From 515b87755a35b35afd8d8a7cf72996a518f82c17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Garc=C3=ADa?=
Date: Tue, 20 Aug 2019 20:07:12 +0200
Subject: [PATCH] Update HIBP to v3, requires paid API key, fixes #583

---
 src/api/core/mod.rs | 33 ++++++++++++++++++++++++---------
 src/api/web.rs | 10 +++++-----
 src/config.rs | 3 +++
 src/static/images/error-x.svg | 6 ++++++
 4 files changed, 38 insertions(+), 14 deletions(-)
 create mode 100644 src/static/images/error-x.svg

diff --git a/src/api/core/mod.rs b/src/api/core/mod.rs
index 6be0f9c1..dd5fe284 100644
--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@@ -132,18 +132,33 @@ fn put_eq_domains(data: JsonUpcase, headers: Headers, conn: DbC
 #[get("/hibp/breach?")]
 fn hibp_breach(username: String) -> JsonResult {
- let url = format!("https://haveibeenpwned.com/api/v2/breachedaccount/{}", username);
 let user_agent = "Bitwarden_RS";
+ let url = format!(
+ "https://haveibeenpwned.com/api/v3/breachedaccount/{}?truncateResponse=false&includeUnverified=false",
+ username
+ );
 use reqwest::{header::USER_AGENT, Client};
- let res = Client::new().get(&url).header(USER_AGENT, user_agent).send()?;
-
- // If we get a 404, return a 404, it means no breached accounts
- if res.status() == 404 {
- return Err(Error::empty().with_code(404));
+ if let Some(api_key) = crate::CONFIG.hibp_api_key() {
+ let res = Client::new()
+ .get(&url)
+ .header(USER_AGENT, user_agent)
+ .header("hibp-api-key", api_key)
+ .send()?;
+
+ // If we get a 404, return a 404, it means no breached accounts
+ if res.status() == 404 {
+ return Err(Error::empty().with_code(404));
+ }
+
+ let value: Value = res.error_for_status()?.json()?;
+ Ok(Json(value))
+ } else {
+ Ok(Json(json!([{
+ "title": "--- Error! ---",
+ "description": "HaveIBeenPwned API key not set! Go to https://haveibeenpwned.com/API/Key",
+ "logopath": "/bwrs_images/error-x.svg"
+ }])))
 }
-
- let value: Value = res.error_for_status()?.json()?;
- Ok(Json(value))
 }
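Review bot: In the new `let url = format!(...)` the route's `username` is spliced raw into the path, so a value containing `/`, `?`, `#` or `&` rewrites the request before it reaches haveibeenpwned.com (a `#` drops the `truncateResponse`/`includeUnverified` query entirely, a `/` addresses a different path), and addresses with `+` or non-ASCII characters are not reliably encoded either. Build the URL with reqwest's re-exported `Url`, push the username as a single encoded path segment and add the two query parameters through `query_pairs_mut()`, then send with `.get(url)`. Whether `Url` parse errors convert into this file's `Error` via `?` is not visible here, so the base URL below is a static literal guarded by `expect`. Separately, the `else` branch answers a missing key with a 200 and a synthetic breach record, so clients cannot distinguish a configuration failure from a real hit; that is a product choice rather than a defect, but worth a comment.
```rust
    let user_agent = "Bitwarden_RS";
    // Encode the username as one path segment so that '/', '?', '#' or '&'
    // in the input cannot alter the path or the query of the HIBP request.
    let mut url = reqwest::Url::parse("https://haveibeenpwned.com/api/v3/breachedaccount/")
        .expect("static HIBP base URL is valid");
    url.path_segments_mut()
        .expect("https URLs always have a path")
        .push(&username);
    url.query_pairs_mut()
        .append_pair("truncateResponse", "false")
        .append_pair("includeUnverified", "false");
    // … unchanged: reqwest imports, api-key check …
        let res = Client::new()
            .get(url)
            // … unchanged: user-agent and api-key headers, send, 404 handling, JSON decode, missing-key branch …
```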
diff --git a/src/api/web.rs b/src/api/web.rs
index 6185c32b..106dca79 100644
--- a/src/api/web.rs
+++ b/src/api/web.rs
@@ -65,11 +65,11 @@ fn alive() -> Json {
 }
 #[get("/bwrs_images/")]
-fn images(filename: String) -> Result>, Error> {
- let image_type = ContentType::new("image", "png");
+fn images(filename: String) -> Result, Error> {
 match filename.as_ref() {
- "mail-github.png" => Ok(Content(image_type , include_bytes!("../static/images/mail-github.png").to_vec())),
- "logo-gray.png" => Ok(Content(image_type, include_bytes!("../static/images/logo-gray.png").to_vec())),
- _ => err!("Image not found")
+ "mail-github.png" => Ok(Content(ContentType::PNG, include_bytes!("../static/images/mail-github.png"))),
+ "logo-gray.png" => Ok(Content(ContentType::PNG, include_bytes!("../static/images/logo-gray.png"))),
+ "error-x.svg" => Ok(Content(ContentType::SVG, include_bytes!("../static/images/error-x.svg"))),
+ _ => err!("Image not found"),
 }
 }
\ No newline at end of file
diff --git a/src/config.rs b/src/config.rs
index eaf8127c..d97d7fa8 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -234,6 +234,9 @@ make_config! {
 /// Enable web vault
 web_vault_enabled: bool, false, def, true;
+ /// HIBP Api Key |> HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
+ hibp_api_key: String, false, option;
+
 /// Disable icon downloads |> Set to true to disable icon downloading, this would still serve icons from
 /// $ICON_CACHE_FOLDER, but it won't produce any external network request. Needs to set $ICON_CACHE_TTL to 0,
 /// otherwise it will delete them and they won't be downloaded again.
diff --git a/src/static/images/error-x.svg b/src/static/images/error-x.svg
new file mode 100644
index 00000000..108026d7
--- /dev/null
+++ b/src/static/images/error-x.svg
@@ -0,0 +1,6 @@
+
+
+
+
+
+
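Review bot: The `match filename.as_ref()` arms in `images` are the only thing keeping `/bwrs_images/` from serving anything beyond the three embedded assets, and nothing in the hunk says so; a later change that builds a filesystem path from `filename` would turn this into a traversal. Add a comment above the match, `// Allow-list: only these embedded assets are served; never build a filesystem path from `filename`.` The `images` signature is garbled in this rendering (its generic arguments are missing), so the return type could not be checked.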
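Review bot: `hibp_api_key` is a paid credential, and nothing in the added `make_config!` entry marks it as sensitive; if the macro surfaces option values anywhere (an admin page, a settings dump or a log line), the key would appear in clear, which is inferred from the macro's shape rather than from these lines and should be confirmed against the macro definition. Note the secret nature in the doc line so the next person wiring up config display knows to mask it: `/// HIBP Api Key |> HaveIBeenPwned API Key (paid credential: keep it out of logs and config dumps), request it here: https://haveibeenpwned.com/API/Key`. The enclosing `make_config!` invocation starts and ends outside the hunk.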