Add count_threshold option

Fixes #3

Author: mjnaderi

README.md

@@ -34,7 +34,7 @@ AUTH_PASSWORD_VALIDATORS = [
 
 ## Validators
 
-### PwnedPasswordValidator(request_timeout=1.5)
+### PwnedPasswordValidator(request_timeout=1.5, count_threshold=1)
 
 This validator uses the [Pwned Passwords API] to check for compromised passwords.
 
@@ -54,8 +54,30 @@ AUTH_PASSWORD_VALIDATORS = [
 
 You can set the API request timeout with the `request_timeout` parameter (in seconds).
 
+You can set the `count_threshold` to reject a password if it appears more than
+a certain number of times in the Pwned Passwords data set.
+By default, this threshold is set to `1`.
+For instance, setting `count_threshold=2` means the password will be rejected
+if it appears in the data set at least twice.
+
+Example configuration:
+
+```python
+AUTH_PASSWORD_VALIDATORS = [
+    # ...
+    {
+      "NAME": "django_pwned.validators.PwnedPasswordValidator",
+      "OPTIONS": {
+        "request_timeout": 2,
+        "count_threshold": 5,
+      },
+    },
+    # ...
+]
+```
+
 If for any reason (connection issues, timeout, ...) the request to Pwned API fails,
-this validator skips checking password.
+this validator skips checking password and logs a message.
 
 ### GitHubLikePasswordValidator(min_length=8, safe_length=15)
 
@@ -64,7 +86,7 @@ Validates whether the password is at least:
 - 8 characters long, if it includes a number and a lowercase letter, or
 - 15 characters long with any combination of characters
 
-Based on Github's documentation about [creating a strong password].
+Based on GitHub's documentation about [creating a strong password].
 
 You may want to disable Django's `NumericPasswordValidator`
 and `MinimumLengthValidator` if you want to use

django_pwned/validators.py

@@ -20,8 +20,9 @@ class PwnedPasswordValidator:
     Password validator which checks Django's list of common passwords and the Pwned Passwords database.
     """
 
-    def __init__(self, request_timeout: float = 1.5):
+    def __init__(self, request_timeout: float = 1.5, count_threshold: int = 1):
         self.request_timeout = request_timeout
+        self.count_threshold = count_threshold
 
     def validate(self, password: str, user=None):
         # First, check Django's list of common passwords
@@ -35,7 +36,7 @@ def validate(self, password: str, user=None):
             log.warning("Skipped Pwned Passwords check due to error: %r", e)
             return
 
-        if count > 0:
+        if count >= self.count_threshold:
             raise ValidationError(
                 _("Password is in a list of passwords commonly used on other websites."),
                 code="password_pwned",

tests/test_pwned.py

@@ -42,7 +42,7 @@ def test_pwned_api__leaked_password():
                 "0BD86C0E684498894064E4AB86B9420CA0E:763",
                 "2019C3022C39C4E5FD5A92ECD102E87476D:3",
                 "3C56EAB73498B6A58EF5692C4E4937B4466:81",
-                "5565F95194F23408B0EA21A0D02C4EEA81D:2",
+                "5565F95194F23408B0EA21A0D02C4EEA81D:1",
                 "6E9AC9194DA65040917139BA238B3900354:2,103",
                 "BB48AB53E4E454BC487CA6400380C05D41A:5",
                 "D55A6ED26C1DE9350D40771822316CC4B29:3",
@@ -78,6 +78,36 @@ def test_pwned_api__strong_password():
     assert len(responses.calls) == 1
 
 
+@responses.activate
+def test_pwned_api__count_threshold():
+    leaked_password = r"pass-word"
+    leaked_password_hash = "43BEF3EAB34187D71D7E1D9CC307C5E7C07665A8"
+    responses.add(
+        responses.GET,
+        API_ENDPOINT.format(leaked_password_hash[:5]),
+        body="\n".join(
+            [
+                "0BD86C0E684498894064E4AB86B9420CA0E:763",
+                "3EAB34187D71D7E1D9CC307C5E7C07665A8:3",
+                "3C56EAB73498B6A58EF5692C4E4937B4466:81",
+                "5565F95194F23408B0EA21A0D02C4EEA81D:1",
+                "6E9AC9194DA65040917139BA238B3900354:2,103",
+                "BB48AB53E4E454BC487CA6400380C05D41A:5",
+                "D55A6ED26C1DE9350D40771822316CC4B29:3",
+            ]
+        ),
+    )
+    with pytest.raises(ValidationError):
+        PwnedPasswordValidator().validate(leaked_password)
+    with pytest.raises(ValidationError):
+        PwnedPasswordValidator(count_threshold=2).validate(leaked_password)
+    with pytest.raises(ValidationError):
+        PwnedPasswordValidator(count_threshold=3).validate(leaked_password)
+    PwnedPasswordValidator(count_threshold=4).validate(leaked_password)
+    PwnedPasswordValidator(count_threshold=5).validate(leaked_password)
+    assert len(responses.calls) == 5
+
+
 @responses.activate
 def test_pwned_api__connection_error():
     strong_password = r"SGz=L.%U\;Os$,k]%U2m"