|
| 1 | +# PwnedPasswords Integration |
| 2 | + |
| 3 | +Date: 2024-03-22 |
| 4 | + |
| 5 | +Status: accepted |
| 6 | + |
| 7 | +## Context |
| 8 | + |
| 9 | +Password security is a critical concern for web applications. While we already |
| 10 | +have strong password requirements (minimum length, complexity, etc.), we wanted |
| 11 | +to add an additional layer of security by checking if a password has been |
| 12 | +exposed in known data breaches using the HaveIBeenPwned Password API. |
| 13 | + |
| 14 | +However, we wanted to implement this in a way that: |
| 15 | + |
| 16 | +1. Doesn't block users if the service is unavailable |
| 17 | +2. Doesn't slow down the development experience |
| 18 | +3. Maintains security in production |
| 19 | + |
| 20 | +## Decision |
| 21 | + |
| 22 | +We will integrate the HaveIBeenPwned Password API with the following approach: |
| 23 | + |
| 24 | +1. **Progressive Enhancement** |
| 25 | + |
| 26 | + - The password check is implemented as a non-blocking enhancement |
| 27 | + - If the check fails or times out (>1s), we allow the password |
| 28 | + - This ensures users can still set passwords even if the service is |
| 29 | + unavailable |
| 30 | + |
| 31 | +2. **Development Experience** |
| 32 | + |
| 33 | + - The API calls are mocked during development and testing using MSW (Mock |
| 34 | + Service Worker) |
| 35 | + - This prevents unnecessary API calls during development |
| 36 | + - Allows for consistent testing behavior |
| 37 | + - Follows our pattern of mocking external services |
| 38 | + |
| 39 | +3. **Error Handling** |
| 40 | + |
| 41 | + - Timeout after 1 second to prevent blocking users |
| 42 | + - Graceful fallback if the service is unavailable |
| 43 | + - Warning logs for monitoring service health |
| 44 | + - No user-facing errors for service issues |
| 45 | + |
| 46 | +4. **Implementation Details** |
| 47 | + - Core logic centralized in `auth.server.ts` |
| 48 | + - Mock handlers in `tests/mocks/pwnedpasswords.ts` |
| 49 | + - Consistent with our existing auth patterns |
| 50 | + |
| 51 | +## Consequences |
| 52 | + |
| 53 | +This approach provides several benefits: |
| 54 | + |
| 55 | +1. **Security**: We get the benefits of checking against known compromised |
| 56 | + passwords without making it a hard requirement |
| 57 | +2. **Reliability**: Users can still use the application even if the service is |
| 58 | + down |
| 59 | +3. **Development**: Fast development experience with mocked responses |
| 60 | +4. **Testing**: Consistent test behavior with mocked responses |
| 61 | +5. **Monitoring**: Warning logs help track service health |
| 62 | + |
| 63 | +The main tradeoff is that we might occasionally allow passwords that have been |
| 64 | +compromised if the service is unavailable. However, this is an acceptable |
| 65 | +tradeoff given our other security measures and the importance of application |
| 66 | +availability. |
| 67 | + |
| 68 | +This implementation aligns with our principles of progressive enhancement and |
| 69 | +maintaining a great development experience while adding security features. |
0 commit comments