Version 1.0

Author: charlretief

.gitignore

@@ -0,0 +1 @@
+/.idea

composer.json

@@ -0,0 +1,28 @@
+{
+  "name": "payfast/laravel-validate-pwned-password",
+  "description": "Adds Laravel validator rule to check if a password has been pwned from https://haveibeenpwned.com/API/v2",
+  "license": "GPL-3.0-only",
+  "type": "package",
+  "authors": [
+    {
+      "name": "Charl Retief",
+      "email": "[email protected]"
+    }
+  ],
+  "minimum-stability": "dev",
+  "require": {
+    "php": ">=5.6.0"
+  },
+  "autoload": {
+    "psr-4": {
+      "PayFast\\": "src/"
+    }
+  },
+  "extra": {
+    "laravel": {
+      "providers": [
+        "PayFast\\Providers\\PwnedPasswordServiceProvider"
+      ]
+    }
+  }
+}

readme.md

@@ -0,0 +1,32 @@
+# Laravel Pwned Password Validator
+
+Adds a Laravel validator rule that checks if a password has been pwned in any public data breaches.
+This uses Troy Hunt's Pwned Password API https://haveibeenpwned.com/API/v2 to check for pwned passwords.
+
+## Installation
+Using composer:
+```
+composer require "payfast/laravel-validate-pwned-password":"^1.0"
+```
+
+For old verions of Laravel (<5.5) and Lumen you may need to manually register the service provider. Add in `bootstrap/app.php`
+```php
+    $app->register('PayFast\\Providers\\PwnedPasswordServiceProvider');
+```
+
+## Usage
+When using Laravel Validation you can now add a new rule `pwnedpassword` to any field that will contain a password. This rule will fail the input if the supplied value matches a known pwned password.
+
+Example:
+
+```php
+return Validator::make($data, [
+    'password' => 'required|string|min:8|pwnedpassword|confirmed',
+]);
+```
+
+## Customization
+To change the error message add a language string to `resources/lang/en/validation.php`
+```php
+    'pwnedpassword' => 'This :attribute is not secure. It appears :count times in the Pwned Passwords database of security breaches. For more information: https://haveibeenpwned.com/Passwords'
+```

src/Lib/PwnedPassword.php

@@ -0,0 +1,64 @@
+<?php
+
+namespace PayFast\Lib;
+
+class PwnedPassword
+{
+    public static $breachCount;
+
+    /**
+     * Validate function called by the validator
+     *
+     * @param $attribute
+     * @param $value
+     * @param $parameters
+     * @param $validator
+     * @return bool
+     */
+    public function validate($attribute, $value, $parameters, $validator)
+    {
+        $hash = sha1($value);
+
+        $ch = curl_init();
+        curl_setopt($ch, CURLOPT_URL, 'https://api.pwnedpasswords.com/range/' . substr($hash, 0, 5));
+        curl_setopt($ch, CURLOPT_USERAGENT, 'PHP - Laravel Pwned Password Validator');
+        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+        $results = curl_exec($ch);
+        $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+        curl_close($ch);
+
+        if (($httpcode !== 200) || empty($results)) {
+            //hmm if don't get normal 200 response code or empty result then just stop
+            return true;
+        }
+
+        if (preg_match('/' . preg_quote(substr($hash, 5)) . ':([0-9]+)/ism', $results, $matches) == 1) {
+            self::$breachCount = $matches[1];
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Generate the error message displayed for a pwned password
+     *
+     * @param $message
+     * @param $attribute
+     * @param $rule
+     * @param $parameters
+     * @return mixed|string
+     */
+    public function message($message, $attribute, $rule, $parameters)
+    {
+        if ($message == 'validation.pwnedpassword') {
+            $message = 'This :attribute is not secure. It appears :count times in the Pwned Passwords database of security breaches. For more information: https://haveibeenpwned.com/Passwords';
+        }
+
+        $message = str_replace(':ATTRIBUTE', strtoupper($attribute), $message);
+        $message = str_replace(':Attribute', ucwords($attribute), $message);
+        $message = str_replace(':attribute', $attribute, $message);
+        $message = str_ireplace(':count', self::$breachCount, $message);
+        return $message;
+    }
+}

src/Providers/PwnedPasswordServiceProvider.php

@@ -0,0 +1,30 @@
+<?php
+
+namespace PayFast\Providers;
+
+use Illuminate\Support\ServiceProvider;
+use Illuminate\Support\Facades\Validator;
+
+class PwnedPasswordServiceProvider extends ServiceProvider
+{
+    /**
+     * Boot the application events.
+     *
+     * @return void
+     */
+    public function boot()
+    {
+        Validator::extend('pwnedpassword', 'PayFast\Lib\PwnedPassword@validate');
+        Validator::replacer('pwnedpassword', 'PayFast\Lib\PwnedPassword@message');
+    }
+
+    /**
+     * Get the services provided by the provider.
+     *
+     * @return array
+     */
+    public function provides()
+    {
+        return ['PayFast\\Providers\\PwnedPasswordServiceProvider'];
+    }
+}