first working version

CHANGELOG.md

@@ -0,0 +1,5 @@
+## Changelog
+
+#### 0.1.0
+
+first working version

PasswordVerifier.php

@@ -0,0 +1,56 @@
+<?php
+/**
+ * Piwik - free/libre analytics platform
+ *
+ * @link http://piwik.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Plugins\PasswordVerifier;
+
+use Piwik\Container\StaticContainer;
+use Piwik\Http;
+use Piwik\Piwik;
+use Piwik\Plugins\BulkTracking\Tracker\Response;
+use Piwik\Validators\Exception;
+use Psr\Log\LoggerInterface;
+
+class PasswordVerifier extends \Piwik\Plugin
+{
+
+    public function registerEvents() {
+        return array(
+            'UsersManager.checkPassword' => 'verifyPassword'
+        );
+    }
+
+    public function verifyPassword($password) {
+        $hash = strtoupper(sha1($password));
+        $prefix = substr($hash, 0, 5);
+        $suffix = substr($hash, 5);
+        $url = 'https://api.pwnedpasswords.com/range/' . $prefix;
+
+
+        try {
+            $response = Http::sendHttpRequest($url, $timeout = 10);
+        } catch (\Exception $e) {
+            $logger = StaticContainer::getContainer()->get('Psr\Log\LoggerInterface');
+            $logger->warning("Can't reach haveibeenpwned.com");
+            $logger->warning($e->getMessage());
+            throw new Exception(Piwik::translate("PasswordVerifier_CantReachAPI"));
+        }
+        $hashes = [];
+        if (strpos($response, $suffix) === false) {
+            return true;
+        }
+        foreach (explode("\n", $response) as $hash) {
+            $split = explode(":", $hash);
+            $hashes[$split[0]] = (int)$split[1];
+        }
+
+        if (empty($hashes[$suffix])) {
+            return true;
+        }
+        throw new \Exception(Piwik::translate('PasswordVerifier_PasswordFoundInDb', $hashes[$suffix]));
+    }
+}

README.md

@@ -0,0 +1,7 @@
+# Matomo PasswordVerifier Plugin
+
+## Description
+
+This plugin sends the first 5 characters of the SHA1 hash of the password to the [haveibeenpwned.com database](https://haveibeenpwned.com/Passwords) of over 500 million passwords exposed in data breaches. If the password is found, Matomo rejects it and asks the user to use a more secure password.
+
+This plugin only acts on passwords changes and can't access existing passwords as they are stored securely hashed by Matomo.

docs/faq.md

@@ -0,0 +1,5 @@
+## FAQ
+
+__This plugin is rejecting too many passwords. Can I set a threshold of occurances required to reject a password?__
+
+Not yet, but it would be very easy to add. If you are interested, just contact me.

lang/de.json

@@ -0,0 +1,6 @@
+{
+  "PasswordVerifier": {
+    "PasswordFoundInDb": "Das gewählte Passwort kommt %1$s Mal in der haveibeenpwned.com Datenbank vor. Bitte wählen Sie ein sicheres Passwort.",
+    "CantReachAPI": "haveibeenpwned.com ist nicht erreichbar. Bitte überprüfen Sie das Matomo Log für mehr Informationen."
+  }
+}

lang/en.json

@@ -0,0 +1,6 @@
+{
+  "PasswordVerifier": {
+    "PasswordFoundInDb": "Your password occurs %1$s times in the haveibeenpwned.com database. Please choose a secure password",
+    "CantReachAPI": "Can't reach haveibeenpwned.com to verify the password. Please check the Matomo log for more information"
+  }
+}

plugin.json

@@ -0,0 +1,29 @@
+{
+  "name": "PasswordVerifier",
+  "description": "Reject insecure passwords by searching for their hash in the haveibeenpwned.com database",
+  "version": "0.1.0",
+  "theme": false,
+  "require": {
+    "piwik": ">=3.6.1,<4.0.0-b1"
+  },
+  "authors": [
+    {
+      "name": "Lukas Winkler",
+      "email": "lukas@matomo.org",
+      "homepage": "https://lw1.at"
+    }
+  ],
+  "support": {
+    "email": "lukas@matomo.org",
+    "issues": "https://github.com/Findus23/plugin-PasswordVerifier/issues",
+    "forum": "https://forum.matomo.org",
+    "source": "https://github.com/Findus23/plugin-PasswordVerifier"
+  },
+  "homepage": "https://lw1.at",
+  "license": "GPL v3+",
+  "keywords": [
+    "security",
+    "passwords",
+    "haveibeenpwned"
+  ]
+}