use the Have-I-been-pwned API outside our plugins
23 Aug 2017 11:25 - 24 Aug 2017 17:15 #1
by Rüdiger Schultz
Ruediger Schultz
Schultz IT Solutions
Please support jDBexport on JOOMLA Extension directory (JED) at
extensions.joomla.org/extensions/extensi...ta-reports/jdbexport
There might be other situations (not registration, password change or login), where you would like to check the email address (and possibly the password) of a user.
Well, this indeed is easy to achieve (provided our password_pwned plugin is actually installed, of course). See this example on how to do this:
// This snippet assumes it runs inside your own plugin class, so that
// $this->params (e.g. the 'articleidmoreinfo' setting) is available.
$application = JFactory::getApplication();
$return      = TRUE;

$data   = array('password1' => 'CorrectHorseBatteryStaple');
$method = 'pwnedpassword';
$caller = 'yourOwnTextID';
$param4 = FALSE;
$response = Password_pwnedHelper::_callHIBPapi($data, $method, $caller, $param4);

switch ($response)
{
    case '200': // password was found in the "Have-I-been-Pwned" database, this one is known to hackers
        if (Password_pwnedHelper::getPluginParams('allowpwned', $caller, $this))
        {
            $application->enqueueMessage(JText::_('PLG_PASSWORD_PWNED_MSG_PASSWORDFOUND'), 'warning');
        }
        else
        {
            $application->enqueueMessage(JText::_('PLG_PASSWORD_PWNED_MSG_PASSWORDFOUND_BLOCK'), 'error');
            $return = FALSE;
        }
        if (Password_pwnedHelper::getPluginParams('showmoreinfo', $caller, $this))
        {
            $url     = JURI::base() . 'index.php?option=com_content&view=article&id=' . $this->params->get('articleidmoreinfo');
            $message = str_replace('{PASSWORDPWNEDINFOARTICLE}', $url, JText::_('PLG_PASSWORD_PWNED_MSG_SHOWMOREINFO'));
            $application->enqueueMessage($message, 'notice');
        }
        break;
    case '404': // password was not found in the "Have-I-been-Pwned" database, should be OK
        break;
    case '429': // rate limit exceeded for "Have-I-been-Pwned" API calls
        break;
    default:
        $return = FALSE;
        break;
}
A few explanatory words
The Password_pwnedHelper class should always exist within the Joomla environment, as it is loaded in the "system" plugin. So you should be able to call it!
The _callHIBPapi method takes four parameters:
- $data : an associative array with your data (see example above)
- $method : to check for a pwned password, use 'pwnedpassword'
- $caller : identify your calling context by a text string; do not use 'plgSystem' or 'plgAuthentication' as these are reserved already!
- $param4 : we suggest you provide FALSE here (it is not utilised in any other context than 'plgSystem')
You will receive a string representing the actual HTTP status response from the Have I been pwned? API, on which you can react.
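The following wrapper is an added example, not code from the post above or from the password_pwned plugin itself. It assumes the plugin's "system" plugin is installed so that Password_pwnedHelper::_callHIBPapi() and the PLG_PASSWORD_PWNED_* language strings exist; the function name myext_checkPasswordPwned, the $failClosed switch, the result array and the sample form data are all hypothetical. What it adds to the snippet above is an explicit decision for the '429' and error cases: the switch in the post silently lets a rate-limited check pass, whereas here the caller chooses whether an unverified password is rejected (fail closed) or accepted with status 'unknown', and only the decision, never the password, reaches the log.

```php
<?php
// Added example (not part of the original post or the password_pwned plugin).
// Assumes the password_pwned system plugin is installed; everything named
// myext_* or $failClosed is hypothetical.

/**
 * Check a candidate password against Have I been pwned through the plugin helper.
 *
 * @param  string $password    Candidate password (never logged or echoed).
 * @param  string $caller      Your own context ID; must not be 'plgSystem' or 'plgAuthentication'.
 * @param  bool   $failClosed  TRUE: an unreachable or rate-limited API rejects the password.
 *                             FALSE: it is accepted, with status 'unknown'.
 * @return array  array('status' => 'pwned'|'clean'|'unknown', 'allowed' => bool, 'http' => string)
 */
function myext_checkPasswordPwned($password, $caller, $failClosed = TRUE)
{
    if (!class_exists('Password_pwnedHelper'))
    {
        // Plugin not installed or not loaded: the check did not happen.
        return array('status' => 'unknown', 'allowed' => !$failClosed, 'http' => '');
    }

    $data     = array('password1' => $password);
    $response = Password_pwnedHelper::_callHIBPapi($data, 'pwnedpassword', $caller, FALSE);

    switch ((string) $response)
    {
        case '200': // password is in the HIBP corpus
            return array('status' => 'pwned', 'allowed' => FALSE, 'http' => '200');
        case '404': // password not found
            return array('status' => 'clean', 'allowed' => TRUE, 'http' => '404');
        case '429': // rate limit hit: no answer was obtained
        default:    // any other status or a transport error: same treatment
            return array('status' => 'unknown', 'allowed' => !$failClosed, 'http' => (string) $response);
    }
}

// Hypothetical usage in a custom form handler; $formData is constructed sample input.
$formData = array('newpassword' => 'CorrectHorseBatteryStaple');
$result   = myext_checkPasswordPwned($formData['newpassword'], 'com_myext', TRUE);

if (!$result['allowed'])
{
    $text = ($result['status'] === 'pwned')
        ? JText::_('PLG_PASSWORD_PWNED_MSG_PASSWORDFOUND_BLOCK')
        : 'The password could not be verified right now, please try again later.';
    JFactory::getApplication()->enqueueMessage($text, 'error');

    // Log the outcome only; the password itself must never appear in logs.
    JLog::add('pwned check: ' . $result['status'] . ' (HTTP ' . $result['http'] . ')', JLog::INFO, 'myext');
}
```

The fail-closed default is the safer choice for password changes, where a retry costs the user little; for a login flow you would normally pass FALSE, since refusing every login while the API is rate-limited turns a lookup outage into a denial of service.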