forked from forgejo/forgejo
Check passwords against HaveIBeenPwned (#12716)
* Implement pwn Signed-off-by: jolheiser <john.olheiser@gmail.com> * Update module Signed-off-by: jolheiser <john.olheiser@gmail.com> * Apply suggestions mrsdizzie Co-authored-by: mrsdizzie <info@mrsdizzie.com> * Add link to HIBP Signed-off-by: jolheiser <john.olheiser@gmail.com> * Add more details to admin command Signed-off-by: jolheiser <john.olheiser@gmail.com> * Add context to pwn Signed-off-by: jolheiser <john.olheiser@gmail.com> * Consistency and making some noise ;) Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: mrsdizzie <info@mrsdizzie.com> Co-authored-by: zeripath <art27@cantab.net>
This commit is contained in:
John Olheiser
GitHub
parent
bea343ce09
commit
c6e4bc53aa
22 changed files with 309 additions and 8 deletions
|
|
@ -6,6 +6,7 @@ package password
|
|||
|
||||
import (
|
||||
"bytes"
|
||||
goContext "context"
|
||||
"crypto/rand"
|
||||
"math/big"
|
||||
"strings"
|
||||
|
|
@ -88,7 +89,7 @@ func IsComplexEnough(pwd string) bool {
|
|||
return true
|
||||
}
|
||||
|
||||
// Generate a random password
|
||||
// Generate a random password
|
||||
func Generate(n int) (string, error) {
|
||||
NewComplexity()
|
||||
buffer := make([]byte, n)
|
||||
|
|
@ -101,7 +102,11 @@ func Generate(n int) (string, error) {
|
|||
}
|
||||
buffer[j] = validChars[rnd.Int64()]
|
||||
}
|
||||
if IsComplexEnough(string(buffer)) && string(buffer[0]) != " " && string(buffer[n-1]) != " " {
|
||||
pwned, err := IsPwned(goContext.Background(), string(buffer))
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if IsComplexEnough(string(buffer)) && !pwned && string(buffer[0]) != " " && string(buffer[n-1]) != " " {
|
||||
return string(buffer), nil
|
||||
}
|
||||
}
|
||||
|
|
|
|||
30
modules/password/pwn.go
Normal file
30
modules/password/pwn.go
Normal file
|
|
@ -0,0 +1,30 @@
|
|||
// Copyright 2020 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package password
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"code.gitea.io/gitea/modules/setting"
|
||||
|
||||
"go.jolheiser.com/pwn"
|
||||
)
|
||||
|
||||
// IsPwned checks whether a password has been pwned
|
||||
// NOTE: This func returns true if it encounters an error under the assumption that you ALWAYS want to check against
|
||||
// HIBP, so not getting a response should block a password until it can be verified.
|
||||
func IsPwned(ctx context.Context, password string) (bool, error) {
|
||||
if !setting.PasswordCheckPwn {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
client := pwn.New(pwn.WithContext(ctx))
|
||||
count, err := client.CheckPassword(password, true)
|
||||
if err != nil {
|
||||
return true, err
|
||||
}
|
||||
|
||||
return count > 0, nil
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue