. */ declare(strict_types=1); namespace FireflyIII\Services\Password; use GuzzleHttp\Client; use GuzzleHttp\Exception\GuzzleException; use GuzzleHttp\Exception\RequestException; use Log; use RuntimeException; /** * Class PwndVerifierV2. * * @codeCoverageIgnore */ class PwndVerifierV2 implements Verifier { /** * Verify the given password against (some) service. * * @param string $password * * @return bool */ public function validPassword(string $password): bool { // Yes SHA1 is unsafe but in this context its fine. $hash = sha1($password); $prefix = substr($hash, 0, 5); $rest = substr($hash, 5); $uri = sprintf('https://api.pwnedpasswords.com/range/%s', $prefix); $opt = [ 'headers' => [ 'User-Agent' => sprintf('Firefly III v%s', config('firefly.version')), 'Add-Padding' => 'true', ], 'timeout' => 3.1415]; Log::debug(sprintf('hash prefix is %s', $prefix)); Log::debug(sprintf('rest is %s', $rest)); try { $client = new Client(); $res = $client->request('GET', $uri, $opt); } catch (GuzzleException | RequestException $e) { Log::error(sprintf('Could not verify password security: %s', $e->getMessage())); return true; } Log::debug(sprintf('Status code returned is %d', $res->getStatusCode())); if (404 === $res->getStatusCode()) { return true; } try { $strpos = stripos($res->getBody()->getContents(), $rest); } catch (RuntimeException $e) { // @phpstan-ignore-line Log::error(sprintf('Could not get body from Pwnd result: %s', $e->getMessage())); $strpos = false; } if (false === $strpos) { Log::debug(sprintf('%s was not found in result body. Return true.', $rest)); return true; } Log::debug(sprintf('Found %s, return FALSE.', $rest)); return false; } }