Make all the specs pass and add pwned gem

Gemfile

@@ -133,4 +133,5 @@ group :ui do
   gem 'site_prism'
 end
 
-gem "devise-security", "~> 0.18.0"
+gem 'devise-pwned_password', '~> 0.1.10'
+gem 'devise-security', '~> 0.18.0'

Gemfile.lock

@@ -135,6 +135,9 @@ GEM
       railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
+    devise-pwned_password (0.1.10)
+      devise (~> 4)
+      pwned (~> 2.0.0)
     devise-security (0.18.0)
       devise (>= 4.3.0)
     dibber (0.7.0)
@@ -341,6 +344,7 @@ GEM
     public_suffix (5.0.3)
     puma (6.4.0)
       nio4r (~> 2.0)
+    pwned (2.0.2)
     que (2.2.1)
     que-scheduler (4.4.0)
       activesupport (>= 5.0)
@@ -573,6 +577,7 @@ DEPENDENCIES
   cssbundling-rails
   debug
   devise
+  devise-pwned_password (~> 0.1.10)
   devise-security (~> 0.18.0)
   dibber
   dotenv-rails

app/helpers/content_helper.rb

@@ -93,6 +93,6 @@ def opt_in_out(type)
 
   # @yield [String]
   def password_complexity
-    t(:password_complexity, length: User.password_length.first)
+    t('password_complexity.html', length: User.password_length.first)
   end
 end

app/models/user.rb

@@ -26,7 +26,8 @@ def self.dashboard_headers
   attr_accessor :context
 
   devise :database_authenticatable, :registerable, :recoverable,
-         :validatable, :rememberable, :confirmable, :lockable, :timeoutable
+         :validatable, :rememberable, :confirmable, :lockable, :timeoutable, :secure_validatable
+  devise :pwned_password unless Rails.env.test?
 
   has_many :responses
   has_many :user_answers
@@ -362,7 +363,7 @@ def redact!
             last_name: 'User',
             email: "redacted_user#{id}@example.com",
             closed_at: Time.zone.now,
-            password: 'redacteduser')
+            password: 'RedactedUser12!@')
 
     notes.destroy_all
   end

app/views/user/edit_password.html.slim

@@ -10,7 +10,8 @@
         p.govuk-hint= password_complexity
 
         = f.govuk_password_field :current_password, autofocus: true, aria: { required: true }
-        = f.govuk_password_field :password, aria: { required: true }
+        = f.govuk_password_field :password, aria: { required: true } do
+          = t('password_hint.html')
         = f.govuk_password_field :password_confirmation, aria: { required: true }
 
       .govuk-button-group

config/initializers/devise_security.rb

@@ -24,7 +24,7 @@
 
   # enable email validation for :secure_validatable. (true, false, validation_options)
   # dependency: see https://github.com/devise-security/devise-security/blob/master/README.md#e-mail-validation
-  # config.email_validation = true
+  config.email_validation = false
 
   # captcha integration for recover form
   # config.captcha_for_recover = true

config/locales/devise.en.yml

@@ -18,7 +18,7 @@ en:
       already_authenticated: "You are already signed in."
       inactive: "Your account is not activated yet."
       invalid: |
-         Enter a valid email address and password. Your account will be locked after 5 unsuccessful attempts. We will email you instructions to unlock your account.
+        Enter a valid email address and password. Your account will be locked after 5 unsuccessful attempts. We will email you instructions to unlock your account.
       locked: "For security reasons your account has been locked for %{unlock_in} hours. For faster access we have sent you an email to reset your password."
       last_attempt: "You have one more attempt before your account is locked."
       not_found_in_database: |
@@ -27,7 +27,7 @@ en:
       unauthenticated: "You need to sign in or sign up before continuing."
       unconfirmed: "You have to confirm your email address before continuing."
     omniauth_callbacks:
-      failure: "Could not authenticate you from %{kind} because \"%{reason}\"."
+      failure: 'Could not authenticate you from %{kind} because "%{reason}".'
       success: "Successfully authenticated from %{kind} account."
     passwords:
       no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
@@ -63,3 +63,4 @@ en:
       not_saved:
         one: "1 error prohibited this %{resource} from being saved:"
         other: "%{count} errors prohibited this %{resource} from being saved:"
+      pwned_password: "Password has previously appeared in a data breach and should never be used.  Please choose a different password."

config/locales/en.yml

@@ -72,9 +72,6 @@ en:
             terms_and_conditions_agreed_at:
               blank: You must accept the terms and conditions and privacy policy to create an account.
 
-
-
-
   # Form Builder ---------------------------------------------------------------
 
   helpers:
@@ -96,7 +93,19 @@ en:
 
   phase_banner: This is a new service, your %{link} will help us improve it.
 
-  password_complexity: Your password must contain at least %{length} characters.
+  password_complexity:
+    html: |
+      <span class="tooltiptext">
+        <ul class="govuk-list" id="password-tooltip">
+          <li>Password fields should:<li>
+          <li>a) Be a minimum of %{length} characters long</li>
+          <li>b) Not contain a dictionary word of more than 4 characters</li>
+          <li>c) Contain at least two uppercase letters</li>
+          <li>d) Contain at least two lowercase letters</li>
+          <li>e) Contain at least two numbers</li>
+          <li>f) Contain at least two special characters or non-alphanumeric characters, such as: ! \" £ $ % & * @</li>
+        </ul>
+      </span>
 
   pagination:
     section: Section %{current} of %{total}
@@ -118,7 +127,7 @@ en:
 
   # Training Modules -----------------------------------------------------------
 
-  date_completed: 'Date completed: %{date}'
+  date_completed: "Date completed: %{date}"
 
   module_indicator:
     completed: completed
@@ -257,7 +266,6 @@ en:
 
       If you have not received the email after a few minutes, please check your spam folder.
 
-
   # Pages ----------------------------------------------------------------------
 
   # /my-learning
@@ -491,7 +499,6 @@ en:
     opt_in: Send me early years email updates
     opt_out: Do not send me early years email updates
 
-
   # /
   home:
     title: Home page
@@ -522,7 +529,6 @@ en:
 
       Sign in to continue learning, see your progress and download certificates.
 
-
   # /about-training
   about:
     title: About training
@@ -565,7 +571,7 @@ en:
   # /settings/cookie-policy
   cookie_policy:
     title: Cookie policy
-    legend : Do you want to accept analytics cookies?
+    legend: Do you want to accept analytics cookies?
     flash: You’ve set your cookie preferences. [Go back to Early years child development training](%{path}).
     body: |
       # Cookies

spec/controllers/user_controller_spec.rb

@@ -52,9 +52,9 @@
     context 'when successful' do
       let(:params) do
         {
-          password: 'NewPassword123',
-          confirm_password: 'NewPassword123',
-          current_password: 'StrongPassword123',
+          password: 'NewPassword12!@',
+          confirm_password: 'NewPassword12!@',
+          current_password: 'StrongPassword12!@',
         }
       end
 
@@ -70,8 +70,8 @@
     context 'when current password is wrong' do
       let(:params) do
         {
-          password: 'NewPassword123',
-          confirm_password: 'NewPassword123',
+          password: 'NewPassword12!@',
+          confirm_password: 'NewPassword12!@',
           current_password: 'wrongpassword',
         }
       end
@@ -90,7 +90,7 @@
         {
           password: '',
           confirm_password: '',
-          current_password: 'StrongPassword123',
+          current_password: 'StrongPassword12!@',
         }
       end
 

spec/models/user_spec.rb

@@ -154,7 +154,7 @@
       expect(user.first_name).to eq 'Redacted'
       expect(user.last_name).to eq 'User'
       expect(user.email).to eq "redacted_user#{user.id}@example.com"
-      expect(user.valid_password?('redacteduser')).to eq true
+      expect(user.valid_password?('RedactedUser12!@')).to eq true
       expect(user.closed_at).to be_within(30).of(Time.zone.now)
     end
   end

spec/system/registered_user/changing_password_spec.rb

@@ -3,13 +3,13 @@
 RSpec.describe 'Registered user changing password', type: :system do
   subject(:user) { create :user, :registered, created_at: 1.month.ago }
 
-  let(:password) { 'StrongPassword123' }
+  let(:password) { 'StrongPassword12!@' }
 
   include_context 'with user'
 
   before do
     visit '/my-account/edit-password'
-    fill_in 'Enter your current password', with: 'StrongPassword123'
+    fill_in 'Enter your current password', with: 'StrongPassword12!@'
     fill_in 'Create a new password', with: password
     fill_in 'Confirm password', with: password
   end
@@ -23,7 +23,7 @@
   end
 
   context 'when successful' do
-    let(:password) { '1NewPassword' }
+    let(:password) { '12!@NewPassword' }
     let(:today) { Time.zone.today.to_formatted_s(:rfc822) } # 18 May 2022
 
     it 'updates password' do

spec/system/registered_user/closing_account_spec.rb

@@ -120,7 +120,7 @@
         expect(user.last_name).to eq 'User'
         expect(user.email).to have_text 'redacted_user'
         expect(user.notes.count).to eq 0
-        expect(user.valid_password?('redacteduser')).to eq true
+        expect(user.valid_password?('RedactedUser12!@')).to eq true
       end
     end
   end