diff options
| author | John Olheiser <john.olheiser@gmail.com> | 2020-09-08 17:06:39 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-09-08 17:06:39 -0500 |
| commit | c6e4bc53aad371210f0cb670e36c57132087b230 (patch) | |
| tree | ef2eecef855a4257a22eb61aefd5439be23a770e /modules/password | |
| parent | bea343ce0997262e61c5d83812a270090896afbf (diff) | |
| download | gitea-c6e4bc53aad371210f0cb670e36c57132087b230.tar.gz gitea-c6e4bc53aad371210f0cb670e36c57132087b230.zip | |
Check passwords against HaveIBeenPwned (#12716)
* Implement pwn
Signed-off-by: jolheiser <john.olheiser@gmail.com>
* Update module
Signed-off-by: jolheiser <john.olheiser@gmail.com>
* Apply suggestions mrsdizzie
Co-authored-by: mrsdizzie <info@mrsdizzie.com>
* Add link to HIBP
Signed-off-by: jolheiser <john.olheiser@gmail.com>
* Add more details to admin command
Signed-off-by: jolheiser <john.olheiser@gmail.com>
* Add context to pwn
Signed-off-by: jolheiser <john.olheiser@gmail.com>
* Consistency and making some noise ;)
Signed-off-by: jolheiser <john.olheiser@gmail.com>
Co-authored-by: mrsdizzie <info@mrsdizzie.com>
Co-authored-by: zeripath <art27@cantab.net>
Diffstat (limited to 'modules/password')
| -rw-r--r-- | modules/password/password.go | 9 | ||||
| -rw-r--r-- | modules/password/pwn.go | 30 |
2 files changed, 37 insertions, 2 deletions
diff --git a/modules/password/password.go b/modules/password/password.go index 1c4b9c514a..e1f1f769ec 100644 --- a/modules/password/password.go +++ b/modules/password/password.go @@ -6,6 +6,7 @@ package password import ( "bytes" + goContext "context" "crypto/rand" "math/big" "strings" @@ -88,7 +89,7 @@ func IsComplexEnough(pwd string) bool { return true } -// Generate a random password +// Generate a random password func Generate(n int) (string, error) { NewComplexity() buffer := make([]byte, n) @@ -101,7 +102,11 @@ func Generate(n int) (string, error) { } buffer[j] = validChars[rnd.Int64()] } - if IsComplexEnough(string(buffer)) && string(buffer[0]) != " " && string(buffer[n-1]) != " " { + pwned, err := IsPwned(goContext.Background(), string(buffer)) + if err != nil { + return "", err + } + if IsComplexEnough(string(buffer)) && !pwned && string(buffer[0]) != " " && string(buffer[n-1]) != " " { return string(buffer), nil } } diff --git a/modules/password/pwn.go b/modules/password/pwn.go new file mode 100644 index 0000000000..938524e6de --- /dev/null +++ b/modules/password/pwn.go @@ -0,0 +1,30 @@ +// Copyright 2020 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package password + +import ( + "context" + + "code.gitea.io/gitea/modules/setting" + + "go.jolheiser.com/pwn" +) + +// IsPwned checks whether a password has been pwned +// NOTE: This func returns true if it encounters an error under the assumption that you ALWAYS want to check against +// HIBP, so not getting a response should block a password until it can be verified. +func IsPwned(ctx context.Context, password string) (bool, error) { + if !setting.PasswordCheckPwn { + return false, nil + } + + client := pwn.New(pwn.WithContext(ctx)) + count, err := client.CheckPassword(password, true) + if err != nil { + return true, err + } + + return count > 0, nil +} |