Check if passwords are compromised in HIBP.

This commit is contained in:
FireMasterK 2021-09-06 00:49:54 +05:30
parent 721f197bd8
commit cdcae82c4d
No known key found for this signature in database
GPG key ID: 49451E4482CC5BCD
3 changed files with 47 additions and 2 deletions


@ -0,0 +1,23 @@
package me.kavin.piped.utils;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse.BodyHandlers;
import me.kavin.piped.consts.Constants;
public class RequestUtils {
public static String sendGet(String url) throws IOException, InterruptedException, URISyntaxException {
return sendGet(url, Constants.USER_AGENT);
}
public static String sendGet(String url, String ua) throws IOException, InterruptedException, URISyntaxException {
HttpRequest request = HttpRequest.newBuilder(new URI(url)).GET().setHeader("User-Agent", ua).build();
return Constants.h2client.send(request, BodyHandlers.ofString()).body();
}
}
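Review bot: `sendGet` returns `body()` regardless of the HTTP status, so a 429 or 5xx from the server (the HIBP range endpoint is the only caller visible in this commit) is handed back as if it were data and the caller ends up scanning an error page. Check `statusCode()` before returning and throw an IOException otherwise; this needs `import java.net.http.HttpResponse;` next to the existing `BodyHandlers` import. A per-request `.timeout(Duration.ofSeconds(...))` on the builder is also worth adding unless `Constants.h2client` already sets one, which is not visible here. Both overloads are complete within this section.
```java
public static String sendGet(String url, String ua) throws IOException, InterruptedException, URISyntaxException {
    HttpRequest request = HttpRequest.newBuilder(new URI(url)).GET().setHeader("User-Agent", ua).build();
    HttpResponse<String> response = Constants.h2client.send(request, BodyHandlers.ofString());
    // Anything outside 2xx is a failure, not a body the caller should parse.
    if (response.statusCode() / 100 != 2)
        throw new IOException("GET " + url + " returned HTTP " + response.statusCode());
    return response.body();
}
```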


@ -4,6 +4,7 @@ import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.net.MalformedURLException; import java.net.MalformedURLException;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL; import java.net.URL;
import java.net.http.HttpRequest; import java.net.http.HttpRequest;
import java.net.http.HttpRequest.BodyPublishers; import java.net.http.HttpRequest.BodyPublishers;
@ -26,6 +27,7 @@ import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery; import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Root; import javax.persistence.criteria.Root;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.io.IOUtils; import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.exception.ExceptionUtils; import org.apache.commons.lang3.exception.ExceptionUtils;
@ -88,6 +90,7 @@ import me.kavin.piped.utils.obj.search.SearchPlaylist;
import me.kavin.piped.utils.resp.AcceptedResponse; import me.kavin.piped.utils.resp.AcceptedResponse;
import me.kavin.piped.utils.resp.AlreadyRegisteredResponse; import me.kavin.piped.utils.resp.AlreadyRegisteredResponse;
import me.kavin.piped.utils.resp.AuthenticationFailureResponse; import me.kavin.piped.utils.resp.AuthenticationFailureResponse;
import me.kavin.piped.utils.resp.CompromisedPasswordResponse;
import me.kavin.piped.utils.resp.IncorrectCredentialsResponse; import me.kavin.piped.utils.resp.IncorrectCredentialsResponse;
import me.kavin.piped.utils.resp.InvalidRequestResponse; import me.kavin.piped.utils.resp.InvalidRequestResponse;
import me.kavin.piped.utils.resp.LoginResponse; import me.kavin.piped.utils.resp.LoginResponse;
@ -551,8 +554,8 @@ public class ResponseHelper {
private static final Argon2PasswordEncoder argon2PasswordEncoder = new Argon2PasswordEncoder(); private static final Argon2PasswordEncoder argon2PasswordEncoder = new Argon2PasswordEncoder();
public static final byte[] registerResponse(String user, String pass) public static final byte[] registerResponse(String user, String pass) throws IOException, NoSuchAlgorithmException,
throws IOException, NoSuchAlgorithmException, InvalidKeySpecException { InvalidKeySpecException, InterruptedException, URISyntaxException {
if (user == null || pass == null) if (user == null || pass == null)
return Constants.mapper.writeValueAsBytes(new InvalidRequestResponse()); return Constants.mapper.writeValueAsBytes(new InvalidRequestResponse());
@ -571,6 +574,18 @@ public class ResponseHelper {
return Constants.mapper.writeValueAsBytes(new AlreadyRegisteredResponse()); return Constants.mapper.writeValueAsBytes(new AlreadyRegisteredResponse());
} }
{
String sha1Hash = DigestUtils.sha1Hex(pass).toUpperCase();
String prefix = sha1Hash.substring(0, 5);
String suffix = sha1Hash.substring(5);
String[] entries = RequestUtils
.sendGet("https://api.pwnedpasswords.com/range/" + prefix, "github.com/TeamPiped/Piped-Backend")
.split("\n");
for (String entry : entries)
if (StringUtils.substringBefore(entry, ":").equals(suffix))
return Constants.mapper.writeValueAsBytes(new CompromisedPasswordResponse());
}
User newuser = new User(user, argon2PasswordEncoder.encode(pass), Collections.emptyList()); User newuser = new User(user, argon2PasswordEncoder.encode(pass), Collections.emptyList());
s.save(newuser); s.save(newuser);
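Review bot: The HIBP lookup on the `RequestUtils.sendGet` lines turns every network failure toward api.pwnedpasswords.com into an IOException or InterruptedException escaping `registerResponse`, so account creation now depends on a third party being reachable and the failure mode is whatever the caller (outside this hunk) does with an unexpected checked exception. Decide the policy explicitly inside the block: catch both, re-interrupt on InterruptedException, and either skip the check (fail open, the usual choice for a breach screen) or return a dedicated error response (fail closed). The k-anonymity use is right, only the 5-character prefix leaves the server, and `substringBefore(entry, ":")` keeps the suffix comparison correct even though HIBP returns CRLF-terminated lines. If `s` is an open transaction at this point (its opening is outside the hunk), the outbound call also holds it open for the full round-trip, which moving the check ahead of the session use would avoid. `registerResponse` begins and ends outside this hunk.
```java
// … unchanged: null / duplicate-user checks …
{
    String sha1Hash = DigestUtils.sha1Hex(pass).toUpperCase();
    String prefix = sha1Hash.substring(0, 5);
    String suffix = sha1Hash.substring(5);
    String[] entries;
    try {
        entries = RequestUtils
                .sendGet("https://api.pwnedpasswords.com/range/" + prefix, "github.com/TeamPiped/Piped-Backend")
                .split("\n");
    } catch (IOException | InterruptedException e) {
        if (e instanceof InterruptedException)
            Thread.currentThread().interrupt();
        // HIBP unreachable: fail open and skip the screen. Return an explicit error
        // response here instead if registration should fail closed.
        entries = new String[0];
    }
    for (String entry : entries)
        if (StringUtils.substringBefore(entry, ":").equals(suffix))
            return Constants.mapper.writeValueAsBytes(new CompromisedPasswordResponse());
}
// … unchanged: user creation and save …
```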


@ -0,0 +1,7 @@
package me.kavin.piped.utils.resp;
public class CompromisedPasswordResponse {
public String error = "The password you have entered has already been compromised.";
}
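Review bot: `error` on `CompromisedPasswordResponse` is a public non-final field, so the message can be reassigned by any caller; declare it `public final String error = "...";` unless the sibling `*Response` classes, which are not visible here, deliberately keep it mutable. The text also tells the user neither why the password was rejected nor what to do next; if the frontend does not key on the exact wording, something like `"This password has appeared in a known data breach, please choose a different one."` is more actionable.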