From cdcae82c4d3ee164e41d9f6b8c54568a70ca0f0e Mon Sep 17 00:00:00 2001
From: FireMasterK <20838718+FireMasterK@users.noreply.github.com>
Date: Mon, 6 Sep 2021 00:49:54 +0530
Subject: [PATCH] Check if passwords are compromised in HIBP.

---
 .../me/kavin/piped/utils/RequestUtils.java | 23 +++++++++++++++++++
 .../me/kavin/piped/utils/ResponseHelper.java | 19 +++++++++++++--
 .../resp/CompromisedPasswordResponse.java | 7 ++++++
 3 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 src/main/java/me/kavin/piped/utils/RequestUtils.java
 create mode 100644 src/main/java/me/kavin/piped/utils/resp/CompromisedPasswordResponse.java

diff --git a/src/main/java/me/kavin/piped/utils/RequestUtils.java b/src/main/java/me/kavin/piped/utils/RequestUtils.java
new file mode 100644
index 0000000..d52bb09
--- /dev/null
+++ b/src/main/java/me/kavin/piped/utils/RequestUtils.java
@@ -0,0 +1,23 @@
+package me.kavin.piped.utils;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse.BodyHandlers;
+
+import me.kavin.piped.consts.Constants;
+
+public class RequestUtils {
+
+ public static String sendGet(String url) throws IOException, InterruptedException, URISyntaxException {
+ return sendGet(url, Constants.USER_AGENT);
+ }
+
+ public static String sendGet(String url, String ua) throws IOException, InterruptedException, URISyntaxException {
+
+ HttpRequest request = HttpRequest.newBuilder(new URI(url)).GET().setHeader("User-Agent", ua).build();
+
+ return Constants.h2client.send(request, BodyHandlers.ofString()).body();
+ }
+}
diff --git a/src/main/java/me/kavin/piped/utils/ResponseHelper.java b/src/main/java/me/kavin/piped/utils/ResponseHelper.java
index 12c886a..958f6cf 100644
--- a/src/main/java/me/kavin/piped/utils/ResponseHelper.java
+++ b/src/main/java/me/kavin/piped/utils/ResponseHelper.java
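Review bot: `sendGet` returns the body regardless of HTTP status, so a 4xx/5xx error page from the remote is handed to callers as if it were the requested content; in this commit's only caller, the HIBP range lookup would then scan an error body and silently report "not compromised". Keep the response and check the status before returning, e.g. `HttpResponse<String> resp = Constants.h2client.send(request, BodyHandlers.ofString());` / `if (resp.statusCode() / 100 != 2) throw new IOException("GET " + url + " returned HTTP " + resp.statusCode());` / `return resp.body();` (this needs `java.net.http.HttpResponse` imported). The request also sets no per-request `.timeout(...)`; whether `Constants.h2client` configures a connect timeout is not visible here, and a connect timeout alone does not bound a slow response body, so a `timeout(Duration.ofSeconds(...))` on the builder would keep one slow upstream from pinning the calling handler.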
@@ -4,6 +4,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.http.HttpRequest;
 import java.net.http.HttpRequest.BodyPublishers;
@@ -26,6 +27,7 @@ import javax.persistence.criteria.CriteriaBuilder;
 import javax.persistence.criteria.CriteriaQuery;
 import javax.persistence.criteria.Root;
+import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.exception.ExceptionUtils;
@@ -88,6 +90,7 @@ import me.kavin.piped.utils.obj.search.SearchPlaylist;
 import me.kavin.piped.utils.resp.AcceptedResponse;
 import me.kavin.piped.utils.resp.AlreadyRegisteredResponse;
 import me.kavin.piped.utils.resp.AuthenticationFailureResponse;
+import me.kavin.piped.utils.resp.CompromisedPasswordResponse;
 import me.kavin.piped.utils.resp.IncorrectCredentialsResponse;
 import me.kavin.piped.utils.resp.InvalidRequestResponse;
 import me.kavin.piped.utils.resp.LoginResponse;
@@ -551,8 +554,8 @@ public class ResponseHelper {
 
 private static final Argon2PasswordEncoder argon2PasswordEncoder = new Argon2PasswordEncoder();
 
- public static final byte[] registerResponse(String user, String pass)
- throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
+ public static final byte[] registerResponse(String user, String pass) throws IOException, NoSuchAlgorithmException,
+ InvalidKeySpecException, InterruptedException, URISyntaxException {
 
 if (user == null || pass == null)
 return Constants.mapper.writeValueAsBytes(new InvalidRequestResponse());
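Review bot: The widened `throws` clause on `registerResponse` pushes `InterruptedException` and `URISyntaxException` out to every caller, and the diffstat shows no caller changed, so either the route layer already catches `Exception` broadly or this does not compile; worth confirming. `URISyntaxException` in particular can only come from the fixed HIBP URL built inside the method, so it signals a programming error rather than a condition a caller can act on — wrapping it in an `IllegalStateException` at the lookup site would keep the signature to exceptions callers can meaningfully handle. The body of `registerResponse` continues past the end of this hunk.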
@@ -571,6 +574,18 @@ public class ResponseHelper {
 return Constants.mapper.writeValueAsBytes(new AlreadyRegisteredResponse());
 }
 
+ {
+ String sha1Hash = DigestUtils.sha1Hex(pass).toUpperCase();
+ String prefix = sha1Hash.substring(0, 5);
+ String suffix = sha1Hash.substring(5);
+ String[] entries = RequestUtils
+ .sendGet("https://api.pwnedpasswords.com/range/" + prefix, "github.com/TeamPiped/Piped-Backend")
+ .split("\n");
+ for (String entry : entries)
+ if (StringUtils.substringBefore(entry, ":").equals(suffix))
+ return Constants.mapper.writeValueAsBytes(new CompromisedPasswordResponse());
+ }
+
 User newuser = new User(user, argon2PasswordEncoder.encode(pass), Collections.emptyList());
 
 s.save(newuser);
diff --git a/src/main/java/me/kavin/piped/utils/resp/CompromisedPasswordResponse.java b/src/main/java/me/kavin/piped/utils/resp/CompromisedPasswordResponse.java
new file mode 100644
index 0000000..3d6bae5
--- /dev/null
+++ b/src/main/java/me/kavin/piped/utils/resp/CompromisedPasswordResponse.java
@@ -0,0 +1,7 @@
+package me.kavin.piped.utils.resp;
+
+public class CompromisedPasswordResponse {
+
+ public String error = "The password you have entered has already been compromised.";
+
+}
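Review bot: A failure to reach api.pwnedpasswords.com (`sendGet` throws) now aborts every registration with an exception propagated out of `registerResponse`, so the commit makes the check fail-closed implicitly and ties sign-up availability to a third-party service without stating that choice anywhere. The lookup should catch `IOException` (and restore the interrupt flag on `InterruptedException`) and decide explicitly — skip the check and log, or return a dedicated error response — rather than leaving it to whatever the caller does with a generic exception; `toUpperCase()` should also take `Locale.ROOT` (needs `java.util.Locale`) since the comparison against the API's uppercase hex is case-sensitive. The anonymous `{ ... }` block is a natural private helper, and a comment stating that only the first five hex characters of the SHA-1 leave the server (the k-anonymity range scheme) would tell the next reader why the password itself is never sent. HIBP's range endpoint also honours an `Add-Padding: true` request header that hides the true response size from a network observer; `RequestUtils.sendGet` cannot set extra headers yet, so that is a follow-up. The enclosing `registerResponse` starts before this hunk and ends after it.
```java
        // replaces the anonymous { ... } block in registerResponse
        if (isPasswordCompromised(pass))
            return Constants.mapper.writeValueAsBytes(new CompromisedPasswordResponse());
        // … unchanged: user creation and save …

    /**
     * Checks the password against the HIBP Pwned Passwords range API using the
     * k-anonymity scheme: only the first five hex characters of the SHA-1 leave
     * this server; the remaining suffix is matched locally against the returned list.
     * A lookup failure is treated as "not compromised" (fail-open by choice) so that
     * a third-party outage does not block registration; the failure should be logged.
     */
    private static boolean isPasswordCompromised(String pass) {
        String sha1Hash = DigestUtils.sha1Hex(pass).toUpperCase(Locale.ROOT);
        String prefix = sha1Hash.substring(0, 5);
        String suffix = sha1Hash.substring(5);
        String[] entries;
        try {
            entries = RequestUtils
                    .sendGet("https://api.pwnedpasswords.com/range/" + prefix, "github.com/TeamPiped/Piped-Backend")
                    .split("\n");
        } catch (IOException | URISyntaxException e) {
            // TODO(review): route through the project's logger; fail-open is a deliberate choice
            return false;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return false;
        }
        for (String entry : entries)
            if (StringUtils.substringBefore(entry, ":").equals(suffix))
                return true;
        return false;
    }
```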