shield/src/Authentication/Passwords/PwnedValidator.php at 71d4bdd8a1cea01b319c6702b2edefb30de71b38 · michalsn/shield · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
<?php

declare(strict_types=1);

/**
 * This file is part of CodeIgniter Shield.
 *
 * (c) CodeIgniter Foundation <[email protected]>
 *
 * For the full copyright and license information, please view
 * the LICENSE file that was distributed with this source code.
 */

namespace CodeIgniter\Shield\Authentication\Passwords;

use CodeIgniter\Config\Services;
use CodeIgniter\HTTP\Exceptions\HTTPException;
use CodeIgniter\Shield\Authentication\AuthenticationException;
use CodeIgniter\Shield\Entities\User;
use CodeIgniter\Shield\Result;

/**
 * Class PwnedValidator
 *
 * Checks if the password has been compromised by checking against
 * an online database of over 555 million stolen passwords.
 *
 * @see https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
 *
 * NIST recommend to check passwords against those obtained from previous data breaches.
 * @see https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
 */
class PwnedValidator extends BaseValidator implements ValidatorInterface
{
    /**
     * Checks the password against the online database and
     * returns false if a match is found. Returns true if no match is found.
     * If true is returned the password will be passed to next validator.
     * If false is returned the validation process will be immediately stopped.
     *
     * @throws AuthenticationException
     */
    public function check(string $password, ?User $user = null): Result
    {
        $hashedPword = strtoupper(sha1($password));
        $rangeHash   = substr($hashedPword, 0, 5);
        $searchHash  = substr($hashedPword, 5);

        try {
            $client = Services::curlrequest([
                'base_uri' => 'https://api.pwnedpasswords.com/',
            ]);

            $response = $client->get(
                'range/' . $rangeHash,
                ['headers' => ['Accept' => 'text/plain']],
            );
        } catch (HTTPException $e) {
            $exception = AuthenticationException::forHIBPCurlFail($e);
            log_message('error', '[ERROR] {exception}', ['exception' => $exception]);

            throw $exception;
        }

        $range    = $response->getBody();
        $startPos = strpos((string) $range, $searchHash);
        if ($startPos === false) {
            return new Result([
                'success' => true,
            ]);
        }

        $startPos += 36; // right after the delimiter (:)
        $endPos = strpos((string) $range, "\r\n", $startPos);
        $hits   = $endPos !== false ? (int) substr((string) $range, $startPos, $endPos - $startPos) : (int) substr((string) $range, $startPos);

        $wording = $hits > 1 ? 'databases' : 'a database';

        return new Result([
            'success'   => false,
            'reason'    => lang('Auth.errorPasswordPwned', [$password, $hits, $wording]),
            'extraInfo' => lang('Auth.suggestPasswordPwned', [$password]),
        ]);
    }
}