WTF-508 HIBP now uses API v3 with authorization to fetch data

2025-01-18 04:03:14 -08:00 · 2019-07-21 14:45:10 -07:00 · 2019-07-21 14:45:10 -07:00 · edcb6d0ca4
commit edcb6d0ca4
parent 4160d4e770
2 changed files with 29 additions and 4 deletions
--- a/modules/hibp/client.go
+++ b/modules/hibp/client.go
@ -2,6 +2,7 @@ package hibp

 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"net/http"
@ -9,12 +10,16 @@ import (
 )

 const (
-	apiURL            = "https://haveibeenpwned.com/api/breachedaccount/"
-	apiVersion        = "application/vnd.haveibeenpwned.v2+json"
+	apiURL            = "https://haveibeenpwned.com/api/v3/breachedaccount/"
 	clientTimeoutSecs = 2
 	userAgent         = "WTFUtil"
 )

+type hibpError struct {
+	StatusCode int    `json:"statusCode"`
+	Message    string `json:"message"`
+}
+
 func (widget *Widget) fullURL(account string, truncated bool) string {
 	truncStr := "false"
 	if truncated == true {
@ -43,8 +48,8 @@ func (widget *Widget) fetchForAccount(account string, since string) (*Status, er
 		return nil, err
 	}

-	request.Header.Set("Accept", apiVersion)
 	request.Header.Set("User-Agent", userAgent)
+	request.Header.Set("hibp-api-key", widget.settings.apiKey)

 	response, getErr := hibpClient.Do(request)
 	if getErr != nil {
@ -56,6 +61,11 @@ func (widget *Widget) fetchForAccount(account string, since string) (*Status, er
 		return nil, err
 	}

+	hibpErr := widget.validateHTTPResponse(response.StatusCode, body)
+	if hibpErr != nil {
+		return nil, errors.New(hibpErr.Message)
+	}
+
 	stat, err := widget.parseResponseBody(account, body)
 	if err != nil {
 		return nil, err
@ -115,3 +125,16 @@ func (widget *Widget) filterBreaches(breaches []Breach) []Breach {

 	return latestBreaches
 }
+
+func (widget *Widget) validateHTTPResponse(responseCode int, body []byte) *hibpError {
+	hibpErr := &hibpError{}
+
+	switch responseCode {
+	case 401, 402:
+		json.Unmarshal(body, hibpErr)
+	default:
+		hibpErr = nil
+	}
+
+	return hibpErr
+}
--- a/modules/hibp/settings.go
+++ b/modules/hibp/settings.go
@ -24,7 +24,8 @@ type Settings struct {
 	common *cfg.Common

 	accounts []string `help:"A list of the accounts to check the HIBP database for."`
-	since    string   `help:"Only check for breaches after this date. Set this if you’ve been breached in the past, have taken steps to mitigate that (changing passwords, cancelling accounts, etc.) and now only want to know about future breaches." values:"A date string in the format 'yyyy-mm-dd', ie: '2019-06-22'", optional:"true"`
+	apiKey   string   `help:"Your HIBP API v3 API key"`
+	since    string   `help:"Only check for breaches after this date. Set this if you’ve been breached in the past, have taken steps to mitigate that (changing passwords, cancelling accounts, etc.) and now only want to know about future breaches." values:"A date string in the format 'yyyy-mm-dd', ie. '2019-06-22'" optional:"true"`
 }

 // NewSettingsFromYAML creates a new settings instance from a YAML config block
@ -32,6 +33,7 @@ func NewSettingsFromYAML(name string, ymlConfig *config.Config, globalConfig *co
 	settings := &Settings{
 		common: cfg.NewCommonSettingsFromModule(name, defaultTitle, ymlConfig, globalConfig),

+		apiKey:   ymlConfig.UString("apiKey", ""),
 		accounts: wtf.ToStrs(ymlConfig.UList("accounts")),
 		since:    ymlConfig.UString("since", ""),
 	}