Initial commit

.gitignore

@@ -0,0 +1,2 @@
+pkg/
+Gemfile.lock

CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at janko.marohnic@gmail.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [https://contributor-covenant.org/version/1/4][version]
+
+[homepage]: https://contributor-covenant.org
+[version]: https://contributor-covenant.org/version/1/4/

Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+gemspec
+
+gem "sqlite3"
+gem "rake", "~> 12.0"

LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Janko Marohnić
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,113 @@
+# rodauth-pwned
+
+[Rodauth] feature that checks user passwords against the [Pwned Passwords API].
+
+## Installation
+
+```rb
+gem "rodauth-pwned"
+```
+
+## Usage
+
+All you need to do is enable the `pwned_password` Rodauth feature provided by
+this gem, and new passwords will be automatically checked.
+
+```rb
+plugin :rodauth do
+  enable :pwned_password, ...
+  # ...
+end
+```
+
+### Allowed count
+
+You can still accept passwords that have only been exposed a small number of
+times:
+
+```rb
+plugin :rodauth do
+  # ...
+  password_allowed_pwned_count 5 # allow password to be pwned up to 5 times
+end
+```
+
+### Validation error message
+
+You can change the default validation error message:
+
+```rb
+plugin :rodauth do
+  # ...
+  password_pwned_message "has been pwned"
+end
+```
+
+### Request options
+
+You can pass additional request options to the [Pwned] gem:
+
+```rb
+plugin :rodauth do
+  # ...
+  pwned_request_options open_timeout: 1, read_timeout: 5, headers: { "User-Agent" => "MyApp" }
+end
+```
+
+### Handling network errors
+
+By default, any network errors to the Pwned Passwords API will be ignored, and
+the password will be considered not pwned. You can hook into these errors:
+
+```rb
+plugin :rodauth do
+  # ...
+  on_pwned_error { |error| Raven.capture_exception(error) }
+end
+```
+
+### API
+
+The feature exposes two public methods which you can use in your own code:
+
+* `password_pwned?(password)` – whether given password is considered pwned
+* `pwned_count(password)` – how many times has the given password been pwned
+
+```rb
+rodauth.password_pwned?("password123") #=> true
+rodauth.pwned_count("password123")     #=> 123063
+```
+
+You can also override these two methods:
+
+```rb
+plugin :rodauth do
+  # ...
+  password_pwned? { |password| ... }
+  pwned_count { |password| ... }
+end
+```
+
+## Development
+
+Run tests with Rake:
+
+```sh
+$ bundle exec rake test
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/janko/rodauth-pwned. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/janko/rodauth-pwned/blob/master/CODE_OF_CONDUCT.md).
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the Rodauth::Pwned project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/janko/rodauth-pwned/blob/master/CODE_OF_CONDUCT.md).
+
+[Rodauth]: https://github.com/jeremyevans/rodauth
+[Pwned Passwords API]: https://haveibeenpwned.com/Passwords
+[Pwned]: https://github.com/philnash/pwned

Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new do |t|
+  t.libs << "test"
+  t.test_files = FileList["test/**/*_test.rb"]
+  t.warning = false
+end
+
+task default: :test

lib/rodauth/features/pwned_password.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require "pwned"
+
+module Rodauth
+  Feature.define(:pwned_password, :PwnedPassword) do
+    depends :login_password_requirements_base
+
+    auth_value_method :password_allowed_pwned_count, 0
+    translatable_method :password_pwned_message, "this password has previously appeared in a data breach and should never be used"
+    auth_value_method :pwned_request_options, {}
+
+    auth_methods(
+      :password_pwned?,
+      :pwned_count,
+      :on_pwned_error,
+    )
+
+    def password_meets_requirements?(password)
+      super && password_not_pwned?(password)
+    end
+
+    def password_pwned?(password)
+      pwned_count(password) > password_allowed_pwned_count
+    rescue Pwned::Error => error
+      on_pwned_error(error)
+      nil
+    end
+
+    def pwned_count(password)
+      Pwned.pwned_count(password, pwned_request_options)
+    end
+
+    private
+
+    def password_not_pwned?(password)
+      return true unless password_pwned?(password)
+      @password_requirement_message = password_pwned_message
+      false
+    end
+
+    def on_pwned_error(error)
+      # nothing by default
+    end
+  end
+end

rodauth-pwned.gemspec

@@ -0,0 +1,28 @@
+Gem::Specification.new do |spec|
+  spec.name          = "rodauth-pwned"
+  spec.version       = "0.1.0"
+  spec.authors       = ["Janko Marohnić"]
+  spec.email         = ["janko.marohnic@gmail.com"]
+
+  spec.summary       = "Rodauth extension for checking whether a password had been exposed in a database breach according to https://haveibeenpwned.com."
+  spec.description   = "Rodauth extension for checking whether a password had been exposed in a database breach according to https://haveibeenpwned.com."
+  spec.homepage      = "https://github.com/janko/rodauth-pwned"
+  spec.license       = "MIT"
+
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = spec.homepage
+
+  spec.files         = Dir["README.md", "LICENSE.txt", "*.gemspec", "lib/**/*"]
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "rodauth", "~> 2.0"
+  spec.add_dependency "pwned", "~> 2.1"
+
+  spec.add_development_dependency "minitest"
+  spec.add_development_dependency "minitest-hooks"
+  spec.add_development_dependency "tilt"
+  spec.add_development_dependency "bcrypt"
+  spec.add_development_dependency "capybara"
+end