Check passwords against HaveIBeenPwned (#12716)

* Implement pwn

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Update module

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Apply suggestions mrsdizzie

Co-authored-by: mrsdizzie <info@mrsdizzie.com>

* Add link to HIBP

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Add more details to admin command

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Add context to pwn

Signed-off-by: jolheiser <john.olheiser@gmail.com>

* Consistency and making some noise ;)

Signed-off-by: jolheiser <john.olheiser@gmail.com>

Co-authored-by: mrsdizzie <info@mrsdizzie.com>
Co-authored-by: zeripath <art27@cantab.net>

1 files changed, 8 insertions, 0 deletions

diff --git a/cmd/admin.go b/cmd/admin.go
index a049f7f2cf..9f81f5284d 100644
--- a/cmd/admin.go
+++ b/cmd/admin.go
@@ -6,6 +6,7 @@
 package cmd
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"os"
@@ -265,6 +266,13 @@ func runChangePassword(c *cli.Context) error {
 	if !pwd.IsComplexEnough(c.String("password")) {
 		return errors.New("Password does not meet complexity requirements")
 	}
+	pwned, err := pwd.IsPwned(context.Background(), c.String("password"))
+	if err != nil {
+		return err
+	}
+	if pwned {
+		return errors.New("The password you chose is on a list of stolen passwords previously exposed in public data breaches. Please try again with a different password.\nFor more details, see https://haveibeenpwned.com/Passwords")
+	}
 	uname := c.String("username")
 	user, err := models.GetUserByName(uname)
 	if err != nil {