authorJohn Olheiser <john.olheiser@gmail.com>2020-09-08 17:06:39 -0500
committerGitHub <noreply@github.com>2020-09-08 17:06:39 -0500
commitc6e4bc53aad371210f0cb670e36c57132087b230 (patch)
treeef2eecef855a4257a22eb61aefd5439be23a770e /modules/password/pwn.go
parentbea343ce0997262e61c5d83812a270090896afbf (diff)
Check passwords against HaveIBeenPwned (#12716)
* Implement pwn Signed-off-by: jolheiser <john.olheiser@gmail.com> * Update module Signed-off-by: jolheiser <john.olheiser@gmail.com> * Apply suggestions mrsdizzie Co-authored-by: mrsdizzie <info@mrsdizzie.com> * Add link to HIBP Signed-off-by: jolheiser <john.olheiser@gmail.com> * Add more details to admin command Signed-off-by: jolheiser <john.olheiser@gmail.com> * Add context to pwn Signed-off-by: jolheiser <john.olheiser@gmail.com> * Consistency and making some noise ;) Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: mrsdizzie <info@mrsdizzie.com> Co-authored-by: zeripath <art27@cantab.net>
Diffstat (limited to 'modules/password/pwn.go')
-rw-r--r--modules/password/pwn.go30
1 files changed, 30 insertions, 0 deletions
diff --git a/modules/password/pwn.go b/modules/password/pwn.go
new file mode 100644
index 0000000000..938524e6de
--- /dev/null
+++ b/modules/password/pwn.go
@@ -0,0 +1,30 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package password
+
+import (
+ "context"
+
+ "code.gitea.io/gitea/modules/setting"
+
+ "go.jolheiser.com/pwn"
+)
+
+// IsPwned checks whether a password has been pwned
+// NOTE: This func returns true if it encounters an error under the assumption that you ALWAYS want to check against
+// HIBP, so not getting a response should block a password until it can be verified.
+func IsPwned(ctx context.Context, password string) (bool, error) {
+ if !setting.PasswordCheckPwn {
+ return false, nil
+ }
+
+ client := pwn.New(pwn.WithContext(ctx))
+ count, err := client.CheckPassword(password, true)
+ if err != nil {
+ return true, err
+ }
+
+ return count > 0, nil
+}
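Review bot: The bare `true` passed as the second argument in `count, err := client.CheckPassword(password, true)` is unexplained, and the doc comment above IsPwned does not say what that option does, so a reader cannot tell what the lookup sends or why; a short comment naming the option (or a named local such as `const padding = true` if that is what it controls) would make the call self-describing. Separately, the only bound on the remote lookup is the caller's ctx: a caller that passes `context.Background()` would block the password-change path indefinitely if the HIBP service hangs, unless the pwn library enforces its own deadline, which this hunk does not show. Wrapping ctx here with `context.WithTimeout` (and `defer cancel()`) before `pwn.New(pwn.WithContext(ctx))` would keep the fail-closed behaviour documented in the NOTE without letting a slow upstream stall the request. The doc comment could also state explicitly that callers must treat a non-nil err as "unverified" rather than as a transient condition to ignore, since the `true, err` return on L50 is only fail-closed if the caller honours the bool.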