Added ability to specify which passwords you want as weak passwords

commit a39a3337698ca42ab158dc3b4b08ea75039b8a89 (1 parent: 863de37)
Mikel Lindsaar (mikel) authored

activemodel/lib/active_model/secure_password.rb (31 lines changed)
@@ -5,12 +5,10 @@ module ActiveModel
module SecurePassword
extend ActiveSupport::Concern
- WEAK_PASSWORDS = %w( password qwerty 123456 )
-
module ClassMethods
# Adds methods to set and authenticate against a BCrypt password.
# This mechanism requires you to have a password_digest attribute.
- #
+ #
# Validations for presence of password, confirmation of password (using a "password_confirmation" attribute),
# and strength of password (at least 6 chars, not "password", etc) are automatically added.
# You can add more validations by hand if need be.
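Review bot: dropping the public constant `WEAK_PASSWORDS` from `ActiveModel::SecurePassword` (hunk header `@@ -5,12 +5,10 @@`) is a breaking change for any application or plugin that referenced `ActiveModel::SecurePassword::WEAK_PASSWORDS`; consider keeping it as a frozen default, e.g. `WEAK_PASSWORDS = %w( password qwerty 123456 ).freeze`, and having the new class-level `weak_passwords` reader fall back to it, so the default list is defined in exactly one place. The doc comment edit in this hunk is whitespace only; while touching it, the phrase "at least 6 chars" should be checked against the actual rule in `password_must_be_strong`, which rejects anything with `password.size > 6` false, i.e. requires seven characters.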
@@ -24,9 +22,9 @@ module ClassMethods
#
# user = User.new(:name => "david", :password => "secret", :password_confirmation => "nomatch")
# user.save # => false, password not long enough
- # user.password = "mUc3m00RsqyRe"
+ # user.password = "mUc3m00RsqyRe"
# user.save # => false, confirmation doesn't match
- # user.password_confirmation = "mUc3m00RsqyRe"
+ # user.password_confirmation = "mUc3m00RsqyRe"
# user.save # => true
# user.authenticate("notright") # => false
# user.authenticate("mUc3m00RsqyRe") # => user
@@ -42,6 +40,27 @@ def has_secure_password
validates_presence_of :password_digest
validate :password_must_be_strong
end
+
+ # Allows you to specify the set of weak passwords that will be validated against
+ # if you specify has_secure_password in your model.
+ #
+ # The default set of weak passwords are:
+ #
+ # class User < ActiveRecord::Base
+ # weak_passwords = %w( password qwerty 123456 mypass )
+ # end
+ def weak_passwords=(*values)
+ @weak_passwords = values.flatten
+ end
+
+ # Returns the list of current weak passwords defined. Defaults to the standard
+ # list of 'password', 'qwerty' and '123456'
+ #
+ # User.weak_passwords #=> ['password', 'qwerty', '123456']
+ def weak_passwords
+ @weak_passwords ||= %w( password qwerty 123456 )
+ end
+
end
# Returns self if the password is correct, otherwise false.
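Review bot: the usage example in the new doc comment, `weak_passwords = %w( password qwerty 123456 mypass )` written inside a class body, assigns a Ruby local variable and never calls the `weak_passwords=` writer added below it; the example should read `self.weak_passwords = %w( password qwerty 123456 mypass )`. The same comment presents `mypass` as part of the default set, but the reader that follows defaults to `%w( password qwerty 123456 )`, so one of the two is wrong. Separately, the reader memoizes a mutable array literal in a class-level instance variable: `User.weak_passwords << 'pass'` (as the tests do) mutates that shared array for the rest of the process, and because class-level ivars are not inherited, a subclass of `User` silently falls back to the default list rather than the one configured on `User`; freezing the default and documenting that the list is per-class would avoid both surprises.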
@@ -64,7 +83,7 @@ def password=(unencrypted_password)
def password_must_be_strong
if password.present?
errors.add(:password, :too_short, :count => 7) unless password.size > 6
- errors.add(:password, :insecure) if WEAK_PASSWORDS.include?(password)
+ errors.add(:password, :insecure) if self.class.weak_passwords.include?(password)
end
end
end
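Review bot: `self.class.weak_passwords.include?(password)` is an exact, case-sensitive comparison, so `"Password"` or `"PASSWORD"` pass the weak-password check while `"password"` is rejected; if the intent is to block these well-known strings, compare a normalised form (for example `password.downcase`) against a list normalised the same way. Also visible in this hunk: `errors.add(:password, :too_short, :count => 7) unless password.size > 6` enforces a seven-character minimum, which disagrees with the "at least 6 chars" wording in the doc comment at the top of the module; align the text with the check.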
activemodel/test/cases/secure_password_test.rb (42 lines changed)
@@ -2,37 +2,57 @@
require 'models/user'
class SecurePasswordTest < ActiveModel::TestCase
+
setup do
+ User.weak_passwords = %w( password qwerty 123456 )
@user = User.new
end
+ test "there should be a list of default weak passwords" do
+ assert_equal %w( password qwerty 123456 ), User.weak_passwords
+ end
+
+ test "specifying the list of passwords" do
+ User.weak_passwords = %w( pass )
+ assert_equal %w( pass ), User.weak_passwords
+ end
+
+ test "adding to the list of passwords" do
+ User.weak_passwords << 'pass'
+ @user.password = "password"
+ assert !@user.valid?
+
+ @user.password = "pass"
+ assert !@user.valid?
+ end
+
test "password must be present" do
assert !@user.valid?
assert_equal 1, @user.errors.size
end
-
+
test "password must match confirmation" do
@user.password = "thiswillberight"
@user.password_confirmation = "wrong"
-
+
assert !@user.valid?
-
+
@user.password_confirmation = "thiswillberight"
-
+
assert @user.valid?
end
-
+
test "password must pass validation rules" do
@user.password = "password"
assert !@user.valid?
-
+
@user.password = "short"
assert !@user.valid?
-
+
@user.password = "plentylongenough"
assert @user.valid?
end
-
+
test "too weak passwords" do
@user.password = "012345"
assert !@user.valid?
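Review bot: `test "there should be a list of default weak passwords"` does not exercise the default at all: `setup` runs `User.weak_passwords = %w( password qwerty 123456 )` before every test, so the assertion checks the value just written, not the memoized fallback inside `weak_passwords`. Either reset the class-level state to nil in `setup` (via a test-only helper) and assert the default from a clean state, or drop the assignment from `setup` and have the tests that change the list restore it in a `teardown`. Note also that `test "adding to the list of passwords"` only stays isolated because `setup` replaces the array each run; without that assignment, `User.weak_passwords << 'pass'` would mutate the library's default list for every subsequent test.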
@@ -41,14 +61,14 @@ class SecurePasswordTest < ActiveModel::TestCase
@user.password = "password"
assert !@user.valid?
assert_equal ["is too weak and common"], @user.errors[:password]
-
+
@user.password = "d9034rfjlakj34RR$!!"
assert @user.valid?
end
-
+
test "authenticate" do
@user.password = "secret"
-
+
assert !@user.authenticate("wrong")
assert @user.authenticate("secret")
end
Daniel Rodríguez Troitiño:

Defaults in the documentation of this method differ from the defaults in the next method and the code.

Mikel Lindsaar:

Thanks, fixed in #fa14df0