Merge pull request #16633 from lichess-org/pwned-direct

directly use pwned k-anonymity api
lichess-org · Dec 20, 2024 · 9141574 · 9141574
2 parents 1a2a745 + 2d86ba4
commit 9141574
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 9 deletions.
diff --git a/conf/base.conf b/conf/base.conf
@@ -215,7 +215,7 @@ security {
     enabled = false
     url = "http://ip2proxy.lichess.ovh:1929"
   }
-  pwned.url = ""
+  pwned.range_url = "https://api.pwnedpasswords.com/range/"
   hcaptcha = ${hcaptcha}
   lame_name_check = true
   password.bpass.secret = ${user.password.bpass.secret}

diff --git a/modules/security/src/main/Env.scala b/modules/security/src/main/Env.scala
@@ -147,7 +147,7 @@ final class Env(
 
   lazy val ipTrust: IpTrust = wire[IpTrust]
 
-  lazy val pwned: Pwned = Pwned(ws, config.pwnedUrl)
+  lazy val pwned: Pwned = Pwned(ws, config.pwnedRangeUrl)
 
   lazy val proxy2faSetting: SettingStore[Strings] @@ Proxy2faSetting = settingStore[Strings](
     "proxy2fa",

diff --git a/modules/security/src/main/Pwned.scala b/modules/security/src/main/Pwned.scala
@@ -6,21 +6,21 @@ import play.api.libs.ws.DefaultBodyReadables.*
 import play.api.libs.ws.JsonBodyReadables.*
 import play.api.libs.ws.StandaloneWSClient
 
-// https://github.com/lichess-org/lila-pwned
-final class Pwned(ws: StandaloneWSClient, url: String)(using Executor):
+final class Pwned(ws: StandaloneWSClient, rangeUrl: String)(using Executor):
 
   def apply(pass: lila.core.security.ClearPassword): Fu[Boolean] =
-    url.nonEmpty.so(
+    rangeUrl.nonEmpty.so:
+      val (prefix, suffix) = pass.value.sha1.hex.toUpperCase.splitAt(5)
+      val url              = s"${rangeUrl}${prefix}"
       ws.url(url)
-        .addQueryStringParameters("sha1" -> pass.value.sha1)
+        .addHttpHeaders("Add-Padding" -> "true")
         .withRequestTimeout(1.second)
         .get()
         .map:
           case res if res.status == 200 =>
-            (res.body[JsValue] \ "n").asOpt[Int].exists(_ > 0)
+            res.body[String].contains(suffix)
           case res =>
             logger.warn(s"Pwnd ${url} ${res.status} ${res.body[String].take(200)}")
             false
         .monValue: result =>
           _.security.pwned.get(result)
-    )
diff --git a/modules/security/src/main/SecurityConfig.scala b/modules/security/src/main/SecurityConfig.scala
@@ -24,7 +24,7 @@ final private class SecurityConfig(
     val hcaptcha: Hcaptcha.Config,
     @ConfigName("ip2proxy") val ip2Proxy: Ip2Proxy,
     @ConfigName("lame_name_check") val lameNameCheck: LameNameCheck,
-    @ConfigName("pwned.url") val pwnedUrl: String,
+    @ConfigName("pwned.range_url") val pwnedRangeUrl: String,
     @ConfigName("password.bpass.secret") val passwordBPassSecret: Secret
 )