Added ability to specify which passwords you want as weak passwords

2010-12-19 20:39:54 +11:00 · 2010-12-19 20:39:54 +11:00 · a39a333769
parent 863de37b05
commit a39a333769
2 changed files with 56 additions and 17 deletions
--- a/activemodel/lib/active_model/secure_password.rb
+++ b/activemodel/lib/active_model/secure_password.rb
@ -5,12 +5,10 @@ module ActiveModel
  module SecurePassword
    extend ActiveSupport::Concern

-    WEAK_PASSWORDS = %w( password qwerty 123456 )
-
    module ClassMethods
      # Adds methods to set and authenticate against a BCrypt password.
      # This mechanism requires you to have a password_digest attribute.
-      # 
+      #
      # Validations for presence of password, confirmation of password (using a "password_confirmation" attribute),
      # and strength of password (at least 6 chars, not "password", etc) are automatically added.
      # You can add more validations by hand if need be.
@ -24,9 +22,9 @@ module ActiveModel
      #
      #   user = User.new(:name => "david", :password => "secret", :password_confirmation => "nomatch")
      #   user.save                                                      # => false, password not long enough
-      #   user.password = "mUc3m00RsqyRe"                                
+      #   user.password = "mUc3m00RsqyRe"
      #   user.save                                                      # => false, confirmation doesn't match
-      #   user.password_confirmation = "mUc3m00RsqyRe"                   
+      #   user.password_confirmation = "mUc3m00RsqyRe"
      #   user.save                                                      # => true
      #   user.authenticate("notright")                                  # => false
      #   user.authenticate("mUc3m00RsqyRe")                             # => user
@ -42,6 +40,27 @@ module ActiveModel
        validates_presence_of     :password_digest
        validate                  :password_must_be_strong
      end
+
+      # Allows you to specify the set of weak passwords that will be validated against
+      # if you specify has_secure_password in your model.
+      #
+      # The default set of weak passwords are:
+      #
+      #   class User < ActiveRecord::Base
+      #     weak_passwords = %w( password qwerty 123456 mypass )
+      #   end
+      def weak_passwords=(*values)
+        @weak_passwords = values.flatten
+      end
+
+      # Returns the list of current weak passwords defined.  Defaults to the standard
+      # list of 'password', 'qwerty' and '123456'
+      #
+      #   User.weak_passwords #=> ['password', 'qwerty', '123456']
+      def weak_passwords
+        @weak_passwords ||= %w( password qwerty 123456 )
+      end
+
    end

    # Returns self if the password is correct, otherwise false.
@ -64,7 +83,7 @@ module ActiveModel
    def password_must_be_strong
      if password.present?
        errors.add(:password, :too_short, :count => 7) unless password.size > 6
-        errors.add(:password, :insecure) if WEAK_PASSWORDS.include?(password)
+        errors.add(:password, :insecure) if self.class.weak_passwords.include?(password)
      end
    end
  end
--- a/activemodel/test/cases/secure_password_test.rb
+++ b/activemodel/test/cases/secure_password_test.rb
@ -2,37 +2,57 @@ require 'cases/helper'
 require 'models/user'

 class SecurePasswordTest < ActiveModel::TestCase
+
  setup do
+    User.weak_passwords = %w( password qwerty 123456 )
    @user = User.new
  end

+  test "there should be a list of default weak passwords" do
+    assert_equal %w( password qwerty 123456 ), User.weak_passwords
+  end
+
+  test "specifying the list of passwords" do
+    User.weak_passwords = %w( pass )
+    assert_equal %w( pass ), User.weak_passwords
+  end
+
+  test "adding to the list of passwords" do
+    User.weak_passwords << 'pass'
+    @user.password = "password"
+    assert !@user.valid?
+
+    @user.password = "pass"
+    assert !@user.valid?
+  end
+
  test "password must be present" do
    assert !@user.valid?
    assert_equal 1, @user.errors.size
  end
-  
+
  test "password must match confirmation" do
    @user.password = "thiswillberight"
    @user.password_confirmation = "wrong"
-    
+
    assert !@user.valid?
-    
+
    @user.password_confirmation = "thiswillberight"
-    
+
    assert @user.valid?
  end
-  
+
  test "password must pass validation rules" do
    @user.password = "password"
    assert !@user.valid?
-    
+
    @user.password = "short"
    assert !@user.valid?
-    
+
    @user.password = "plentylongenough"
    assert @user.valid?
  end
-  
+
  test "too weak passwords" do
    @user.password = "012345"
    assert !@user.valid?
@ -41,14 +61,14 @@ class SecurePasswordTest < ActiveModel::TestCase
    @user.password = "password"
    assert !@user.valid?
    assert_equal ["is too weak and common"], @user.errors[:password]
-    
+
    @user.password = "d9034rfjlakj34RR$!!"
    assert @user.valid?
  end
-  
+
  test "authenticate" do
    @user.password = "secret"
-    
+
    assert !@user.authenticate("wrong")
    assert @user.authenticate("secret")
  end