prevent use of common password using the haveibeenpwned password api #958

Merged
merged 6 commits into from
Mar 6, 2025

Conversation

AdityaKirad
Contributor

Added checks in the schemas of the onboarding and reset-password pages to prevent the use of common passwords, using the HaveIBeenPwned Password API.

Member

@kentcdodds kentcdodds left a comment

Thanks for this! I think it's a good idea. Just a couple things:

  1. Let's reduce the duplication by putting this logic in auth.server.ts as a util and using that util.
  2. Let's add an MSW mock in the test/mocks directory so we don't depend on it for development and testing
  3. Let's add a timeout to the request so if it takes more than 1 second we skip the check
  4. If the request fails, let's skip the check

I don't want a user to not be able to set their password just because a third party service is down or slow or unreliable. And all third party requests we make should be mocked out.

Thanks for this! I think it's great!

@AdityaKirad
Contributor Author

Will make the necessary changes asap.

1. Reduced the core logic by extracting it into a custom function in auth.server.ts
2. Added a timeout to the request so the check is skipped if the request takes more than 1s
3. Skips the check if the request fails
4. Added an MSW mock so that we don't depend on it in development and testing
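The behaviour agreed in this thread (a prefix lookup against the Pwned Passwords range API, a 1 second timeout, skipping the check on any failure, and a single warning) as an added TypeScript example; this is not the PR's code. It assumes Node 18+ (`fetch`, `AbortController`, `node:crypto`); the `Fetcher` type, the function names and the injectable fetcher (which stands in for the MSW mock so the check can be exercised offline) are choices made here.

```typescript
import { createHash } from 'node:crypto'

// Just enough of the fetch contract to allow an offline stub (assumption made here).
type Fetcher = (
	url: string,
	init?: { signal?: AbortSignal },
) => Promise<{ ok: boolean; text(): Promise<string> }>

// Parses the "SUFFIX:COUNT" lines returned by the Pwned Passwords range endpoint.
export function parseRangeResponse(body: string): Map<string, number> {
	const counts = new Map<string, number>()
	for (const line of body.split(/\r?\n/)) {
		const [suffix, count] = line.trim().split(':')
		if (suffix && count) counts.set(suffix.toUpperCase(), Number(count))
	}
	return counts
}

// Returns true only when the password appears in a known breach. Only the first
// five hex chars of the SHA-1 are sent (k-anonymity), so the password never leaves
// the server. A timeout, network error or non-2xx response returns false, so an
// unavailable third party can never block a user from setting a password.
export async function checkIsCommonPassword(
	password: string,
	fetcher: Fetcher = fetch,
	timeoutMs = 1000,
): Promise<boolean> {
	const hash = createHash('sha1').update(password).digest('hex').toUpperCase()
	const prefix = hash.slice(0, 5)
	const suffix = hash.slice(5)
	const controller = new AbortController()
	const timer = setTimeout(() => controller.abort(), timeoutMs)
	try {
		const res = await fetcher(`https://api.pwnedpasswords.com/range/${prefix}`, {
			signal: controller.signal,
		})
		if (!res.ok) return false
		return parseRangeResponse(await res.text()).has(suffix)
	} catch (error) {
		if (error instanceof Error && error.name === 'AbortError') {
			console.warn('Password check timed out')
		} else {
			console.warn('unknown error during password check', error)
		}
		return false
	} finally {
		clearTimeout(timer)
	}
}
```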
Member

@kentcdodds kentcdodds left a comment


Thanks! Just two things :)

```ts
if (error instanceof Error && error.name === 'AbortError') {
	console.warn('Password check timed out')
}
return false
```
Member

It may be a good idea to add a warning if any other kind of error is thrown so we at least have some visibility into whether things are working.

Contributor Author

Yeah, completely forgot about it.

1. Added a warning in case the error is not an AbortError, to get more info about the error
2. Updated the MSW mock to follow the convention of the other MSW mocks
Member

@kentcdodds kentcdodds left a comment


No need to give two warnings.

Comment on lines 285 to 286

```ts
}
console.warn('unknown error during password check', error)
```

Member

Suggested change:

```ts
} else {
	console.warn('unknown error during password check', error)
}
```

@@ -1,5 +1,6 @@
import closeWithGrace from 'close-with-grace'
import { setupServer } from 'msw/node'
import { pwnedPasswordApiHandlers } from './common-password.ts'
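Review bot: the import path './common-password.ts' added in this hunk will have to change together with the file rename requested below (to './pwnedpasswords.ts'), so it is worth doing both in the same commit. The hunk as shown only adds the import; the `setupServer(...)` call is outside the visible lines, so confirm that `pwnedPasswordApiHandlers` is actually spread into the server's handler list, otherwise the Pwned Passwords request will still reach the real API during tests and development.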
Member

Let's rename the common-password file to pwnedpasswords.ts

Member

@kentcdodds kentcdodds left a comment


Thank you! This is a nifty feature 👏

@kentcdodds kentcdodds merged commit 832c24c into epicweb-dev:main Mar 6, 2025
5 checks passed
@AdityaKirad AdityaKirad deleted the prevent-common-passowords branch March 7, 2025 01:59