Created repo

Author: scheibling

.github/workflows/release.yml

@@ -0,0 +1,33 @@
+name: goreleaser
+
+on:
+  pull_request:
+  push:
+    tags:
+      - "*"
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: "latest"
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      

.gitignore

@@ -0,0 +1,3 @@
+config.json
+.env
+dist/

.goreleaser.yaml

@@ -0,0 +1,46 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines below are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+version: 2
+
+builds:
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+      - darwin
+
+archives:
+  - format: tar.gz
+    # this name template makes the OS and Arch compatible with the results of `uname`.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+
+    # use zip for windows archives
+    format_overrides:
+      - goos: windows
+        format: zip
+    
+release:
+  extra_files:
+    - glob: email_template.html
+    - glob: config.example.json
+    - glob: README.md
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"

README.md

@@ -0,0 +1,90 @@
+# Have I Been Pwned Notifier
+Notifies users when their details have been in a data breach based on the HIBP API.
+
+## How it works
+1. Checks the HIBP API to see what the latest breach is
+2. If the breach is the one mentioned in the configuration file, exit
+3. If it is a new breach, get all breached users from the domains endpoint for all domains in the config
+4. Check if a user has been in a breach that is not in the "notifiedBreaches" list
+5. If they're in that list, send them an email with the new breach and a list of old breaches their account has been in as well
+
+## Configuration
+```json
+{
+  # Have I been Pwned API Key
+    "hibpApiKey": "",
+
+  # Domains to check for breaches
+  # All domains here have to be verified on the HIBP dashboard before usage
+    "domains": [
+        "domain.com"
+    ],
+
+  # The latest breach that the script has notified users about
+    "latestBreach": "VTech",
+
+  # Breaches that the script has already notified users about
+    "notifiedBreaches": [
+        "Spytech",
+        "Adobe",
+        "Badoo",
+        "Kickstarter",
+        "MyFitnessPal"
+    ],
+
+  # SMTP Settings
+    "smtp": {
+        "sender": "mailer@domain.com",
+        "host": "smtp.domain.com",
+        "port": 25,
+        "secure": false,
+        "starttls": true,
+        "user": "username",
+        "pass": "password"
+    },
+
+  # Ignore breaches of certain types
+  # To read more, visit https://haveibeenpwned.com/API/v3#BreachModel
+    "ignore": {
+        "unverified": false,
+        "fabricated": false,
+        "sensitive": false,
+        "retired": false,
+        "spamList": false,
+        "malware": false
+    },
+    
+    # Settings for colors and texts in the email sent to the users
+    # You can also provide your own custom email template. For substitutions, check below
+    "email": {
+        "colors": {
+            "background": "#ff8000",
+            "text": "#ffffff"
+        },
+        "subject": "Your account might have been compromised",
+        "body": {
+            "header": "Your account might have been compromised",
+            "texts": [
+                "In a recent scan, we found that your email address was mentioned in a recent breach of user information.",
+                "This does not necessarily mean that your password has been compromised, but for security reasons we do recommend that you change it.",
+                "For more information about the breach, click one of the links next to the relevant breaches below."
+            ],
+            "previous_breach_texts": [
+                "Your account has also been in previous, older breaches. You can find a complete list below."
+            ]
+        }
+    }
+}
+```
+
+
+## Email Template Substitutions
+| Placeholder | Description | Example | Value From |
+|-------------|-------------|---------|------------|
+| `{{text_color}}` | The color of the text in the email | `#ffffff` | config.json |
+| `{{bg_color}}` | The color of the background in the email | `#ff8000` | config.json |
+| `{{body_text}}` | The body text section from the configuration file | `In a recent scan, we found that your email address was mentioned in a recent breach of user information.` | config.json |
+| `{{previous_breaches_text}}` | The text that is shown before the list of previous breaches | `Your account has also been in previous, older breaches. You can find a complete list below.` | config.json |
+| `{{username}}` | The email of the user that was in the breach | `user@domain.com` | HIBP API |
+| `{{new_breach_rows}}` | The list of new breaches that the user was in | `<tr><td>BreachA</td><td>Link to BreachA</td></tr>` | HIBP API |
+| `{{previous_breaches_rows}}` | The list of previous breaches that the user was in | `<tr><td>BreachA</td><td>Link to BreachA</td></tr>` | HIBP API |

config.example.json

@@ -0,0 +1,53 @@
+{
+    "hibpApiKey": "",
+    "domains": [
+        "domain.com"
+    ],
+
+    "latestBreach": "VTech",
+    "notifiedBreaches": [
+        "Spytech",
+        "Adobe",
+        "Badoo",
+        "Kickstarter",
+        "MyFitnessPal"
+    ],
+
+    "smtp": {
+        "sender": "mailer@domain.com",
+        "host": "smtp.domain.com",
+        "port": 25,
+        "secure": false,
+        "starttls": true,
+        "user": "username",
+        "pass": "password"
+    },
+
+    "ignore": {
+        "unverified": false,
+        "fabricated": false,
+        "sensitive": false,
+        "retired": false,
+        "spamList": false,
+        "malware": false
+    },
+    
+    "email": {
+        "colors": {
+            "background": "#ff8000",
+            "text": "#ffffff"
+        },
+        "subject": "Your account might have been compromised",
+        "body": {
+            "header": "Your account might have been compromised",
+            "texts": [
+                "In a recent scan, we found that your email address was mentioned in a recent breach of user information.",
+                "This does not necessarily mean that your password has been compromised, but for security reasons we do recommend that you change it.",
+                "For more information about the breach, click one of the links next to the relevant breaches below."
+            ],
+            "previous_breach_texts": [
+                "Your account has also been in previous, older breaches. You can find a complete list below."
+            ]
+        }
+    }
+}

config.go

@@ -0,0 +1,70 @@
+package main
+
+import (
+	"encoding/json"
+	"os"
+)
+
+type SmtpConfig struct {
+	Sender   string `json:"sender"`
+	Host     string `json:"host"`
+	Port     int    `json:"port"`
+	User     string `json:"user"`
+	Pass     string `json:"pass"`
+	Secure   bool   `json:"secure"`
+	StartTLS bool   `json:"starttls"`
+}
+
+type IgnoreConfig struct {
+	Unverified bool `json:"unverified"`
+	Fabricated bool `json:"fabricated"`
+	Sensitive  bool `json:"sensitive"`
+	SpamList   bool `json:"spamList"`
+	Malware    bool `json:"malware"`
+	Retired    bool `json:"retired"`
+}
+
+type EmailConfig struct {
+	Colors struct {
+		Background string `json:"background"`
+		Text       string `json:"text"`
+	} `json:"colors"`
+
+	Subject string `json:"subject"`
+	Body    struct {
+		Header              string   `json:"header"`
+		Texts               []string `json:"texts"`
+		PreviousBreachTexts []string `json:"previous_breach_texts"`
+	} `json:"body"`
+}
+
+type Config struct {
+	ApiKey           string       `json:"hibpApiKey"`
+	Domains          []string     `json:"domains"`
+	LatestBreach     string       `json:"latestBreach"`
+	NotifiedBreaches []string     `json:"notifiedBreaches"`
+	Smtp             SmtpConfig   `json:"smtp"`
+	Ignore           IgnoreConfig `json:"ignore"`
+	Email            EmailConfig  `json:"email"`
+}
+
+func LoadConfig() (Config, error) {
+	config, err := os.ReadFile("config.json")
+	if err != nil {
+		return Config{}, err
+	}
+
+	var cfg Config
+	err = json.Unmarshal(config, &cfg)
+	return cfg, err
+}
+
+func SaveConfig(cfg Config) error {
+	config, err := json.MarshalIndent(cfg, "", "    ")
+	if err != nil {
+		return err
+	}
+
+	err = os.WriteFile("config.json", config, 0644)
+	return err
+}

domain_breaches.go

@@ -0,0 +1,59 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"strconv"
+	"time"
+)
+
+type DomainBreachesResponse map[string][]string
+
+func QueryDomainBreaches(domain string, config Config) (DomainBreachesResponse, error) {
+	req, err := http.NewRequest("GET", fmt.Sprintf("https://haveibeenpwned.com/api/v3/breacheddomain/%s", domain), nil)
+	if err != nil {
+		log.Fatal(err)
+		return DomainBreachesResponse{}, err
+	}
+
+	req.Header.Set("User-Agent", "HIBP Breach Alert")
+	req.Header.Set("hibp-api-key", config.ApiKey)
+
+	client := &http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		log.Fatal(err)
+		return DomainBreachesResponse{}, err
+	}
+
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		if resp.StatusCode != 429 {
+			log.Fatalf("Received status code %d", resp.StatusCode)
+			return DomainBreachesResponse{}, fmt.Errorf("Received status code %d", resp.StatusCode)
+		}
+
+		waitFor := resp.Header.Get("Retry-After")
+		log.Printf("Rate limited. Waiting for %s seconds", waitFor)
+		ival, err := strconv.ParseInt(waitFor, 10, 64)
+		if err != nil {
+			log.Fatal(err)
+			return DomainBreachesResponse{}, err
+		}
+		time.Sleep(time.Second * time.Duration(ival+10))
+
+		return QueryDomainBreaches(domain, config)
+	}
+
+	var domainBreachResponse DomainBreachesResponse
+
+	if err := json.NewDecoder(resp.Body).Decode(&domainBreachResponse); err != nil {
+		log.Fatal(err)
+		return DomainBreachesResponse{}, err
+	}
+
+	return domainBreachResponse, nil
+}