object:Gem::Dependency
56
+ name: minitest-hooks
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - ">="
60
+ - !ruby/object:Gem::Version
61
+ version: '0'
62
+ type: :development
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - ">="
67
+ - !ruby/object:Gem::Version
68
+ version: '0'
69
+ - !ruby/object:Gem::Dependency
70
+ name: tilt
71
+ requirement: !ruby/object:Gem::Requirement
72
+ requirements:
73
+ - - ">="
74
+ - !ruby/object:Gem::Version
75
+ version: '0'
76
+ type: :development
77
+ prerelease: false
78
+ version_requirements: !ruby/object:Gem::Requirement
79
+ requirements:
80
+ - - ">="
81
+ - !ruby/object:Gem::Version
82
+ version: '0'
83
+ - !ruby/object:Gem::Dependency
84
+ name: bcrypt
85
+ requirement: !ruby/object:Gem::Requirement
86
+ requirements:
87
+ - - ">="
88
+ - !ruby/object:Gem::Version
89
+ version: '0'
90
+ type: :development
91
+ prerelease: false
92
+ version_requirements: !ruby/object:Gem::Requirement
93
+ requirements:
94
+ - - ">="
95
+ - !ruby/object:Gem::Version
96
+ version: '0'
97
+ - !ruby/object:Gem::Dependency
98
+ name: capybara
99
+ requirement: !ruby/object:Gem::Requirement
100
+ requirements:
101
+ - - ">="
102
+ - !ruby/object:Gem::Version
103
+ version: '0'
104
+ type: :development
105
+ prerelease: false
106
+ version_requirements: !ruby/object:Gem::Requirement
107
+ requirements:
108
+ - - ">="
109
+ - !ruby/object:Gem::Version
110
+ version: '0'
111
+ description: Rodauth extension for checking whether a password had been exposed in
112
+ a database breach according to https://haveibeenpwned.com.
113
+ email:
114
+ - janko.marohnic@gmail.com
115
+ executables: []
116
+ extensions: []
117
+ extra_rdoc_files: []
118
+ files:
119
+ - LICENSE.txt
120
+ - README.md
121
+ - lib/rodauth/features/pwned_password.rb
122
+ - rodauth-pwned.gemspec
123
+ homepage: https://github.com/janko/rodauth-pwned
124
+ licenses:
125
+ - MIT
126
+ metadata:
127
+ homepage_uri: https://github.com/janko/rodauth-pwned
128
+ source_code_uri: https://github.com/janko/rodauth-pwned
129
+ post_install_message:
130
+ rdoc_options: []
131
+ require_paths:
132
+ - lib
133
+ required_ruby_version: !ruby/object:Gem::Requirement
134
+ requirements:
135
+ - - ">="
136
+ - !ruby/object:Gem::Version
137
+ version: 2.3.0
138
+ required_rubygems_version: !ruby/object:Gem::Requirement
139
+ requirements:
140
+ - - ">="
141
+ - !ruby/object:Gem::Version
142
+ version: '0'
143
+ requirements: []
144
+ rubygems_version: 3.1.1
145
+ signing_key:
146
+ specification_version: 4
147
+ summary: Rodauth extension for checking whether a password had been exposed in a database
148
+ breach according to https://haveibeenpwned.com.
149
+ test_files: []
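Review bot: `cert_chain: []` together with the empty `signing_key:` shows this release is published unsigned, so consumers have only the SHA256/SHA512 checksums of `metadata.gz` and `data.tar.gz` at the top of this diff to verify the package contents; if the project intends to support `gem install -P HighSecurity` or similar verification, a signing certificate should be added in a follow-up.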