Skip to content

Instantly share code, notes, and snippets.

@scicco

scicco/devise_pwned_passwords_hooks.rb

Created March 15, 2021 14:31
Show Gist options
  • Save scicco/df5d7811a6c662f8516c4fd5e757c299 to your computer and use it in GitHub Desktop.
Save scicco/df5d7811a6c662f8516c4fd5e757c299 to your computer and use it in GitHub Desktop.
Download ZIP
Devise - Check if existing user has weak passwords and force password change
Raw
devise_pwned_passwords_hooks.rb
Warden::Manager.after_set_user except: :fetch do |user, auth, opts|
if user.class.respond_to?(:pwned_password_check_on_sign_in) && user.class.pwned_password_check_on_sign_in
password = auth.request.params.fetch(opts[:scope], {}).fetch(:password, nil)
is_pwned = password && auth.authenticated?(opts[:scope]) && user.respond_to?(:password_pwned?) && user.password_pwned?(password)
if is_pwned
Devise.sign_out_all_scopes
if defined?(::Devise::Models::Recoverable) && user.respond_to?(:send_reset_password_instructions)
user.send_reset_password_instructions
message = :pwned_recoverable
else
message = :pwned
end
scope = opts[:scope]
auth.logout(scope)
throw(:warden, :scope => scope, :message => message)
end
end
end
@scicco
Copy link
Author

scicco commented Mar 15, 2021

Inside devise.en.yml put these two keys:

en:
  devise:
    failure:
      #...
      pwned: "Your password has previously appeared in a data breach and should never be used. Please contact Support Team to get assistance"
      pwned_recoverable: "Your password has previously appeared in a data breach and should never be used. Check your Email to change your password"
      #...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment