
235 lines
7.9 KiB
Raw Normal View History

2018-03-18 17:37:36 +01:00
* KeeWeb plugin: haveibeenpwned
* @author Olivier LEVILLAIN
* @license MIT
const Logger = require('util/logger').Logger;
2018-03-25 13:51:50 +02:00
// change log level here.
const LogLevel = Logger.Level.Info;
const DetailsView = require('views/details/details-view').DetailsView;
const InputFx = require('util/ui/input-fx').InputFx;
const Kdbxweb = require('kdbxweb');
const utilFn = require('util/fn');
const Tip = require('util/ui/tip').Tip;
2018-03-19 22:03:13 +01:00
const detailsViewFieldChanged = DetailsView.prototype.fieldChanged;
2018-03-18 17:37:36 +01:00
let _seen = [];
2018-03-18 17:37:36 +01:00
class HIBPUtils {
constructor() {
_seen = [];
this.checkPwnedPwd = true;
this.checkPwnedName = true;
this.blockPwnedPwd = false;
this.blockPwnedName = false;
this.logger = new Logger('HaveIBeenPwned');
2019-08-18 11:06:46 +02:00
2018-03-18 17:37:36 +01:00
replacer(key, value) {
if (value != null && typeof value === 'object') {
if (_seen.indexOf(value) >= 0) {
2018-03-18 17:37:36 +01:00
2018-03-18 17:37:36 +01:00
return value;
2019-08-18 11:06:46 +02:00
2018-03-18 17:37:36 +01:00
stringify(obj) {
const ret = JSON.stringify(obj, this.replacer);
_seen = [];
2018-03-18 17:37:36 +01:00
return ret;
2019-08-18 11:06:46 +02:00
2018-03-18 17:37:36 +01:00
xhrcall (config) {
const xhr = new XMLHttpRequest();
if (config.responseType) {
xhr.responseType = config.responseType;
const statuses = config.statuses || [200];
xhr.addEventListener('load', () => {
if (statuses.indexOf(xhr.status) >= 0) {
return config.success && config.success(xhr.response, xhr);
} else {
return config.error && config.error('http status ' + xhr.status, xhr);
xhr.addEventListener('error', () => {
const err = xhr.response && xhr.response.error || new Error('Network error');
this.logger.error('HaveIBeenPwned API error', 'GET', xhr.status, err);
err.status = xhr.status;
return err;
2018-03-18 17:37:36 +01:00
xhr.addEventListener('timeout', () => {
return config.error && config.error('timeout', xhr);
}); || 'GET', config.url);
if (config.headers) {
config.headers.forEach((value, key) => {
xhr.setRequestHeader(key, value);
2018-03-18 17:37:36 +01:00
2019-08-18 11:06:46 +02:00
2018-03-18 17:37:36 +01:00
hex (buffer) {
const hexCodes = [];
const view = new DataView(buffer);
for (let i = 0; i < view.byteLength; i += 4) {
2018-03-18 17:37:36 +01:00
// Using getUint32 reduces the number of iterations needed (we process 4 bytes each time)
const value = view.getUint32(i);
2018-03-18 17:37:36 +01:00
// toString(16) will give the hex representation of the number without padding
const stringValue = value.toString(16);
2018-03-18 17:37:36 +01:00
// We use concatenation and slice for padding
const padding = '00000000';
const paddedValue = (padding + stringValue).slice(-padding.length);
2018-03-18 17:37:36 +01:00
// Join all the hex strings into one
return hexCodes.join('');
2019-08-18 11:06:46 +02:00
2018-03-18 17:37:36 +01:00
digest(algo, str) {
const buffer = Kdbxweb.ByteUtils.stringToBytes(str);
2018-03-18 17:37:36 +01:00
const subtle = window.crypto.subtle || window.crypto.webkitSubtle;
const _self = this;
return subtle.digest(algo, buffer).then(hash => {
2018-03-18 17:37:36 +01:00
return _self.hex(hash);
2019-08-18 11:06:46 +02:00
2018-03-18 17:37:36 +01:00
sha1(str) {
return this.digest('SHA-1', str);
2019-08-18 11:06:46 +02:00
2018-03-18 17:37:36 +01:00
sha256(str) {
return this.digest('SHA-256', str);
2019-08-18 11:06:46 +02:00
alert (el, msg) {
//{ body: msg, title: 'HaveIBeenPwned' });
Tip.createTip(el, { title: msg, placement: 'bottom' });
2019-08-18 11:06:46 +02:00
passed(el, msg) {;
2018-03-18 17:37:36 +01:00
const hibp = new HIBPUtils();
2018-03-18 17:37:36 +01:00
DetailsView.prototype.checkNamePwned = function (name) {'check hibp name ' + name);
2018-03-18 17:37:36 +01:00
name = encodeURIComponent(name);
const url = `${name}?truncateResponse=true`;
hibp.logger.debug('url ' + url);
2018-03-18 17:37:36 +01:00
url: url,
method: 'GET',
responseType: 'json',
headers: undefined,
data: null,
statuses: [200, 404],
success: (data, xhr) => {
if (data && data.length > 0) {
hibp.logger.debug('found breaches ' + JSON.stringify(data));
let breaches = '';
data.forEach(breach => { breaches += '<li>' + utilFn.escape(breach.Name) + '</li>\n'; });
hibp.alert(this.userEditView.$el, `WARNING! This account has been pawned in the following breaches<br/>\n<ul>\n${breaches}\n</ul>\n<p>Please check on <a href=''></a>\n`);
2018-03-18 17:37:36 +01:00
} else {
hibp.passed(this.userEditView.$el, 'check pwned user name passed...');
2018-03-18 17:37:36 +01:00
2018-03-18 17:37:36 +01:00
DetailsView.prototype.checkPwdPwned = function (passwordHash) {'check hibp pwd (hash) ' + passwordHash);
const prefix = passwordHash.substring(0, 5);
2018-03-18 17:37:36 +01:00
url: `${prefix}`,
method: 'GET',
responseType: 'text',
headers: undefined,
data: null,
statuses: [200, 404],
success: data => {
if (data) {
hibp.logger.debug('found breaches ' + JSON.stringify(data));
2018-03-18 17:37:36 +01:00
data.split('\r\n').forEach(line => {
const h = line.split(':');
2018-03-19 22:03:13 +01:00
const suffix = h[0];
2018-03-18 17:37:36 +01:00
if (prefix + suffix === passwordHash) {
const nb = utilFn.escape(h[1]);
hibp.alert(this.passEditView.$el, `WARNING: This password is referenced as pawned ${nb} times on <a href=''></a>!\n`);
2018-03-18 17:37:36 +01:00
} else {
hibp.passed(this.userEditView.$el, 'check pwned password passed...');
2018-03-18 17:37:36 +01:00
DetailsView.prototype.fieldChanged = function (e) {
detailsViewFieldChanged.apply(this, arguments);
2018-03-18 17:37:36 +01:00
if (e.field) {
hibp.logger.debug('field changed ' + hibp.stringify(e));
if (e.field === '$Password' && hibp.checkPwnedPwd) {
2018-03-18 17:37:36 +01:00
if (this.passEditView.value) {
const pwd = this.passEditView.value.getText();
if (pwd.replace(/\s/, '') !== '' && !pwd.startsWith('{REF:')) {
hibp.sha1(pwd).then(hash => {
2018-03-18 17:37:36 +01:00
} else if (e.field === '$UserName' && hibp.checkPwnedName) {
2018-03-18 17:37:36 +01:00
module.exports.getSettings = function () {
return [{
2018-03-18 17:37:36 +01:00
name: 'checkPwnedPwd',
label: 'Check passwords against HaveIBeenPwned list',
type: 'checkbox',
value: hibp.checkPwnedPwd
2018-03-18 17:37:36 +01:00
}, {
name: 'checkPwnedName',
label: 'Check user ids against HaveIBeenPwned list',
type: 'checkbox',
value: hibp.checkPwnedName
2018-03-18 17:37:36 +01:00
}, {
name: 'blockPwnedPwd',
label: 'Block pwned passwords if they are in HaveIBeenPwned list',
type: 'checkbox',
value: hibp.blockPwnedPwd
2018-03-18 17:37:36 +01:00
}, {
name: 'blockPwnedName',
label: 'Block pwned names if they are in HaveIBeenPwned list',
type: 'checkbox',
value: hibp.blockPwnedName
2018-03-18 17:37:36 +01:00
module.exports.setSettings = function (changes) {
for (const field in changes) {
const ccfield = field.substr(0, 1).toLowerCase() + field.substring(1);
hibp[ccfield] = changes[field];
2018-03-18 17:37:36 +01:00
module.exports.uninstall = function () {
DetailsView.prototype.fieldChanged = detailsViewFieldChanged;
2018-03-18 17:37:36 +01:00