fix(pwned-check): ZMS-264: Add feature to check password with PwnedPassword API on User Login (#864)

* implement PwnedPasswords check on each login

* cache pwnedpasswords API response and reuse the value

* refactor, move cache check and api request to separate function

* add pwnedpassword check function to tools.js

* tools.js and pwned password check in user-handler refactor, remove code repetitions

* refactor, improve code readability

* checkPwnedPasswordForUser add check for empty password

* user-handler improve pwned password cache logic, refactor, fix bug

* checkPwnedPasswordForUser use function with await as it is a promise, auth.js add passwordPwned to response and to the schema

* slightly optimize checkRes in checkPwnedPassword and make it more readable

* remove pwnedpasswords dependency, refactor users.js, checkPwnedPassword fix incorrect cast to number

* tools.checkPwnedPassword call in users.js - grab the correct data

* default.toml remove rudimentary comment

* on request timeout reject with an error object

* do not check for pwned password in cache on every login, check every two weeks

* when receiving userData also add lastPwnedCheck to projection

* remove redis cache, make pwnedpasswords api url configurable

* default.toml fix comments

* add user id when user has pwned passwords

Author: NickOvt

config/default.toml

@@ -24,6 +24,16 @@ processes = 1
 #secret="a secret cat"
 #cipher="aes192" # only for decrypting legacy values (if there are any)
 
+[pwned]
+# If enabled then on every login checks the user's passwords against PwnedPasswords API
+enabled = false # disabled by default
+type = "softfail"
+# hardfail -> Fail auth even is API is down or the password is Pwned
+# fail -> Fail auth only if the password is Pwned
+# softfail -> Auth succeeds even if password is Pwned but a flag is added to API response
+# none -> No check is conducted
+apiUrl = "" # url of the PwnedPasswords API. If not set then uses the public url, if set then you can use your own API that uses HIBP Passwords downloaded via official PwnedPasswordsDownloader
+
 [webauthn]
 rpId = "example.com"             # origin domain
 rpName = "WildDuck Email Server"

lib/api/auth.js

@@ -165,9 +165,12 @@ module.exports = (db, server, userHandler) => {
                             address: Joi.string().required().description('Default email address of authenticated User'),
                             scope: Joi.string().required().description('The scope this authentication is valid for'),
                             require2fa: Joi.array().items(Joi.string()).required().description('List of enabled 2FA mechanisms'),
-                            requirePasswordChange: booleanSchema.required().description('Indicates if account hassword has been reset and should be replaced'),
+                            requirePasswordChange: booleanSchema.required().description('Indicates if account password has been reset and should be replaced'),
                             token: Joi.string().description(
                                 'If access token was requested then this is the value to use as access token when making API requests on behalf of logged in user.'
+                            ),
+                            passwordPwned: booleanSchema.description(
+                                'Indicates whether account password has been found in the list of Pwned passwords and should be replaced'
                             )
                         }).$_setFlag('objectName', 'AuthenticateResponse')
                     }
@@ -257,6 +260,10 @@ module.exports = (db, server, userHandler) => {
                 requirePasswordChange: authData.requirePasswordChange
             };
 
+            if (authData.passwordPwned) {
+                authResponse.passwordPwned = authData.passwordPwned;
+            }
+
             if (result.value.token) {
                 try {
                     authResponse.token = await userHandler.generateAuthToken(authData.user);

lib/api/users.js

@@ -11,7 +11,6 @@ const BSON = require('bson');
 const consts = require('../consts');
 const roles = require('../roles');
 const imapTools = require('../../imap-core/lib/imap-tools');
-const pwnedpasswords = require('pwnedpasswords');
 const { nextPageCursorSchema, previousPageCursorSchema, sessSchema, sessIPSchema, booleanSchema, metaDataSchema, usernameSchema } = require('../schemas');
 const TaskHandler = require('../task-handler');
 const { publish, FORWARD_ADDED } = require('../events');
@@ -472,7 +471,7 @@ module.exports = (db, server, userHandler, settingsHandler) => {
 
             if (result.value.password && !result.value.hashedPassword && !result.value.allowUnsafe) {
                 try {
-                    let count = await pwnedpasswords(result.value.password);
+                    const { count } = await tools.checkPwnedPassword(result.value.password);
                     if (count) {
                         res.status(403);
                         return res.json({
@@ -1324,7 +1323,7 @@ module.exports = (db, server, userHandler, settingsHandler) => {
 
             if (values.password && !values.hashedPassword && !values.allowUnsafe) {
                 try {
-                    let count = await pwnedpasswords(values.password);
+                    const { count } = await tools.checkPwnedPassword(values.password);
                     if (count) {
                         res.status(403);
                         return res.json({

lib/tools.js

@@ -16,6 +16,7 @@ const ipaddr = require('ipaddr.js');
 const ObjectId = require('mongodb').ObjectId;
 const log = require('npmlog');
 const addressparser = require('nodemailer/lib/addressparser');
+const https = require('https');
 
 let templates = false;
 
@@ -597,6 +598,85 @@ function buildCertChain(cert, ca) {
         .join('\n');
 }
 
+function checkPwnedPassword(password, opts = {}) {
+    const PREFIX_LENGTH = 5;
+    const API_URL = opts.url || 'https://api.pwnedpasswords.com/range/';
+    const API_TIMEOUT = 1000;
+    const HTTP_STATUS_OK = 200;
+    const HTTP_STATUS_NOT_FOUND = 404;
+
+    function hash(password) {
+        const shasum = crypto.createHash('sha1');
+        shasum.update(password);
+        return shasum.digest('hex');
+    }
+
+    function get(hashedPasswordPrefix) {
+        const opts = {
+            timeout: API_TIMEOUT
+        };
+
+        return new Promise((resolve, reject) => {
+            const req = https
+                .get(API_URL + hashedPasswordPrefix, opts, res => {
+                    let data = '';
+
+                    // According to API spec, 404 is returned when no hash found, so it is a valid response.
+                    if (res.statusCode !== HTTP_STATUS_OK && res.statusCode !== HTTP_STATUS_NOT_FOUND) {
+                        return reject(new Error(`Failed to load pwnedpasswords API: ${res.statusCode}`));
+                    }
+
+                    res.on('data', chunk => {
+                        data += chunk;
+                    });
+
+                    res.on('end', () => {
+                        resolve(data);
+                    });
+
+                    return true;
+                })
+                .on('error', err => {
+                    reject(err);
+                })
+                .on('timeout', () => {
+                    req.destroy();
+                    reject(new Error('pwnedpassword API timeout'));
+                });
+        });
+    }
+
+    if (typeof password !== 'string') {
+        const err = new Error('Input password must be a string.');
+        return Promise.reject(err);
+    }
+
+    const hashedPassword = hash(password);
+    const hashedPasswordPrefix = hashedPassword.substring(0, PREFIX_LENGTH);
+    const hashedPasswordSuffix = hashedPassword.substring(PREFIX_LENGTH);
+
+    function checkRes(res) {
+        const count = Number(
+            res
+                .split('\n')
+                .map(line => line.split(':'))
+                .find(([suffix]) => suffix.toLowerCase() === hashedPasswordSuffix)?.[1] ?? 0
+        );
+
+        return { count, lines: res };
+    }
+
+    if (opts.cache) {
+        return checkRes(opts.cache);
+    }
+
+    return get(hashedPasswordPrefix)
+        .then(res => checkRes(res))
+        .catch(err => {
+            throw err;
+        });
+}
+
 function parseFilterQueryText(queryText) {
     if (!queryText || typeof queryText !== 'string') {
         return { andTerms: [], orTerms: [] };
@@ -697,6 +777,7 @@ module.exports = {
     roundTime,
     parsePemBundle,
     buildCertChain,
+    checkPwnedPassword,
     parseFilterQueryText,
     filterQueryTermMatches,
     extractQuotedPhrases,

lib/user-handler.js

@@ -504,7 +504,8 @@ class UserHandler {
                     webauthn: true,
                     disabled: true,
                     suspended: true,
-                    disabledScopes: true
+                    disabledScopes: true,
+                    lastPwnedCheck: true
                 },
                 maxTimeMS: consts.DB_MAX_TIME_USERS
             });
@@ -581,6 +582,75 @@ class UserHandler {
             return [false, false];
         }
 
+        let isPasswordPwned = false;
+        const twoWeeksMS = 14 * 24 * 60 * 60 * 1000;
+        if (
+            config.pwned &&
+            config.pwned.enabled &&
+            config.pwned.type &&
+            config.pwned.type !== 'none' &&
+            (!userData.lastPwnedCheck || new Date() - userData.lastPwnedCheck >= twoWeeksMS)
+        ) {
+            try {
+                const opts = {};
+                if (config.pwned.apiUrl) {
+                    opts.url = config.pwned.apiUrl;
+                }
+                isPasswordPwned = await this.checkPwnedPasswordForUser(password, opts);
+
+                await this.users.collection('users').updateOne(userQuery, { $set: { lastPwnedCheck: new Date() } });
+                // error can be ignored, in which case the value is not set and another pwned check will be conducted but it will be cashed
+
+                if (isPasswordPwned) {
+                    if (config.pwned.type === 'softfail') {
+                        this.loggelf({
+                            short_message: '[AUTHSOFTFAIL] ' + username,
+                            _error: 'Pwned password found',
+                            _auth_result: 'softfail',
+                            _user: userData._id,
+                            _username: username,
+                            _domain: userDomain,
+                            _scope: requiredScope,
+                            _ip: meta.ip,
+                            _sess: meta.sess
+                        });
+                    } else if (config.pwned.type === 'fail') {
+                        // Hard fail the Pwned password check
+                        this.loggelf({
+                            short_message: '[AUTHFAIL] ' + username,
+                            _error: 'Pwned password found',
+                            _auth_result: 'fail',
+                            _user: userData._id,
+                            _username: username,
+                            _domain: userDomain,
+                            _scope: requiredScope,
+                            _ip: meta.ip,
+                            _sess: meta.sess
+                        });
+
+                        return [false, false];
+                    }
+                }
+            } catch {
+                if (config.pwned.type === 'hardfail') {
+                    // do not ignore errors, hard fail auth
+                    this.loggelf({
+                        short_message: '[AUTHFAIL] ' + username,
+                        _error: 'Pwned password - API Error',
+                        _auth_result: 'fail',
+                        _user: userData._id,
+                        _username: username,
+                        _domain: userDomain,
+                        _scope: requiredScope,
+                        _ip: meta.ip,
+                        _sess: meta.sess
+                    });
+                    return [false, false];
+                }
+                // ignore errors, soft check only
+            }
+        }
+
         // make sure we use the primary domain if available
         userDomain = (userData.address || '').split('@').pop() || userDomain;
 
@@ -849,7 +919,7 @@ class UserHandler {
                     // ignore
                 }
 
-                let authResponse = {
+                const authResponse = {
                     user: userData._id,
                     username: userData.username,
                     scope: meta.requiredScope,
@@ -863,6 +933,10 @@ class UserHandler {
                     authResponse.enabled2fa = enabled2fa;
                 }
 
+                if (isPasswordPwned) {
+                    authResponse.passwordPwned = isPasswordPwned;
+                }
+
                 return await authSuccess(authResponse);
             }
 
@@ -1002,13 +1076,19 @@ class UserHandler {
                     // ignore
                 }
 
-                return await authSuccess({
+                const authResponse = {
                     user: userData._id,
                     username: userData.username,
                     scope: requiredScope,
                     asp: asp._id.toString(),
                     require2fa: false // application scope never requires 2FA
-                });
+                };
+
+                if (isPasswordPwned) {
+                    authResponse.passwordPwned = isPasswordPwned;
+                }
+
+                return await authSuccess(authResponse);
             }
 
             // no suitable password found
@@ -3871,6 +3951,20 @@ class UserHandler {
         let accessToken = crypto.randomBytes(20).toString('hex');
         return await this.setAuthToken(user, accessToken);
     }
+
+    async checkPwnedPasswordForUser(password, opts = {}) {
+        if (!password) {
+            return false;
+        }
+
+        const { count } = await tools.checkPwnedPassword(password, opts);
+
+        if (count) {
+            return true; // password pwned
+        }
+
+        return false; // password not pwned and no errors
+    }
 }
 
 function rateLimitResponse(res) {

package-lock.json

@@ -90,7 +90,6 @@
         "openpgp": "5.11.2",
         "pem-jwk": "2.0.0",
         "punycode.js": "2.3.1",
-        "pwnedpasswords": "1.0.6",
         "qrcode": "1.5.4",
         "restify": "11.1.0",
         "restify-cors-middleware2": "2.2.1",