Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Added ability to specify which passwords you want as weak passwords

  • Loading branch information...
commit a39a3337698ca42ab158dc3b4b08ea75039b8a89 1 parent 863de37
@mikel mikel authored
View
31 activemodel/lib/active_model/secure_password.rb
@@ -5,12 +5,10 @@ module ActiveModel
module SecurePassword
extend ActiveSupport::Concern
- WEAK_PASSWORDS = %w( password qwerty 123456 )
-
module ClassMethods
# Adds methods to set and authenticate against a BCrypt password.
# This mechanism requires you to have a password_digest attribute.
- #
+ #
# Validations for presence of password, confirmation of password (using a "password_confirmation" attribute),
# and strength of password (at least 6 chars, not "password", etc) are automatically added.
# You can add more validations by hand if need be.
@@ -24,9 +22,9 @@ module ClassMethods
#
# user = User.new(:name => "david", :password => "secret", :password_confirmation => "nomatch")
# user.save # => false, password not long enough
- # user.password = "mUc3m00RsqyRe"
+ # user.password = "mUc3m00RsqyRe"
# user.save # => false, confirmation doesn't match
- # user.password_confirmation = "mUc3m00RsqyRe"
+ # user.password_confirmation = "mUc3m00RsqyRe"
# user.save # => true
# user.authenticate("notright") # => false
# user.authenticate("mUc3m00RsqyRe") # => user
@@ -42,6 +40,27 @@ def has_secure_password
validates_presence_of :password_digest
validate :password_must_be_strong
end
+
+ # Allows you to specify the set of weak passwords that will be validated against
+ # if you specify has_secure_password in your model.
+ #
+ # The default set of weak passwords are:
+ #
+ # class User < ActiveRecord::Base
+ # weak_passwords = %w( password qwerty 123456 mypass )

Defaults in the documentation of this method differs from defaults in the next method and the code.

@mikel Collaborator
mikel added a note

Thanks, fixed in #fa14df0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
+ # end
+ def weak_passwords=(*values)
+ @weak_passwords = values.flatten
+ end
+
+ # Returns the list of current weak passwords defined. Defaults to the standard
+ # list of 'password', 'qwerty' and '123456'
+ #
+ # User.weak_passwords #=> ['password', 'qwerty', '123456']
+ def weak_passwords
+ @weak_passwords ||= %w( password qwerty 123456 )
+ end
+
end
# Returns self if the password is correct, otherwise false.
@@ -64,7 +83,7 @@ def password=(unencrypted_password)
def password_must_be_strong
if password.present?
errors.add(:password, :too_short, :count => 7) unless password.size > 6
- errors.add(:password, :insecure) if WEAK_PASSWORDS.include?(password)
+ errors.add(:password, :insecure) if self.class.weak_passwords.include?(password)
end
end
end
View
42 activemodel/test/cases/secure_password_test.rb
@@ -2,37 +2,57 @@
require 'models/user'
class SecurePasswordTest < ActiveModel::TestCase
+
setup do
+ User.weak_passwords = %w( password qwerty 123456 )
@user = User.new
end
+ test "there should be a list of default weak passwords" do
+ assert_equal %w( password qwerty 123456 ), User.weak_passwords
+ end
+
+ test "specifying the list of passwords" do
+ User.weak_passwords = %w( pass )
+ assert_equal %w( pass ), User.weak_passwords
+ end
+
+ test "adding to the list of passwords" do
+ User.weak_passwords << 'pass'
+ @user.password = "password"
+ assert !@user.valid?
+
+ @user.password = "pass"
+ assert !@user.valid?
+ end
+
test "password must be present" do
assert !@user.valid?
assert_equal 1, @user.errors.size
end
-
+
test "password must match confirmation" do
@user.password = "thiswillberight"
@user.password_confirmation = "wrong"
-
+
assert !@user.valid?
-
+
@user.password_confirmation = "thiswillberight"
-
+
assert @user.valid?
end
-
+
test "password must pass validation rules" do
@user.password = "password"
assert !@user.valid?
-
+
@user.password = "short"
assert !@user.valid?
-
+
@user.password = "plentylongenough"
assert @user.valid?
end
-
+
test "too weak passwords" do
@user.password = "012345"
assert !@user.valid?
@@ -41,14 +61,14 @@ class SecurePasswordTest < ActiveModel::TestCase
@user.password = "password"
assert !@user.valid?
assert_equal ["is too weak and common"], @user.errors[:password]
-
+
@user.password = "d9034rfjlakj34RR$!!"
assert @user.valid?
end
-
+
test "authenticate" do
@user.password = "secret"
-
+
assert !@user.authenticate("wrong")
assert @user.authenticate("secret")
end
Please sign in to comment.
Something went wrong with that request. Please try again.