Releases: michaelbanfield/devise-pwned_password
Expose pwned_count
Thanks for @barrywoolgar for contributing to this release.
This release exposes pwned_count, the number of times a password has been pwned, to the devise'd model. This allows surfacing this value in the UI, or making a more granular validation decision based on the amount of pwnage. The count has a default of 0 so it can be safely used without a nil check.
Pwned gem & simplified dependencies
Thanks to @philnash and @wjordan for contributing this release.
This release migrates common logic to the pwned gem. This should have no impact on the behaviour of the plugin.
Additionally, this release moves the explicit dependency on rails to a development dependency. This allows a broader range of clients to use the plugin, constrained by devise's rails support rather than by the plugin's own dependency.
Warn existing users on sign in
Thanks to @damonmorgan for contributing this new feature.
This release adds a new feature, hooking the pwned password check into the sign in path of an existing devise user. The readme has an example of how to use this to push a flash notification after sign in to warn users if they are using a password that previously appeared in a data breach.
You could also use this hook to redirect users to a change password page or similar.
This change is backwards compatible, so you can upgrade without changing existing behaviour.
Custom message & Bug Fixes
Thanks to @damonmorgan for contributing these features and fixes.
This release fixes two bugs:
- Catch some extra exceptions from Net::HTTP so we don't prevent users from signing up regardless of issues with the Pwned Passwords API
- Fix an issue where password might be nil when checking pwned passwords
Additionally two features are added:
- The ability to add a custom validation message when a password is found in a data breach
- Lower HTTP timeouts from the default 60 seconds to 5 seconds, preventing pwned passwords validation from slowing down or preventing user signup
Pwned Passwords V2
Thanks to @PatF for contributing this!
Pwned Passwords V2 brings some new features:
- a larger dataset
- a prefix-based API, removing the need to send full passwords to an external service
- a frequency for each password hash returned
- the removal of rate limiting! (previously a big limitation for a server side library like this)
More details here: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
This change is backwards compatible; however, there is one new optional config:
# Minimum number of times a pwned password must exist in the data set in order
# to be rejected.
config.min_password_matches = 10
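The following is an added example, not code from devise-pwned_password or the pwned gem, showing what the prefix-based (k-anonymity) lookup described above does on the client side and how a min_password_matches style threshold and the pwned_count value from the later release fit on top of it. Only the first five hex characters of the password's SHA-1 leave the client; the remaining 35 are matched locally against the returned "SUFFIX:COUNT" lines. The range endpoint is replaced by a constructed stand-in (fake_range_response, built from SAMPLE_BREACH_COUNTS, both invented here) so the block runs offline; the function names are assumptions, not the gem's API.

```ruby
require "digest"

# Constructed sample: which passwords the stand-in service "knows" and how
# many times each appeared in breaches. Not real Pwned Passwords data.
SAMPLE_BREACH_COUNTS = {
  "password" => 3_730_471,
  "letmein"  => 2_000,
}.freeze

# Split a password's uppercase hex SHA-1 into the 5-char prefix that is sent
# to the service and the 35-char suffix that never leaves the client.
def sha1_prefix_and_suffix(password)
  hex = Digest::SHA1.hexdigest(password).upcase
  [hex[0, 5], hex[5, 35]]
end

# Stand-in for the Pwned Passwords range endpoint (constructed, not the real
# service): given a 5-char prefix, return a body of "SUFFIX:COUNT" lines for
# every known hash sharing that prefix, plus one unrelated filler line so a
# non-matching suffix is always exercised by the parser.
def fake_range_response(prefix)
  lines = SAMPLE_BREACH_COUNTS.each_with_object([]) do |(pw, count), acc|
    p, s = sha1_prefix_and_suffix(pw)
    acc << "#{s}:#{count}" if p == prefix
  end
  lines << "#{'0' * 34}A:7" # constructed filler suffix
  lines.join("\r\n")
end

# Parse a range response and return the count for the given suffix.
# Returns 0 when the suffix is absent, matching the gem's default of 0.
def count_for_suffix(body, suffix)
  body.each_line do |line|
    s, count = line.strip.split(":", 2)
    return count.to_i if s && s.casecmp?(suffix)
  end
  0
end

# Full client-side lookup: the fetcher only ever receives the prefix.
def pwned_count(password, fetcher: method(:fake_range_response))
  prefix, suffix = sha1_prefix_and_suffix(password)
  count_for_suffix(fetcher.call(prefix), suffix)
end

# Threshold decision in the spirit of config.min_password_matches:
# reject only when the breach count reaches the configured minimum.
def pwned?(password, min_password_matches: 1, fetcher: method(:fake_range_response))
  pwned_count(password, fetcher: fetcher) >= min_password_matches
end

if __FILE__ == $PROGRAM_NAME
  %w[password letmein hunter2-but-unique].each do |pw|
    puts "#{pw.inspect}: count=#{pwned_count(pw)} rejected_at_10=#{pwned?(pw, min_password_matches: 10)}"
  end
end
```

Swapping fetcher: for a real HTTP call against the range endpoint keeps the same contract: the only request parameter is the 5-character prefix, so a lower count threshold changes the validation decision without changing what is sent over the network.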