-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathpwnedpass.js
164 lines (130 loc) · 5.08 KB
/
pwnedpass.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
// module for checking passwords against a set of known exposed passwords
var PwnedPass = (function () {
//haveibeenpwned.com/Passwords
var apiURL = "https://api.pwnedpasswords.com/range/";
var GitHubSrc = "jpxor-pwnedpass.js";
// Calls to haveibeenpwned should be rate limited
var RateLimit = 2000; // ms
var throttle = throttler(RateLimit);
// A User-Agent HTTP header is required by haveibeenpwned
var UserAgent = GitHubSrc;
// httpGET used to call haveibeenpwned API
function httpGET(url, callback) {
var request = new XMLHttpRequest();
request.onreadystatechange = function () {
if (request.readyState == 4 && request.status == 200) {
callback(request.responseText);
}
}
request.open("GET", url, true);
request.setRequestHeader("User-Agent", UserAgent);
request.send(null);
}
// isValidSHA1 allows us to check whether a
// password input is plaintext or sha-1 hash.
function isValidSHA1(str) {
var regex = /[a-fA-F0-9]{40}/g;
return str.search(regex) >= 0;
}
// doSHA1 is used because we need the SHA-1 hash of a password
function doSHA1(plaintext) {
var buffer = new TextEncoder("utf-8").encode(plaintext);
return crypto.subtle.digest("SHA-1", buffer).then(function (hashbuffer) {
var hexCodes = [];
var padding = '00000000';
var view = new DataView(hashbuffer);
for (var i = 0; i < view.byteLength; i += 4) {
var value = view.getUint32(i);
var stringValue = value.toString(16);
var paddedValue = (padding + stringValue).slice(-padding.length);
hexCodes.push(paddedValue);
}
return hexCodes.join("");
});
}
// cleanInput parses the input types and provides a single params object
// in the format accepted by the doCheck function. A promise is used solely
// for the ability to write: "cleanInput(,).then(doCheck)".
function cleanInput(first, second) {
return new Promise(async function (resolve, error) {
var params = {}
if (!first || 'string' !== typeof first) {
error("must provide password or SHA-1 hash as first parameter");
return;
}
if (!second) {
error("must provide callbacks as the second parameter");
return;
}
if ('function' === typeof second) {
params.Pwned = second;
params.Clean = function () { };
} else {
params = second;
if (!params.Pwned) { params.Pwned = function (count) { console.log("This password is compromised, frequency: " + count); } }
if (!params.Clean) { params.Clean = function () { }; }
}
if (!isValidSHA1(first) || params.ForceHash) {
params.SHA1Hash = await Promise.resolve(doSHA1(first));
} else {
params.SHA1Hash = first;
}
resolve(params);
});
}
// doCheck calls the haveibeenpwned API and compares password hashes,
// A throttler is applied because calls to the haveibeenpwned API should
// be limited to one per 2 seconds.
function doCheck(params) {
throttle.apply(function () {
var first5 = params.SHA1Hash.substr(0, 5);
var remainder = params.SHA1Hash.substr(5).toUpperCase();
httpGET(apiURL + first5, function (response) {
var lines = response.split('\n');
for (var i = 0; i < lines.length; ++i) {
respSplit = lines[i].split(':');
respHash = respSplit[0];
if (respHash === remainder) {
params.Pwned(parseInt(respSplit[1]));
return;
}
}
params.Clean();
});
});
}
// exposed module functions
return {
setUserAgent: function (userAgent) {
UserAgent = userAgent + "-via-" + GitHubSrc;
},
check: function (password, callbacks) {
cleanInput(password, callbacks).then(doCheck).catch(console.error);
}
}
}());
//throttler module provided for rate limiting API calls
function throttler(period) {
return (function () {
var active = false
var lastrun = 0;
function sleep(ms) {
return new Promise(resolve => setTimeout(resolve, ms));
}
return {
apply: async function (targetfunc) {
if (active) {
return
} active = true;
var now = new Date().getTime();
var remainder = lastrun + period - now;
if (remainder > 0) {
await sleep(remainder);
}
targetfunc();
lastrun = new Date().getTime();
active = false;
}
}
}());
}