Check passwords against HaveIBeenPwned (#12716)

* Implement pwn Signed-off-by: jolheiser <john.olheiser@gmail.com> * Update module Signed-off-by: jolheiser <john.olheiser@gmail.com> * Apply suggestions mrsdizzie Co-authored-by: mrsdizzie <info@mrsdizzie.com> * Add link to HIBP Signed-off-by: jolheiser <john.olheiser@gmail.com> * Add more details to admin command Signed-off-by: jolheiser <john.olheiser@gmail.com> * Add context to pwn Signed-off-by: jolheiser <john.olheiser@gmail.com> * Consistency and making some noise ;) Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: mrsdizzie <info@mrsdizzie.com> Co-authored-by: zeripath <art27@cantab.net>
2025-06-21 21:48:00 +02:00 · 2020-09-08 17:06:39 -05:00
parent bea343ce09
commit c6e4bc53aa
22 changed files with 309 additions and 8 deletions
--- a/modules/password/password.go
+++ b/modules/password/password.go
@ -6,6 +6,7 @@ package password

 import (
 	"bytes"
+	goContext "context"
 	"crypto/rand"
 	"math/big"
 	"strings"
@ -88,7 +89,7 @@ func IsComplexEnough(pwd string) bool {
 	return true
 }

-// Generate  a random password
+// Generate a random password
 func Generate(n int) (string, error) {
 	NewComplexity()
 	buffer := make([]byte, n)
@ -101,7 +102,11 @@ func Generate(n int) (string, error) {
 			}
 			buffer[j] = validChars[rnd.Int64()]
 		}
-		if IsComplexEnough(string(buffer)) && string(buffer[0]) != " " && string(buffer[n-1]) != " " {
+		pwned, err := IsPwned(goContext.Background(), string(buffer))
+		if err != nil {
+			return "", err
+		}
+		if IsComplexEnough(string(buffer)) && !pwned && string(buffer[0]) != " " && string(buffer[n-1]) != " " {
 			return string(buffer), nil
 		}
 	}
--- a/modules/password/pwn.go
+++ b/modules/password/pwn.go
@ -0,0 +1,30 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package password
+
+import (
+	"context"
+
+	"code.gitea.io/gitea/modules/setting"
+
+	"go.jolheiser.com/pwn"
+)
+
+// IsPwned checks whether a password has been pwned
+// NOTE: This func returns true if it encounters an error under the assumption that you ALWAYS want to check against
+// HIBP, so not getting a response should block a password until it can be verified.
+func IsPwned(ctx context.Context, password string) (bool, error) {
+	if !setting.PasswordCheckPwn {
+		return false, nil
+	}
+
+	client := pwn.New(pwn.WithContext(ctx))
+	count, err := client.CheckPassword(password, true)
+	if err != nil {
+		return true, err
+	}
+
+	return count > 0, nil
+}
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@ -146,6 +146,7 @@ var (
 	OnlyAllowPushIfGiteaEnvironmentSet bool
 	PasswordComplexity                 []string
 	PasswordHashAlgo                   string
+	PasswordCheckPwn                   bool

 	// UI settings
 	UI = struct {
@ -744,6 +745,7 @@ func NewContext() {
 	OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true)
 	PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("argon2")
 	CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
+	PasswordCheckPwn = sec.Key("PASSWORD_CHECK_PWN").MustBool(false)

 	InternalToken = loadInternalToken(sec)