Rodauth extension that checks user passwords against the Pwned Passwords API


janko/rodauth-pwned


Rodauth feature that checks user passwords against the Pwned Passwords API (using the Pwned rubygem).

Installation

gem "rodauth-pwned"

Usage

All you need to do is enable the pwned_password Rodauth feature provided by this gem, and new passwords will be automatically checked.

plugin :rodauth do
  enable :pwned_password, ...
  # ...
end

Allowed count

You can still accept passwords that have only been exposed a small number of times:

plugin :rodauth do
  # ...
  password_allowed_pwned_count 5 # allow password to be pwned up to 5 times
end

Validation error message

You can change the default validation error message:

plugin :rodauth do
  # ...
  password_pwned_message "has been pwned"
end

Request options

You can pass additional request options to the Pwned gem:

plugin :rodauth do
  # ...
  pwned_request_options open_timeout: 1, read_timeout: 5, headers: { "User-Agent" => "MyApp" }
end

Handling network errors

By default, any network error while calling the Pwned Passwords API is ignored and the password is treated as not pwned, so the check fails open. You can hook into these errors:

plugin :rodauth do
  # ...
  on_pwned_error { |error| Raven.capture_exception(error) }
end

API

The feature exposes two public methods which you can use in your own code:

  • password_pwned?(password) – whether the given password is considered pwned
  • pwned_count(password) – how many times the given password has been pwned

rodauth.password_pwned?("password123") #=> true
rodauth.pwned_count("password123")     #=> 123063
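The two methods above are thin wrappers around the Pwned rubygem, which talks to the API's k-anonymity range endpoint: only the first five hex characters of the password's SHA-1 hash are sent, and the response lists every hash suffix in that range with its breach count, so the full hash never leaves the application. The following stand-alone Ruby sketch is an added illustration, not code from this gem or from the Pwned gem, and ties together three parts of this README: the lookup behind pwned_count, the threshold behind password_allowed_pwned_count, and the fail-open default plus on_pwned_error callback from the network-errors section. The PwnedChecker class, the sample_range_body stub, the CONSTRUCTED_BREACHES table and the demo_results helper are all assumptions made for this example; the count for "letmein" is constructed, while 123063 is the figure quoted above for "password123".

```ruby
require "digest"
require "socket"
require "timeout"

# Added example: a minimal Pwned Passwords checker with the same knobs this
# README describes. Network access is injected (fetch_range) so the example
# runs offline; in production that callable would perform the HTTPS request.
class PwnedChecker
  # fetch_range:   callable taking a 5-char SHA-1 prefix, returning the body
  #                of the range response as "SUFFIX:COUNT" lines
  # allowed_count: mirrors password_allowed_pwned_count (default 0)
  # on_error:      mirrors on_pwned_error; after reporting, the password is
  #                treated as not pwned, matching the README's default
  def initialize(fetch_range:, allowed_count: 0, on_error: nil)
    @fetch_range = fetch_range
    @allowed_count = allowed_count
    @on_error = on_error
  end

  # k-anonymity lookup: send the prefix, match the suffix locally.
  def pwned_count(password)
    sha1 = Digest::SHA1.hexdigest(password).upcase
    prefix, suffix = sha1[0, 5], sha1[5..]
    @fetch_range.call(prefix).each_line do |line|
      hash_suffix, count = line.strip.split(":", 2)
      return count.to_i if hash_suffix == suffix
    end
    0 # suffix absent from the range: never seen in a breach
  rescue SocketError, SystemCallError, Timeout::Error, IOError => e
    @on_error&.call(e)
    0 # fail open, as the README's default behaviour does
  end

  def password_pwned?(password)
    pwned_count(password) > @allowed_count
  end
end

# Constructed breach data (assumption): 123063 is the README's figure for
# "password123"; the "letmein" count is invented to exercise the threshold.
CONSTRUCTED_BREACHES = { "password123" => 123_063, "letmein" => 3 }.freeze

# Constructed stand-in for the range endpoint. Two unrelated filler entries
# appear in every range, plus the real suffix of any constructed breach whose
# hash falls into the requested prefix.
def sample_range_body(prefix)
  lines = ["0018A45C4D1DEF81644B54AB7F969B88D65:1", "011053FD0102E94D6AE2F8B83D76FAF94F6:3"]
  CONSTRUCTED_BREACHES.each do |password, count|
    sha1 = Digest::SHA1.hexdigest(password).upcase
    lines << "#{sha1[5..]}:#{count}" if sha1.start_with?(prefix)
  end
  lines.join("\r\n")
end

# Runs the checker in strict, lenient and network-failure configurations.
def demo_results
  errors = []
  strict  = PwnedChecker.new(fetch_range: method(:sample_range_body))
  lenient = PwnedChecker.new(fetch_range: method(:sample_range_body), allowed_count: 5)
  failing = PwnedChecker.new(fetch_range: ->(_prefix) { raise Errno::ECONNREFUSED },
                             on_error: ->(e) { errors << e.class })
  {
    breached_count:           strict.pwned_count("password123"),
    strict_password123:       strict.password_pwned?("password123"),
    strict_letmein:           strict.password_pwned?("letmein"),
    lenient_password123:      lenient.password_pwned?("password123"),
    lenient_letmein:          lenient.password_pwned?("letmein"),
    unknown_password:         strict.password_pwned?("correct horse battery staple 9f3a"),
    network_error_fails_open: failing.password_pwned?("password123"),
    errors_reported:          errors,
  }
end

puts demo_results if $PROGRAM_NAME == __FILE__
```

The fail-open branch is the part worth noticing: a Pwned Passwords outage silently disables the check, which is why the README's on_pwned_error hook exists; wiring it to your error tracker, as the Raven example does, is what lets you notice that the check has stopped running.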

You can also override these two methods:

plugin :rodauth do
  # ...
  password_pwned? { |password| ... }
  pwned_count { |password| ... }
end

Warning users with pwned passwords

If a user's password becomes pwned, you may want to warn them on login:

plugin :rodauth do
  # ...
  after_login do
    db.after_commit do # better to make HTTP requests outside of transactions
      if param_or_nil(password_param) && password_pwned?(param(password_param))
        set_redirect_error_flash "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password."
      end
    end
  end
end

Development

Run tests with Rake:

$ bundle exec rake test

Credits

This gem has been inspired by devise-pwned_password.

License

The gem is available as open source under the terms of the MIT License.

Code of Conduct

Everyone interacting in the Rodauth::Pwned project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.
