janko/rodauth-pwned

Rodauth extension that checks user passwords against the Pwned Passwords API
Rodauth feature that checks user passwords against the Pwned Passwords API (using the Pwned rubygem).

```ruby
gem "rodauth-pwned"
```

All you need to do is enable the `pwned_password` Rodauth feature provided by this gem, and new passwords will be automatically checked.

```ruby
plugin :rodauth do
  enable :pwned_password, ...
  # ...
end
```
You can still accept passwords that have only been exposed a small number of times:

```ruby
plugin :rodauth do
  # ...
  password_allowed_pwned_count 5 # allow password to be pwned up to 5 times
end
```
You can change the default validation error message:

```ruby
plugin :rodauth do
  # ...
  password_pwned_message "has been pwned"
end
```
You can pass additional request options to the Pwned gem:

```ruby
plugin :rodauth do
  # ...
  pwned_request_options open_timeout: 1, read_timeout: 5, headers: { "User-Agent" => "MyApp" }
end
```
By default, any network errors to the Pwned Passwords API will be ignored, and the password will be considered not pwned. You can hook into these errors:

```ruby
plugin :rodauth do
  # ...
  on_pwned_error { |error| Raven.capture_exception(error) }
end
```
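To make the behaviour described above concrete, here is an added example (not code from rodauth-pwned or the Pwned gem) of the k-anonymity lookup the Pwned Passwords range API is built on: only the first five hex characters of the password's SHA-1 leave the client, the returned `SUFFIX:COUNT` list is matched locally, a password is rejected only when its count exceeds the allowed count (the `password_allowed_pwned_count` idea), and a network error is handed to a callback and treated as "not pwned", matching the fail-open default. The HTTP call is replaced by a constructed fetcher so it runs offline; the `123063` count is taken from the README's own example output, and the other rows are made-up sample data.

```ruby
require "digest"

# Constructed example, not code from rodauth-pwned or the pwned gem: a minimal
# k-anonymity lookup against the Pwned Passwords range API, run offline
# against a hand-built range response.

# Only the first five hex characters of the SHA-1 are sent to the API; the
# remaining 35 are compared locally against the returned list.
def sha1_prefix_suffix(password)
  hex = Digest::SHA1.hexdigest(password).upcase
  [hex[0, 5], hex[5, 35]]
end

# Parse a range response body ("SUFFIX:COUNT" per line) into { suffix => count }.
def parse_range_response(body)
  body.each_line.with_object({}) do |line, counts|
    suffix, count = line.strip.split(":", 2)
    next if suffix.nil? || count.nil?
    counts[suffix.upcase] = count.to_i
  end
end

# Breach count for a password; `fetcher` takes a prefix and returns the body.
def range_pwned_count(password, fetcher)
  prefix, suffix = sha1_prefix_suffix(password)
  parse_range_response(fetcher.call(prefix)).fetch(suffix, 0)
end

# Policy layer mirroring the README's knobs: a password is rejected only when
# its count exceeds allowed_count, and a lookup failure is reported through
# on_error and treated as "not pwned" (the fail-open default described above).
def pwned_password?(password, fetcher, allowed_count: 0, on_error: nil)
  range_pwned_count(password, fetcher) > allowed_count
rescue StandardError => e
  on_error&.call(e)
  false
end

# Offline stand-in for the HTTP call. The suffix for "password123" is computed
# at load time; the other rows are constructed sample data and the 123063
# count is the figure quoted in the README.
CONSTRUCTED_FETCHER = lambda do |_prefix|
  _, suffix = sha1_prefix_suffix("password123")
  <<~BODY
    0123456789ABCDEF0123456789ABCDEF012:1
    #{suffix}:123063
    FEDCBA9876543210FEDCBA9876543210FED:3
  BODY
end

# Stand-in for a network failure, to exercise the error path.
FAILING_FETCHER = ->(_prefix) { raise IOError, "constructed network failure" }

if __FILE__ == $PROGRAM_NAME
  puts range_pwned_count("password123", CONSTRUCTED_FETCHER) # 123063
  puts pwned_password?("password123", CONSTRUCTED_FETCHER)   # true
  puts pwned_password?("password123", FAILING_FETCHER, on_error: ->(e) { warn e.message }) # false
end
```

Injecting the fetcher is also the shape you would reach for when overriding `password_pwned?` or `pwned_count` in the Rodauth configuration, since it keeps the hashing and threshold logic testable without network access.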
The feature exposes two public methods which you can use in your own code:

- `password_pwned?(password)` – whether the given password is considered pwned
- `pwned_count(password)` – how many times the given password has been pwned

```ruby
rodauth.password_pwned?("password123") #=> true
rodauth.pwned_count("password123")     #=> 123063
```
You can also override these two methods:

```ruby
plugin :rodauth do
  # ...
  password_pwned? { |password| ... }
  pwned_count { |password| ... }
end
```
If a user's password becomes pwned, you may want to warn them on login:

```ruby
plugin :rodauth do
  # ...
  after_login do
    db.after_commit do # better to make HTTP requests outside of transactions
      if param_or_nil(password_param) && password_pwned?(param(password_param))
        set_redirect_error_flash "Your password has previously appeared in a data breach and should never be used. We strongly recommend you change your password."
      end
    end
  end
end
```
Run tests with Rake:

```sh
$ bundle exec rake test
```
This gem has been inspired by devise-pwned_password.

The gem is available as open source under the terms of the MIT License.

Everyone interacting in the Rodauth::Pwned project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.