@scicco
Created March 15, 2021 14:31
Devise - Check if existing user has weak passwords and force password change
```ruby
# Warden hook: runs after a user is set for the request, except on the session
# :fetch path, so it only fires on a real sign-in where the submitted password
# is still available in the request params.
Warden::Manager.after_set_user except: :fetch do |user, auth, opts|
  if user.class.respond_to?(:pwned_password_check_on_sign_in) && user.class.pwned_password_check_on_sign_in
    # Plaintext password from the sign-in form, e.g. params[:user][:password]
    password = auth.request.params.fetch(opts[:scope], {}).fetch(:password, nil)
    is_pwned = password && auth.authenticated?(opts[:scope]) && user.respond_to?(:password_pwned?) && user.password_pwned?(password)
    if is_pwned
      # If the model is Recoverable, email a reset link so the user can pick a new password
      if defined?(::Devise::Models::Recoverable) && user.respond_to?(:send_reset_password_instructions)
        user.send_reset_password_instructions
        message = :pwned_recoverable
      else
        message = :pwned
      end
      # Undo the sign-in and fail the request with the matching devise.failure message.
      # (Devise.sign_out_all_scopes is a config reader, not a sign-out call, so
      # auth.logout is what actually clears the session here.)
      scope = opts[:scope]
      auth.logout(scope)
      throw(:warden, scope: scope, message: message)
    end
  end
end
```
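The hook above relies on two things the model must provide: a `pwned_password_check_on_sign_in` class flag and a `password_pwned?(password)` instance method. The following is an added example (not code from the gist) of a minimal, self-contained implementation of both, using the Have I Been Pwned range API, which accepts only the first five hex characters of the password's SHA-1 so the full hash never leaves the server. The module and class names, the injected `fetcher:` argument and the `SAMPLE_RANGE_BODY` constant are assumptions made for this example; the sample body is constructed and its counts are made up.

```ruby
require "digest"
require "net/http"
require "uri"

# Added example: k-anonymity lookup against the HIBP Pwned Passwords range API.
module PwnedPasswordCheck
  RANGE_URL = "https://api.pwnedpasswords.com/range/"

  # Upper-cased SHA-1 hex digest split into the 5-char prefix that is sent
  # over the wire and the 35-char suffix that stays local.
  def self.split_digest(password)
    digest = Digest::SHA1.hexdigest(password).upcase
    [digest[0, 5], digest[5..-1]]
  end

  # Parse a range-API body ("SUFFIX:COUNT" per line) into {suffix => count}.
  # Zero-count lines (present when the Add-Padding header is used) are dropped.
  def self.parse_range(body)
    body.each_line.with_object({}) do |line, acc|
      suffix, count = line.strip.split(":", 2)
      next if suffix.nil? || count.nil?
      n = count.to_i
      acc[suffix.upcase] = n if n > 0
    end
  end

  # Default fetcher: GET the range for a prefix over HTTPS. Injected so the
  # check can run offline in the example below.
  def self.fetch_range(prefix)
    res = Net::HTTP.get_response(URI(RANGE_URL + prefix))
    raise "HIBP range request failed: #{res.code}" unless res.is_a?(Net::HTTPSuccess)
    res.body
  end

  # Number of breach occurrences of the password (0 = not found).
  def self.pwned_count(password, fetcher: method(:fetch_range))
    prefix, suffix = split_digest(password)
    parse_range(fetcher.call(prefix)).fetch(suffix, 0)
  end
end

# Model-side glue matching what the after_set_user hook calls. A plain Ruby
# class here; in an application this would be the Devise model (assumption).
class User
  class << self
    attr_accessor :pwned_password_check_on_sign_in
  end
  self.pwned_password_check_on_sign_in = true

  # Fails open on lookup errors: a transient HIBP outage must not lock every
  # user out at sign-in, but the skipped check is logged so it can be detected.
  def password_pwned?(password, fetcher: PwnedPasswordCheck.method(:fetch_range))
    PwnedPasswordCheck.pwned_count(password, fetcher: fetcher) > 0
  rescue StandardError => e
    warn "pwned password check skipped: #{e.class}: #{e.message}"
    false
  end
end

# Constructed sample of a range-API body for the prefix of SHA-1("password")
# (5BAA6); the real suffix is included, the counts are invented for the example.
SAMPLE_RANGE_BODY = <<~BODY
  1D72CD07550416C216D8AD296BF5C0AE8E0:10
  1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
  1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0
BODY

# Offline fetcher: answers only the sample prefix, empty otherwise.
OFFLINE_FETCHER = ->(prefix) { prefix == "5BAA6" ? SAMPLE_RANGE_BODY : "" }

if __FILE__ == $PROGRAM_NAME
  puts User.new.password_pwned?("password", fetcher: OFFLINE_FETCHER)
end
```

Only the five-character prefix reaches the remote service, so the lookup reveals nothing that identifies the actual password; the choice to fail open in `password_pwned?` is deliberate for a sign-in path, and the `warn` line is the signal to alert on if the check starts being skipped regularly.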
scicco commented Mar 15, 2021

Inside devise.en.yml put these two keys:

```yaml
en:
  devise:
    failure:
      #...
      pwned: "Your password has previously appeared in a data breach and should never be used. Please contact Support Team to get assistance"
      pwned_recoverable: "Your password has previously appeared in a data breach and should never be used. Check your Email to change your password"
      #...
```
