It would be useful to be able to configure the pwned_password checking feature to be disabled by default — this is what we would want in most tests, so that tests and user factory calls run faster — but to be able to enable them for certain feature tests that specifically need to test the flow/behavior for what should happen when a user does try to use, or already have, a pwned password.

I was thinking of adding a setting called pwned_password_check_enabled (to match pwned_password_check_on_sign_in), like:

Devise.pwned_password_check_enabled = false  # default true

This would be similar to PaperTrail.enabled, for example, and toggle the behavior on and off globally.

Then we'd just make the validation depend on that config, like:

  validate :not_pwned_password, if: :check_pwned_password?

check_pwned_password? could just delegate to Devise.pwned_password_check_enabled:

def check_pwned_password?
  Devise.pwned_password_check_enabled &&
    (Devise.activerecord51? ? :will_save_change_to_encrypted_password? : :encrypted_password_changed?)
end

Of course the docs would have to be updated, too. See PaperTrail's section on testing.

Does this sound good?

See also: #18, #27