From 6904451ef26b5e398b4df2b1a874c7605efb0173 Mon Sep 17 00:00:00 2001
From: Lukas Winkler
Date: Tue, 6 Nov 2018 14:22:20 +0100
Subject: [PATCH] first working version
---
 CHANGELOG.md | 5 ++++
 PasswordVerifier.php | 56 ++++++++++++++++++++++++++++++++++++++++++++
 README.md | 7 ++++++
 docs/faq.md | 5 ++++
 lang/de.json | 6 +++++
 lang/en.json | 6 +++++
 plugin.json | 29 +++++++++++++++++++++++
 screenshots/.gitkeep | 0
 8 files changed, 114 insertions(+)
 create mode 100644 CHANGELOG.md
 create mode 100644 PasswordVerifier.php
 create mode 100644 README.md
 create mode 100644 docs/faq.md
 create mode 100644 lang/de.json
 create mode 100644 lang/en.json
 create mode 100644 plugin.json
 create mode 100644 screenshots/.gitkeep
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..60d487c
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,5 @@
+## Changelog
+
+#### 0.1.0
+
+first working version
diff --git a/PasswordVerifier.php b/PasswordVerifier.php
new file mode 100644
index 0000000..0ae2fa7
--- /dev/null
+++ b/PasswordVerifier.php
@@ -0,0 +1,56 @@
+ 'verifyPassword'
+ );
+ }
+
+ public function verifyPassword($password) {
+ $hash = strtoupper(sha1($password));
+ $prefix = substr($hash, 0, 5);
+ $suffix = substr($hash, 5);
+ $url = 'https://api.pwnedpasswords.com/range/' . $prefix;
+
+
+ try {
+ $response = Http::sendHttpRequest($url, $timeout = 10);
+ } catch (\Exception $e) {
+ $logger = StaticContainer::getContainer()->get('Psr\Log\LoggerInterface');
+ $logger->warning("Can't reach haveibeenpwned.com");
+ $logger->warning($e->getMessage());
+ throw new Exception(Piwik::translate("PasswordVerifier_CantReachAPI"));
+ }
+ $hashes = [];
+ if (strpos($response, $suffix) === false) {
+ return true;
+ }
+ foreach (explode("\n", $response) as $hash) {
+ $split = explode(":", $hash);
+ $hashes[$split[0]] = (int)$split[1];
+ }
+
+ if (empty($hashes[$suffix])) {
+ return true;
+ }
+ throw new \Exception(Piwik::translate('PasswordVerifier_PasswordFoundInDb', $hashes[$suffix]));
+ }
+}
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b6665f1
--- /dev/null
+++ b/README.md
@@ -0,0 +1,7 @@
+# Matomo PasswordVerifier Plugin
+
+## Description
+
+This plugin sends the first 5 characters of the SHA1 hash of the password to the [haveibeenpwned.com database](https://haveibeenpwned.com/Passwords) of over 500 million passwords exposed in data breaches. If the password is found, Matomo rejects it and asks the user to use a more secure password.
+
+This plugin only acts on passwords changes and can't access existing passwords as they are stored securely hashed by Matomo.
diff --git a/docs/faq.md b/docs/faq.md
new file mode 100644
index 0000000..1374e52
--- /dev/null
+++ b/docs/faq.md
@@ -0,0 +1,5 @@
+## FAQ
+
+__This plugin is rejecting too many passwords. Can I set a threshold of occurances required to reject a password?__
+
+Not yet, but it would be very easy to add. If you are interested, just contact me.
diff --git a/lang/de.json b/lang/de.json
new file mode 100644
index 0000000..a1f4c4f
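Review bot: The catch block throws `new Exception(...)` while the found-in-database path at the end of verifyPassword throws `new \Exception(...)`; unless the file head (outside the visible part of this hunk) imports `Exception`, the unqualified name resolves inside the plugin namespace and the API-unreachable path dies with a class-not-found error instead of the translated message, so both should read `throw new \Exception(Piwik::translate(...))`. The parsing loop also indexes `$split[1]` unconditionally, so an empty trailing line in the range response (`explode(':', '')` yields a single element) triggers an undefined-index notice; add `if (count($split) < 2) { continue; }` after the split, or trim the response first. `Http::sendHttpRequest($url, $timeout = 10)` assigns a throwaway local inside the argument list; pass `10` directly or a named constant. The method has no docblock and no types; `public function verifyPassword(string $password): bool` with a docblock stating that only the first five characters of the uppercase SHA-1 hash leave the server, that it returns true when the suffix is absent from the range response, and that it throws both when the password is found and when the API cannot be reached (so an outage blocks password changes, i.e. fail-closed) would make the contract explicit. The class header and the hook registration that references `'verifyPassword'` start before the visible part of the hunk.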
--- /dev/null
+++ b/lang/de.json
@@ -0,0 +1,6 @@
+{
+ "PasswordVerifier": {
+ "PasswordFoundInDb": "Das gewählte Passwort kommt %1$s Mal in der haveibeenpwned.com Datenbank vor. Bitte wählen Sie ein sicheres Passwort.",
+ "CantReachAPI": "haveibeenpwned.com ist nicht erreichbar. Bitte überprüfen Sie das Matomo Log für mehr Informationen."
+ }
+}
diff --git a/lang/en.json b/lang/en.json
new file mode 100644
index 0000000..c3aabf0
--- /dev/null
+++ b/lang/en.json
@@ -0,0 +1,6 @@
+{
+ "PasswordVerifier": {
+ "PasswordFoundInDb": "Your password occurs %1$s times in the haveibeenpwned.com database. Please choose a secure password",
+ "CantReachAPI": "Can't reach haveibeenpwned.com to verify the password. Please check the Matomo log for more information"
+ }
+}
diff --git a/plugin.json b/plugin.json
new file mode 100644
index 0000000..3dfac6f
--- /dev/null
+++ b/plugin.json
@@ -0,0 +1,29 @@
+{
+ "name": "PasswordVerifier",
+ "description": "Reject insecure passwords by searching for their hash in the haveibeenpwned.com database",
+ "version": "0.1.0",
+ "theme": false,
+ "require": {
+ "piwik": ">=3.6.1,<4.0.0-b1"
+ },
+ "authors": [
+ {
+ "name": "Lukas Winkler",
+ "email": "lukas@matomo.org",
+ "homepage": "https://lw1.at"
+ }
+ ],
+ "support": {
+ "email": "lukas@matomo.org",
+ "issues": "https://github.com/Findus23/plugin-PasswordVerifier/issues",
+ "forum": "https://forum.matomo.org",
+ "source": "https://github.com/Findus23/plugin-PasswordVerifier"
+ },
+ "homepage": "https://lw1.at",
+ "license": "GPL v3+",
+ "keywords": [
+ "security",
+ "passwords",
+ "haveibeenpwned"
+ ]
+}
diff --git a/screenshots/.gitkeep b/screenshots/.gitkeep
new file mode 100644
index 0000000..e69de29