prevent use of common password using the haveibeenpwned password api

epicweb-dev · Mar 6, 2025 · c54b3fd · c54b3fd
1 parent 468c5e5
commit c54b3fd
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 2 deletions.
diff --git a/app/routes/_auth+/onboarding.tsx b/app/routes/_auth+/onboarding.tsx
@@ -1,3 +1,4 @@
+import crypto from 'node:crypto'
 import { getFormProps, getInputProps, useForm } from '@conform-to/react'
 import { getZodConstraint, parseWithZod } from '@conform-to/zod'
 import { data, redirect, Form, useSearchParams } from 'react-router'
@@ -72,6 +73,27 @@ export async function action({ request }: Route.ActionArgs) {
 					})
 					return
 				}
+				const hash = crypto
+					.createHash('sha1')
+					.update(data.password, 'utf8')
+					.digest('hex')
+					.toUpperCase()
+				const [prefix, suffix] = [hash.slice(0, 5), hash.slice(5)]
+				const res = await fetch(
+					`https://api.pwnedpasswords.com/range/${prefix}`,
+				)
+				if (!res.ok) throw new Error(`HTTP error! status: ${res.status}`)
+				const text = await res.text()
+				const matches = text
+					.split('/\r?\n/')
+					.filter((line) => line.includes(suffix))
+				if (matches.length) {
+					ctx.addIssue({
+						path: ['password'],
+						code: 'custom',
+						message: 'Password is too common',
+					})
+				}
 			}).transform(async (data) => {
 				if (intent !== null) return { ...data, session: null }
 

diff --git a/app/routes/_auth+/reset-password.tsx b/app/routes/_auth+/reset-password.tsx
@@ -1,3 +1,4 @@
+import crypto from 'node:crypto'
 import { getFormProps, getInputProps, useForm } from '@conform-to/react'
 import { getZodConstraint, parseWithZod } from '@conform-to/zod'
 import { type SEOHandle } from '@nasa-gcn/remix-seo'
@@ -41,8 +42,29 @@ export async function loader({ request }: Route.LoaderArgs) {
 export async function action({ request }: Route.ActionArgs) {
 	const resetPasswordUsername = await requireResetPasswordUsername(request)
 	const formData = await request.formData()
-	const submission = parseWithZod(formData, {
-		schema: ResetPasswordSchema,
+	const submission = await parseWithZod(formData, {
+		schema: ResetPasswordSchema.superRefine(async ({ password }, ctx) => {
+			const hash = crypto
+				.createHash('sha1')
+				.update(password, 'utf8')
+				.digest('hex')
+				.toUpperCase()
+			const [prefix, suffix] = [hash.slice(0, 5), hash.slice(5)]
+			const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`)
+			if (!res.ok) throw new Error(`HTTP error! status: ${res.status}`)
+			const data = await res.text()
+			const matches = data
+				.split('/\r?\n/')
+				.filter((line) => line.includes(suffix))
+			if (matches.length) {
+				ctx.addIssue({
+					path: ['password'],
+					code: 'custom',
+					message: 'Password is too common',
+				})
+			}
+		}),
+		async: true,
 	})
 	if (submission.status !== 'success') {
 		return data(