Rodauth extension that checks user passwords against the Pwned Passwords API
janko/rodauth-pwned
Rodauth feature that checks user passwords against the Pwned Passwords API (using the Pwned rubygem).

```rb
gem "rodauth-pwned"
```
All you need to do is enable the `pwned_password` Rodauth feature provided by this gem, and new passwords will be automatically checked.

```rb
plugin :rodauth do
  enable :pwned_password, ...
  # ...
end
```
You can still accept passwords that have only been exposed a small number of times:

```rb
plugin :rodauth do
  # ...
  password_allowed_pwned_count 5 # allow password to be pwned up to 5 times
end
```
You can change the default validation error message:
```rb
plugin :rodauth do
  # ...
  password_pwned_message "has been pwned"
end
```
You can pass additional request options to the Pwned gem:

```rb
plugin :rodauth do
  # ...
  pwned_request_options open_timeout: 1, read_timeout: 5, headers: { "User-Agent" => "MyApp" }
end
```
By default, any network errors to the Pwned Passwords API will be ignored, and the password will be considered not pwned (the check fails open, so an outage never blocks sign-ups or password changes). You can hook into these errors:

```rb
plugin :rodauth do
  # ...
  on_pwned_error { |error| Raven.capture_exception(error) }
end
```
The feature exposes two public methods which you can use in your own code:

- `password_pwned?(password)` – whether the given password is considered pwned
- `pwned_count(password)` – how many times the given password has been pwned

```rb
rodauth.password_pwned?("password123") #=> true
rodauth.pwned_count("password123")     #=> 123063
```
You can also override these two methods:

```rb
plugin :rodauth do
  # ...
  password_pwned? { |password| ... }
  pwned_count { |password| ... }
end
```
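To make clear what `pwned_count` and `password_pwned?` compute, and what the fail-open behaviour of the error handling above means in practice, here is an added, self-contained Ruby example of the k-anonymity range lookup the Pwned Passwords API is built on. It is not code from this gem or from the Pwned rubygem: the `PwnedChecker` class, its `NetworkError` exception and the `fetcher` injection point are assumptions made so the example runs offline against a constructed range response instead of calling the real API.

```ruby
require "digest"

# Pwned Passwords range lookup (added example, not the gem's own code).
# The real API is queried with only the first 5 hex characters of the
# password's SHA-1 hash; the remaining 35 characters are matched locally
# against the returned "<suffix>:<count>" lines, so the full hash never
# leaves the process. `fetcher` is a callable taking the 5-char prefix and
# returning the response body; `allowed_count` mirrors
# password_allowed_pwned_count and `on_error` mirrors on_pwned_error.
class PwnedChecker
  NetworkError = Class.new(StandardError) # hypothetical stand-in for HTTP/timeout errors

  def initialize(fetcher:, allowed_count: 0, on_error: nil)
    @fetcher = fetcher
    @allowed_count = allowed_count
    @on_error = on_error
  end

  # Number of breaches the password appeared in, 0 if it is not in the range.
  def pwned_count(password)
    sha1 = Digest::SHA1.hexdigest(password).upcase
    prefix, suffix = sha1[0, 5], sha1[5, 35]
    @fetcher.call(prefix).each_line do |line|
      line_suffix, count = line.strip.split(":", 2)
      return Integer(count) if line_suffix == suffix
    end
    0
  rescue NetworkError => e
    @on_error&.call(e)
    0 # fail open: a network error is reported, not treated as "pwned"
  end

  # A password is pwned once its count exceeds the allowed threshold.
  def password_pwned?(password)
    pwned_count(password) > @allowed_count
  end
end

# Constructed sample data: passwords and the breach counts a range response
# would report for them. The counts are made up for this example.
CONSTRUCTED_COUNTS = { "password123" => 123063, "hunter2" => 3 }.freeze

# Builds an offline fetcher that answers like the range endpoint would:
# one "<35-hex suffix>:<count>" line per known hash in the requested prefix,
# plus a filler line so every range is non-empty.
def build_constructed_fetcher(counts)
  ranges = Hash.new { |h, k| h[k] = +"" }
  counts.each do |password, n|
    sha1 = Digest::SHA1.hexdigest(password).upcase
    ranges[sha1[0, 5]] << "#{sha1[5, 35]}:#{n}\r\n"
  end
  filler = "0000000000000000000000000000000000A:1\r\n"
  ->(prefix) { filler + ranges.fetch(prefix, "") }
end

# Lookup against the constructed data with the same threshold the README
# shows (up to 5 exposures allowed).
def demo_lookup
  checker = PwnedChecker.new(fetcher: build_constructed_fetcher(CONSTRUCTED_COUNTS),
                             allowed_count: 5)
  [
    checker.pwned_count("password123"),                    # 123063
    checker.password_pwned?("password123"),                # true  (123063 > 5)
    checker.password_pwned?("hunter2"),                    # false (3 <= 5)
    checker.pwned_count("correct horse battery staple")    # 0, not in the range
  ]
end

# What the fail-open default looks like: the fetcher raises, the error
# reaches the on_error hook, and the password is reported as not pwned.
def demo_network_error
  errors = []
  failing = ->(_prefix) { raise PwnedChecker::NetworkError, "connect timeout" }
  checker = PwnedChecker.new(fetcher: failing, on_error: ->(e) { errors << e.message })
  [checker.password_pwned?("password123"), errors]
end

if __FILE__ == $PROGRAM_NAME
  p demo_lookup
  p demo_network_error
end
```

The second demo is the reason the `on_pwned_error` hook exists: without it an outage of the API is silent, and every password checked during the outage is accepted. Forwarding the error to your error tracker, as the `Raven.capture_exception` snippet above does, is what lets you notice that the check was effectively disabled for a while.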
If a user's password becomes pwned, you may want to warn them on login:

```rb
plugin :rodauth do
  # ...
  after_login do
    db.after_commit do # better to make HTTP requests outside of transactions
      if param_or_nil(password_param) && password_pwned?(param(password_param))
        set_redirect_error_flash "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password."
      end
    end
  end
end
```
Run tests with Rake:

```sh
$ bundle exec rake test
```
This gem has been inspired by devise-pwned_password.

The gem is available as open source under the terms of the MIT License.

Everyone interacting in the Rodauth::Pwned project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.