
Added ability to specify which passwords you want as weak passwords

commit a39a3337698ca42ab158dc3b4b08ea75039b8a89 1 parent 863de37
Mikel Lindsaar authored December 19, 2010
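--- a/activemodel/lib/active_model/secure_password.rb
+++ b/activemodel/lib/active_model/secure_password.rb
@@ -5,12 +5,10 @@ module ActiveModel
   module SecurePassword
     extend ActiveSupport::Concern
 
-    WEAK_PASSWORDS = %w( password qwerty 123456 )
-
     module ClassMethods
       # Adds methods to set and authenticate against a BCrypt password.
       # This mechanism requires you to have a password_digest attribute.
-      # 
+      #
       # Validations for presence of password, confirmation of password (using a "password_confirmation" attribute),
       # and strength of password (at least 6 chars, not "password", etc) are automatically added.
       # You can add more validations by hand if need be.
@@ -24,9 +22,9 @@ module ClassMethods
       #
       #   user = User.new(:name => "david", :password => "secret", :password_confirmation => "nomatch")
       #   user.save                                                      # => false, password not long enough
-      #   user.password = "mUc3m00RsqyRe"                                
+      #   user.password = "mUc3m00RsqyRe"
       #   user.save                                                      # => false, confirmation doesn't match
-      #   user.password_confirmation = "mUc3m00RsqyRe"                   
+      #   user.password_confirmation = "mUc3m00RsqyRe"
       #   user.save                                                      # => true
       #   user.authenticate("notright")                                  # => false
       #   user.authenticate("mUc3m00RsqyRe")                             # => user
@@ -42,6 +40,27 @@ def has_secure_password
         validates_presence_of     :password_digest
         validate                  :password_must_be_strong
       end
+
+      # Allows you to specify the set of weak passwords that will be validated against
+      # if you specify has_secure_password in your model.
+      #
+      # The default set of weak passwords are:
+      #
+      #   class User < ActiveRecord::Base
+      #     weak_passwords = %w( password qwerty 123456 mypass )
+      #   end
+      def weak_passwords=(*values)
+        @weak_passwords = values.flatten
+      end
+
+      # Returns the list of current weak passwords defined.  Defaults to the standard
+      # list of 'password', 'qwerty' and '123456'
+      #
+      #   User.weak_passwords #=> ['password', 'qwerty', '123456']
+      def weak_passwords
+        @weak_passwords ||= %w( password qwerty 123456 )
+      end
+
     end
 
     # Returns self if the password is correct, otherwise false.
@@ -64,7 +83,7 @@ def password=(unencrypted_password)
     def password_must_be_strong
       if password.present?
         errors.add(:password, :too_short, :count => 7) unless password.size > 6
-        errors.add(:password, :insecure) if WEAK_PASSWORDS.include?(password)
+        errors.add(:password, :insecure) if self.class.weak_passwords.include?(password)
       end
     end
   end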
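Review bot: The usage example in the new `weak_passwords=` doc comment (hunk `@@ -42,6 +40,27 @@`) writes `weak_passwords = %w( ... )` inside a class body, which in Ruby creates a local variable and never calls the setter, so a model that copies the example silently keeps the default list while its author believes the list was tightened. The example line needs an explicit receiver: `#     self.weak_passwords = %w( ... )`. The getter memoizes the list in a class-level instance variable via `||=`, so a subclass of a model that configured its own list gets `nil` there and falls back to the default; that is worth a sentence in the getter's comment, e.g. `# The list is stored per class and is not inherited by subclasses; set it on each model that needs it.`. The memoized default is also a mutable Array that callers can grow with `<<` (as the new test does), which the comment could state so readers know the default itself is being modified. The definition of `has_secure_password` begins outside this hunk.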
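--- a/activemodel/test/cases/secure_password_test.rb
+++ b/activemodel/test/cases/secure_password_test.rb
@@ -2,37 +2,57 @@
 require 'models/user'
 
 class SecurePasswordTest < ActiveModel::TestCase
+
   setup do
+    User.weak_passwords = %w( password qwerty 123456 )
     @user = User.new
   end
 
+  test "there should be a list of default weak passwords" do
+    assert_equal %w( password qwerty 123456 ), User.weak_passwords
+  end
+
+  test "specifying the list of passwords" do
+    User.weak_passwords = %w( pass )
+    assert_equal %w( pass ), User.weak_passwords
+  end
+
+  test "adding to the list of passwords" do
+    User.weak_passwords << 'pass'
+    @user.password = "password"
+    assert !@user.valid?
+
+    @user.password = "pass"
+    assert !@user.valid?
+  end
+
   test "password must be present" do
     assert !@user.valid?
     assert_equal 1, @user.errors.size
   end
-  
+
   test "password must match confirmation" do
     @user.password = "thiswillberight"
     @user.password_confirmation = "wrong"
-    
+
     assert !@user.valid?
-    
+
     @user.password_confirmation = "thiswillberight"
-    
+
     assert @user.valid?
   end
-  
+
   test "password must pass validation rules" do
     @user.password = "password"
     assert !@user.valid?
-    
+
     @user.password = "short"
     assert !@user.valid?
-    
+
     @user.password = "plentylongenough"
     assert @user.valid?
   end
-  
+
   test "too weak passwords" do
     @user.password = "012345"
     assert !@user.valid?
@@ -41,14 +61,14 @@ class SecurePasswordTest < ActiveModel::TestCase
     @user.password = "password"
     assert !@user.valid?
     assert_equal ["is too weak and common"], @user.errors[:password]
-    
+
     @user.password = "d9034rfjlakj34RR$!!"
     assert @user.valid?
   end
-  
+
   test "authenticate" do
     @user.password = "secret"
-    
+
     assert !@user.authenticate("wrong")
     assert @user.authenticate("secret")
   end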
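Review bot: The new test "adding to the list of passwords" does not actually prove that appending to `User.weak_passwords` takes effect, because `"pass"` is four characters and already fails the length rule in `password_must_be_strong` (`password.size > 6`), so `assert !@user.valid?` would pass even if the `<<` had no effect. Use a value that clears the length check and pin the specific error: `User.weak_passwords << 'longerpass'`, `@user.password = "longerpass"`, `assert_equal ["is too weak and common"], @user.errors[:password]`. The setup block's `User.weak_passwords = %w( password qwerty 123456 )` is what keeps this `<<` from leaking into the other tests; a short comment on that setup line saying so would save the next reader from removing it.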


Daniel Rodríguez Troitiño

Defaults in the documentation of this method differ from the defaults in the next method and in the code.

Mikel Lindsaar

Thanks, fixed in #fa14df0
