Password validation using Unpwn

[matiaskorhonen]

Check if the password chosen by the user has already been compromised in a data breach.

This uses the Unpwn gem by Andre Arko as suggested in #2052. Unpwn 1.0 hasn't been published to RubyGems.org yet, so this shouldn't be merged before that happens…

Unpwn checks passwords locally against the top one million passwords, as provided by the nbp project. Then, it uses the haveibeenpwned API to check proposed passwords against the largest corpus of publicly dumped passwords in the world.

The Pwned Passwords API “implements a k-Anonymity model that allows a password to be searched for by partial hash”.

You can read more about the k-Anonymity model in Troy Hunt's blog post about it, but the gist of it is that it allows passwords to be checked for breaches without revealing the password to a third party.

If the API cannot be reached or it errors out, the pwned password check is bypassed and the password is presumed to be valid.

[indirect]

I should probably release this, shouldn't I. Ok, going over to do that...

[dwradcliffe]

Looks pretty good! Thanks for doing this!
What is the timeout for the remote http call? Can we configure it?
It would be neat to see a toxiproxy test to prove that a failed or slow api wouldn't impact our service, but I'm not sure how much work that would be.

[matiaskorhonen]

Unpwned doesn't currently pass options down to Pwned.pwned?, so currently the time is the default for read_timeout in Ruby, 60 seconds.

I agree that 60 seconds is way too long, so I think that should be fixed before this is merged. I'd argue that something around 3 to 5 seconds would be acceptable.

I've never used toxiproxy, so I don't really know how to go about adding a test using it…

[matiaskorhonen]

I created a PR on Unpwn to allow the timeout to be passed through: indirect/unpwn#2

[sonalkr132]

I've never used toxiproxy, so I don't really know how to go about adding a test using it…

It is not too much work, just add the service and call down on it in tests

[sonalkr132]

It is not too much work

Okay, it is not too much work if the server was on localhost. Not sure how would one go about it for external service, perhaps override it to resolve to localhost using /etc/hosts?

[simi]

@matiaskorhonen ping me if you need any help with Toxiproxy, I can help you if needed or I can contribute that requested test if needed.

[matiaskorhonen]

@simi If you could write that test, that'd be great

[matiaskorhonen]

Aside from the Toxiproxy test, PR is pretty much ready to merge.

I tried adding the Toxiproxy endpoint using the code below, but even after disabling certificate verification I only get 403's from the upstream. I suspect that the HTTP Host header or something is missing…

if (Rails.env.test? || Rails.env.development?) && Toxiproxy.running?
  port = 22_222
  Toxiproxy.populate(
    [
      {
        name: 'haveibeenpwned',
        listen: "127.0.0.1:#{port}",
        upstream: 'api.pwnedpasswords.com:443'
      }
    ]
  )

  Pwned::Password::API_URL = "https://127.0.0.1:#{port}/range/"
end

[matiaskorhonen]

Something seems to be wrong at Travis so the builds aren't working (operations are timing out while trying to setup the test environment).

[simi]

I have restarted the main build it looks ok now.

[matiaskorhonen]

Could this be merged?

[indirect]

Thanks so much for all your work on this!