SkygearIO / features

Feature Tracking Repo for Skygear
Apache License 2.0

Banned password check with have I been pwned DB #235

Open chpapa opened 6 years ago

chpapa commented 6 years ago

Description

  1. When a user signs up or changes their password, and this feature is enabled, the new password will be checked against the password DB and an error thrown if the password is dangerous.
  2. When enabled, a truncated SHA hash of the password will be stored, and a periodic check could be set up to send an email notifying the CMS admin of pwned passwords; in CMS user management, all accounts with a pwned password will be highlighted.

Related info:

Portal Design

CMS Design

API Design

Remove this section if the feature has no API

Open Questions

2 seems better because:

  1. We can provide an endpoint for the open-source Skygear version to simplify the deployment of open-source versions
  2. All Skygear.io clusters can use the same service, so updating the pwned DB is easier
  3. Although a web service has higher overhead for massive checking (such as when the periodic check is enabled), this can be solved by supporting batch checking on the API.

Related Issues
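An added example (not Skygear project code) of the two checks described above: the signup-time lookup in the Have I Been Pwned Pwned Passwords range format (SHA-1, 5-hex-char prefix query, "HEXSUFFIX:COUNT" response lines), plus the per-account truncated-hash record and the periodic re-check. `SAMPLE_RANGE_RESPONSE`, `TRUNCATED_HASH_LEN` and `offline_fetch_range` are constructed stand-ins for the real lookup and storage.

```python
import hashlib
from typing import Callable, Dict, List
# Constructed sample in the HIBP Pwned Passwords range format: one "HEXSUFFIX:COUNT"
# line per SHA-1 sharing the queried 5-hex-char prefix. The counts are made up.
SAMPLE_RANGE_RESPONSE = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # rest of SHA-1("password")
        "CBFDAC6008F9CAB4083784CBD1874F76618:2",
    ]),
}
# Assumption: hex chars of the digest kept per account (the range query needs 5).
TRUNCATED_HASH_LEN = 10

def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP range lookup, served from the constructed sample."""
    return SAMPLE_RANGE_RESPONSE.get(prefix.upper(), "")

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response into {SUFFIX: count}, skipping blank or odd lines."""
    out = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            out[suffix.upper()] = int(count) if count.isdigit() else 0
    return out

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Breach count for the password (0 = not found); only the 5-char prefix is sent."""
    digest = sha1_hex(password)
    return parse_range(fetch_range(digest[:5])).get(digest[5:], 0)

class PasswordRejected(ValueError): pass

def check_new_password(password: str, fetch_range: Callable[[str], str], enabled: bool = True) -> None:
    """Signup / change-password hook (point 1): error out when the password is pwned."""
    n = pwned_count(password, fetch_range) if enabled else 0
    if n > 0:
        raise PasswordRejected(f"password appears {n} times in the pwned DB")

def truncated_hash_record(password: str) -> str:
    """Per-account value stored for the periodic check (point 2), not the password."""
    return sha1_hex(password)[:TRUNCATED_HASH_LEN]

def periodic_recheck(records: Dict[str, str], fetch_range: Callable[[str], str]) -> List[str]:
    """Accounts whose truncated hash prefix-matches a pwned entry (candidates; false positives possible)."""
    return [acct for acct, t in records.items()
            if any(s.startswith(t[5:]) for s in parse_range(fetch_range(t[:5])))]
```

Because only a truncated hash is stored, the periodic check can only prefix-match, so its hits are a candidate list for the admin notification rather than a definitive verdict.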

chpapa commented 5 years ago

Since Skygear Next will support multi-tenancy, using option 1 ("File URL / Location of Bloom-filtered DB") is as good as option 2 now (no more batch restart of Skygear instances when we update the pwned DB).