Skip to content

prevent use of common password using the haveibeenpwned password api #958

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Mar 6, 2025
Merged

prevent use of common password using the haveibeenpwned password api #958

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
c54b3fd
prevent use of common password using the haveibeenpwned password api
AdityaKirad Mar 6, 2025
963b990
made requested chages
AdityaKirad Mar 6, 2025
203592d
Update app/utils/auth.server.ts
AdityaKirad Mar 6, 2025
8c7723d
requested changes made
AdityaKirad Mar 6, 2025
ccbb669
Merge branch 'prevent-common-passowords' of https://github.com/Aditya…
AdityaKirad Mar 6, 2025
cc0348e
renamed the common-password to pwnedpasswords
AdityaKirad Mar 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions app/routes/_auth+/onboarding.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
import crypto from 'node:crypto'
import { getFormProps, getInputProps, useForm } from '@conform-to/react'
import { getZodConstraint, parseWithZod } from '@conform-to/zod'
import { data, redirect, Form, useSearchParams } from 'react-router'
Expand Down Expand Up @@ -72,6 +73,27 @@ export async function action({ request }: Route.ActionArgs) {
})
return
}
const hash = crypto
.createHash('sha1')
.update(data.password, 'utf8')
.digest('hex')
.toUpperCase()
const [prefix, suffix] = [hash.slice(0, 5), hash.slice(5)]
const res = await fetch(
`https://api.pwnedpasswords.com/range/${prefix}`,
)
if (!res.ok) throw new Error(`HTTP error! status: ${res.status}`)
const text = await res.text()
const matches = text
.split('/\r?\n/')
.filter((line) => line.includes(suffix))
if (matches.length) {
ctx.addIssue({
path: ['password'],
code: 'custom',
message: 'Password is too common',
})
}
}).transform(async (data) => {
if (intent !== null) return { ...data, session: null }

Expand Down
26 changes: 24 additions & 2 deletions app/routes/_auth+/reset-password.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
import crypto from 'node:crypto'
import { getFormProps, getInputProps, useForm } from '@conform-to/react'
import { getZodConstraint, parseWithZod } from '@conform-to/zod'
import { type SEOHandle } from '@nasa-gcn/remix-seo'
Expand Down Expand Up @@ -41,8 +42,29 @@ export async function loader({ request }: Route.LoaderArgs) {
export async function action({ request }: Route.ActionArgs) {
const resetPasswordUsername = await requireResetPasswordUsername(request)
const formData = await request.formData()
const submission = parseWithZod(formData, {
schema: ResetPasswordSchema,
const submission = await parseWithZod(formData, {
schema: ResetPasswordSchema.superRefine(async ({ password }, ctx) => {
const hash = crypto
.createHash('sha1')
.update(password, 'utf8')
.digest('hex')
.toUpperCase()
const [prefix, suffix] = [hash.slice(0, 5), hash.slice(5)]
const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`)
if (!res.ok) throw new Error(`HTTP error! status: ${res.status}`)
const data = await res.text()
const matches = data
.split('/\r?\n/')
.filter((line) => line.includes(suffix))
if (matches.length) {
ctx.addIssue({
path: ['password'],
code: 'custom',
message: 'Password is too common',
})
}
}),
async: true,
})
if (submission.status !== 'success') {
return data(
Expand Down