HCLarsen / devise-uncommon_password

Devise extension to prevent users from using a common password.
MIT License

Integrate with PwnedPasswords API #3

Closed michaelbanfield closed 6 years ago

michaelbanfield commented 6 years ago

I'm happy to create a PR for this, mainly checking if you are interested in the idea/think it makes sense for this gem.

I would like to add a configuration to uncommon_password to call

https://haveibeenpwned.com/API/v2#PwnedPasswords

This would be opt in, as people already using the gem may not want hashed user passwords being sent to a third party.
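Added example (not part of this thread or of either gem) of the k-anonymity range lookup the Pwned Passwords API supports, which addresses the concern above about sending hashed passwords to a third party: only the first five hex characters of the SHA-1 leave the client, and the suffix match happens locally. The module name, the injected `fetch_range` callable and the sample response body are assumptions constructed for the example; a real client would GET https://api.pwnedpasswords.com/range/<prefix> instead.

```ruby
require "digest"

# Added example, not the gem's code. Only a 5-char SHA-1 prefix is sent;
# the server returns every suffix in that range with a breach count and
# the comparison is done on the client.
module PwnedRange
  # Split the uppercase SHA-1 hex digest into the 5-char prefix that is
  # sent to the API and the 35-char suffix that never leaves the client.
  def self.split_hash(password)
    sha1 = Digest::SHA1.hexdigest(password).upcase
    [sha1[0, 5], sha1[5, 35]]
  end

  # Parse a range response ("SUFFIX:COUNT" per line) and return the breach
  # count for our suffix, or 0 when the suffix is not in the range.
  def self.count_in_range(body, suffix)
    body.each_line do |line|
      candidate, count = line.strip.split(":", 2)
      return count.to_i if candidate&.casecmp?(suffix)
    end
    0
  end

  # fetch_range is injected so the example runs offline; a real client
  # would perform the HTTPS GET for the prefix here (assumption).
  def self.pwned_count(password, fetch_range)
    prefix, suffix = split_hash(password)
    count_in_range(fetch_range.call(prefix), suffix)
  end
end

# Constructed sample response for prefix 5BAA6, the prefix of "password"
# (SHA-1 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). Counts are made up.
SAMPLE_RANGE = <<~BODY
  003D68EB55068C33ACE09247EE4C639306B:3
  1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
  011053FD0102E94D6AE2F8B83D76FAF94F6:1
BODY

# Validator-style predicate: reject once the password has been seen at
# least `threshold` times in the returned range.
def pwned_password?(password, threshold: 1, fetch_range: ->(_prefix) { SAMPLE_RANGE })
  PwnedRange.pwned_count(password, fetch_range) >= threshold
end
```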

HCLarsen commented 6 years ago

I like the idea, but I feel that it's out of the scope of this gem. The point of this gem is to block common passwords. Blocking "pwned passwords," as per this API, would be great, but would best be implemented in a different, yet albeit very similar gem. Perhaps a gem that could be called devise-pwned_password, thus providing a self-explanatory name.

michaelbanfield commented 6 years ago

Makes sense, thanks.

HCLarsen commented 6 years ago

No problem. If you want something like that, I'd be happy to build it as a separate gem, or if you want to do it yourself, I'd love to see it when it's done.

michaelbanfield commented 6 years ago

Sure,

I've put together a basic gem and tested it with my use case (ActiveAdmin).

https://github.com/michaelbanfield/devise-pwned_password

This is the first gem I've written so any feedback is welcome!

HCLarsen commented 6 years ago

The documentation is very good. Thank you for the mention in your Readme.