Check passwords against HaveIBeenPwned (#12716)

* Implement pwn Signed-off-by: jolheiser <john.olheiser@gmail.com> * Update module Signed-off-by: jolheiser <john.olheiser@gmail.com> * Apply suggestions mrsdizzie Co-authored-by: mrsdizzie <info@mrsdizzie.com> * Add link to HIBP Signed-off-by: jolheiser <john.olheiser@gmail.com> * Add more details to admin command Signed-off-by: jolheiser <john.olheiser@gmail.com> * Add context to pwn Signed-off-by: jolheiser <john.olheiser@gmail.com> * Consistency and making some noise ;) Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: mrsdizzie <info@mrsdizzie.com> Co-authored-by: zeripath <art27@cantab.net>
2025-06-21 13:38:00 +02:00 · 2020-09-08 17:06:39 -05:00
parent bea343ce09
commit c6e4bc53aa
22 changed files with 309 additions and 8 deletions
--- a/routers/admin/users.go
+++ b/routers/admin/users.go
@ -108,6 +108,17 @@ func NewUserPost(ctx *context.Context, form auth.AdminCreateUserForm) {
 			ctx.RenderWithErr(password.BuildComplexityError(ctx), tplUserNew, &form)
 			return
 		}
+		pwned, err := password.IsPwned(ctx.Req.Context(), form.Password)
+		if pwned {
+			ctx.Data["Err_Password"] = true
+			errMsg := ctx.Tr("auth.password_pwned")
+			if err != nil {
+				log.Error(err.Error())
+				errMsg = ctx.Tr("auth.password_pwned_err")
+			}
+			ctx.RenderWithErr(errMsg, tplUserNew, &form)
+			return
+		}
 		u.MustChangePassword = form.MustChangePassword
 	}
 	if err := models.CreateUser(u); err != nil {
@ -224,6 +235,17 @@ func EditUserPost(ctx *context.Context, form auth.AdminEditUserForm) {
 			ctx.RenderWithErr(password.BuildComplexityError(ctx), tplUserEdit, &form)
 			return
 		}
+		pwned, err := password.IsPwned(ctx.Req.Context(), form.Password)
+		if pwned {
+			ctx.Data["Err_Password"] = true
+			errMsg := ctx.Tr("auth.password_pwned")
+			if err != nil {
+				log.Error(err.Error())
+				errMsg = ctx.Tr("auth.password_pwned_err")
+			}
+			ctx.RenderWithErr(errMsg, tplUserNew, &form)
+			return
+		}
 		if u.Salt, err = models.GetUserSalt(); err != nil {
 			ctx.ServerError("UpdateUser", err)
 			return
--- a/routers/api/v1/admin/user.go
+++ b/routers/api/v1/admin/user.go
@ -87,6 +87,15 @@ func CreateUser(ctx *context.APIContext, form api.CreateUserOption) {
 		ctx.Error(http.StatusBadRequest, "PasswordComplexity", err)
 		return
 	}
+	pwned, err := password.IsPwned(ctx.Req.Context(), form.Password)
+	if pwned {
+		if err != nil {
+			log.Error(err.Error())
+		}
+		ctx.Data["Err_Password"] = true
+		ctx.Error(http.StatusBadRequest, "PasswordPwned", errors.New("PasswordPwned"))
+		return
+	}
 	if err := models.CreateUser(u); err != nil {
 		if models.IsErrUserAlreadyExist(err) ||
 			models.IsErrEmailAlreadyUsed(err) ||
@ -151,7 +160,15 @@ func EditUser(ctx *context.APIContext, form api.EditUserOption) {
 			ctx.Error(http.StatusBadRequest, "PasswordComplexity", err)
 			return
 		}
-		var err error
+		pwned, err := password.IsPwned(ctx.Req.Context(), form.Password)
+		if pwned {
+			if err != nil {
+				log.Error(err.Error())
+			}
+			ctx.Data["Err_Password"] = true
+			ctx.Error(http.StatusBadRequest, "PasswordPwned", errors.New("PasswordPwned"))
+			return
+		}
 		if u.Salt, err = models.GetUserSalt(); err != nil {
 			ctx.Error(http.StatusInternalServerError, "UpdateUser", err)
 			return
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@ -1110,6 +1110,17 @@ func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterFo
 		ctx.RenderWithErr(password.BuildComplexityError(ctx), tplSignUp, &form)
 		return
 	}
+	pwned, err := password.IsPwned(ctx.Req.Context(), form.Password)
+	if pwned {
+		errMsg := ctx.Tr("auth.password_pwned")
+		if err != nil {
+			log.Error(err.Error())
+			errMsg = ctx.Tr("auth.password_pwned_err")
+		}
+		ctx.Data["Err_Password"] = true
+		ctx.RenderWithErr(errMsg, tplSignUp, &form)
+		return
+	}

 	u := &models.User{
 		Name:     form.UserName,
@ -1409,6 +1420,16 @@ func ResetPasswdPost(ctx *context.Context) {
 		ctx.Data["Err_Password"] = true
 		ctx.RenderWithErr(password.BuildComplexityError(ctx), tplResetPassword, nil)
 		return
+	} else if pwned, err := password.IsPwned(ctx.Req.Context(), passwd); pwned || err != nil {
+		errMsg := ctx.Tr("auth.password_pwned")
+		if err != nil {
+			log.Error(err.Error())
+			errMsg = ctx.Tr("auth.password_pwned_err")
+		}
+		ctx.Data["IsResetForm"] = true
+		ctx.Data["Err_Password"] = true
+		ctx.RenderWithErr(errMsg, tplResetPassword, nil)
+		return
 	}

 	// Handle two-factor
@ -1443,7 +1464,6 @@ func ResetPasswdPost(ctx *context.Context) {
 			}
 		}
 	}
-
 	var err error
 	if u.Rands, err = models.GetUserSalt(); err != nil {
 		ctx.ServerError("UpdateUser", err)
--- a/routers/user/setting/account.go
+++ b/routers/user/setting/account.go
@ -54,6 +54,13 @@ func AccountPost(ctx *context.Context, form auth.ChangePasswordForm) {
 		ctx.Flash.Error(ctx.Tr("form.password_not_match"))
 	} else if !password.IsComplexEnough(form.Password) {
 		ctx.Flash.Error(password.BuildComplexityError(ctx))
+	} else if pwned, err := password.IsPwned(ctx.Req.Context(), form.Password); pwned || err != nil {
+		errMsg := ctx.Tr("auth.password_pwned")
+		if err != nil {
+			log.Error(err.Error())
+			errMsg = ctx.Tr("auth.password_pwned_err")
+		}
+		ctx.Flash.Error(errMsg)
 	} else {
 		var err error
 		if ctx.User.Salt, err = models.GetUserSalt(); err != nil {