Hello,

It's me again ;)

Actually this PR shouldn't be so big, but somehow it happened.

I would implement this library into my own projects, but wanted to use my own HTTP client and cache provider. This was not possible in the original version. So I made some changes to make it possible. Some new dependencies need PHP7 to run. That's why I increased the minimum version to 7.1 in this PR. Additionally I added some help functions and an abstract class and interface. This allows developers to make their own implementations as needed.

Think of it as a kind of beta for version 3. I haven't adapted the Readme yet. Just check it out and give me feedback.

If you would accept the PR i would write a Symfony bridge to ;)

Best regards.

Changed log

• Upgrade PHPUnit version to ^6.5.
• Add php: >=7.0 in require block and define this in composer.json.
• Add the test classes namespace in autoload-dev block and define this in composer.json.

Hi ,

This is my issue on password store /update,

Issue: "ParagonIE \ Certainty \ Exception \ FilesystemException ca-certs.json not found in data directory"

And i added screen shot.Please kindly give me a solution https://user-images.githubusercontent.com/45994584/50214954-a68a1600-03a7-11e9-914b-71d0966e6b55.png

It seems this package should not indicate support for v1 of the guzzle6-adapter package, because the type of object returned differs between v1 and v2 of the guzzle6-adapter.

This causes a compatibility issue with Laravel 5.7

It is caused by Laravel 5.7 requiring the laravel/nexmo-notification-channel as standard, which depends on the nexmo/client which enforces the use v1 of the guzzle6-adapter.

My plan of action is going to be:

• Create a simple PSR18 Guzzle adapter package, that returns an object which implements the correct PSR18 client interface.
• Modify this package to make use of the new PSR18 Guzzle adapter package.

This issue was discovered by @tswestendorp. See https://github.com/DivineOmega/password_exposed/pull/24.

\Http\Client\HttpClient doesn't implement \Psr\Http\Client\ClientInterface in php-http/guzzle6-adapter ^1.1 which makes the package incompatible with recent versions of laravel/framework

However unlikely, passing a real password to a library is a risk in itself. Since there is no need to do that in this case we should provide a method to check a password by it's SHA-1 hash.

Changed log

• The php-7.1.33 version is latest stable php-7.1 version now.
• Remove trusty dist and these php-7.x versions are enabled on xenial dist by default.
• Upgrade the PHPUnit version to be ^7.0||^8.0. To be compatible with PHPUnit 7.x and PHPUnit 8.x versions, it should add :void to be compatible with PHPUnit\Framework\TestCase::setUp method.
• Using the assertTrue and assertFalse assertions to assert expected value is true or false.

Maybe I didn't see it or am I right that it currently only takes blank strings as input? Useful for the exact moment when users have to choose a new password.

But it would be even nicer to also be able to use this tool for checking against already hashed passwords. Would that work with Troys API? With different hash types? Or does it anyways only work with sha1?

This also makes the library's docblocks, etc. fully type-safe and uses Psalm to verify it.

Keep in mind that Certainty requires PHP 5.6 so this might be a no-go if you wanted e.g. PHP 5.4 compatibility.

It's possible to recover the SHA1 of every password checked in the last 30 days by browsing the /tmp/password-exposed-cache folder.

Example

<?php

require_once(__DIR__ . '/vendor/autoload.php');

const DEMO_PASSWORD = 'WdBNSvWGnovprIe92mn4w3oinmWFxkbTHffqf8S8dUhYmNnbNjLJnUS1M7N6gVZ';

$passwordStatus = password_exposed(DEMO_PASSWORD);

echo 'Using a demo password of ' . DEMO_PASSWORD . ' with SHA1 ' . sha1(DEMO_PASSWORD) . PHP_EOL;
echo 'Status is: ' . $passwordStatus;

Output:

➜ password_exposed git:(master) ✗ php play.php Using a demo password of WdBNSvWGnovprIe92mn4w3oinmWFxkbTHffqf8S8dUhYmNnbNjLJnUS1M7N6gVZ with SHA1 604c4b2521a23ccd21572619e84a895e4153d88a Status is: not_exposed

➜ password_exposed git:(master) ✗ tree /tmp/password-exposed-cache /tmp/password-exposed-cache └── 60 └── 4c4b2521a23ccd21572619e84a895e4153d88a.cache

1 directory, 1 file

PR changes to caching the API response instead.

for commercial use haveibeenpwned uses api-keys for authentication.

looking at the current api of this package, I don't know where/how to pass in the api key into the lib. Am I the only one in need for this feature? :)

In some cases, the response body pulled from the HaveIBeenPwned API can end with a blank space after the final new line characters. When pulled into the $lines array, this creates an index that consists of just a blank string.

When attempting to call list() on the result of calling explode(':', $line), an Exception is thrown.

This Exception is not caught in this package, or within Laravel NIST which uses it. The stack trace of this Exception exposes the User's password to any logs that record it.

Passing the $lines array through an array_filter() removes any blank indexes and prevents this error.

In this method, if the $line variable does not contain a colon (e.g., is an empty string), then the call to list() will throw an Exception.

https://github.com/DivineOmega/password_exposed/blob/327f93ee5cab54622077bcae721412b55be16720/src/AbstractPasswordExposedChecker.php#L147

This exception is not caught by the handling in NIST or the DivineOmega packages. The stack trace of this exception will contain the submitted password in plain text.

hi,

cant install as a dependemcy from divineomega/laravel-password-exposed-validation-rule :

Running composer update langleyfoxall/laravel-nist-password-rules
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - divineomega/password_exposed v3.2.0 requires psr/cache ^1.0 -> found psr/cache[1.0.0, 1.0.1] but the package is fixed to 3.0.0 (lock file version) by a partial update and that version does not match. Make sure you list it as an argument for the update command.
    - langleyfoxall/laravel-nist-password-rules[v5.0.0, ..., v5.0.1] require divineomega/laravel-password-exposed-validation-rule ^2.4.0 -> satisfiable by divineomega/laravel-password-exposed-validation-rule[v2.4.0].
    - divineomega/laravel-password-exposed-validation-rule v2.4.0 requires divineomega/password_exposed ^3.2.0 -> satisfiable by divineomega/password_exposed[v3.2.0].
    - Root composer.json requires langleyfoxall/laravel-nist-password-rules ^5.0 -> satisfiable by langleyfoxall/laravel-nist-password-rules[v5.0.0, v5.0.1].

https://github.com/DivineOmega/password_exposed/blob/327f93ee5cab54622077bcae721412b55be16720/composer.json#L25

We had a user in production get a strange error today which seems to originate from this package:

rename(/home/sites/15a/5/564543e965/production/releases/161/vendor/divineomega/password_exposed/src/../bundles/ca-certs.json,/home/sites/15a/5/564543e965/production/releases/161/vendor/divineomega/password_exposed/src/../bundles/ca-certs-backup-20210915192000.json): No such file or directory

Its only happened once but should I be worried here?