I’m working on password strength in my Yii 1.1 app. I’m using the haveibeenpwned API.
If the password is not accepted, what can I do to run the routine again?
If the password is accepted, what can I do to return to $user->save()?
This is my helper file (PasswordHelper.php):
public static function passwordCheck($password)
{
if ($password) {
// sha1 hash of new password
$hash = sha1($password, false);
// character 0-4 of new password
$prefix = strtoupper(substr($hash, 0, 5));
// character 5-39 of new password
$suffix = strtoupper(substr($hash, 5, 35));
// API url
$url = “https://api.pwnedpasswords.com/range/” . $prefix;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 300);
curl_setopt($ch, CURLOPT_TIMEOUT, 500);
$result = curl_exec($ch);
// Change the result from string to array, split it by every line
$result = explode("\n", $result);
foreach ($result as $r) {
$r = explode(":", $r);
if ($r[0] == $suffix) {
return Yii::app()->systemMsg->raiseError(Yii::t('validators', 'NOT_APPROVED_PASSWORD'));
}
}
curl_close($ch);
}
}
}
And this is part of the controller file:
if ($user->newPassword) {
$password = $user->newPassword;
PasswordHelper::passwordCheck($password);
}
if ( $user->save() ) {
Yii::app()->systemMsg->raiseSuccess( Yii::t( 'validators', 'SAVE_SUCCESS' ) );
$redirectUrl = Yii::app()->input->get( 'return', $this->module->returnUrl );
$this->redirect( $redirectUrl );
}
else {
Yii::app()->systemMsg->raiseError( Yii::t( 'validators', 'SAVE_ERROR' ) );
$this->setModel( $user );
$this->actionEdit( $user->id );
}