Update to use HIBP's anonymous endpoint

andrewlock / PwnedPasswords

An ASP.NET Core Identity validator that checks for PwnedPasswords

MIT License

103 stars 12 forks source link

Update to use HIBP's anonymous endpoint #5

Closed mattlorimor closed 6 years ago

mattlorimor commented 6 years ago

Troy has disabled the ability to search by password. This PR changes the pwned password API check to use the anonymous endpoint Troy has set up. This change is desirable because:

The full password to be checked is no longer transferred across the wire.
The new endpoint has no rate limiting.

andrewlock commented 6 years ago

Hi @mattlorimor, thanks for the PR, I've been meaning to update this for a while! Fixing #2 is definitely a bonus 👍 The changes look great, I've just tweaked a couple of things around logging.

andrewlock commented 6 years ago

Out of interest, how are you using this package? Just realised I haven't actually pushed a first release up to NuGet yet...

I'm thinking of refactoring if for 2.1 to use the new IHttpClientFactory stuff. new-ing up the HttpClient like it does currently is a bit messy

mattlorimor commented 6 years ago

Out of interest, how are you using this package? Just realised I haven't actually pushed a first release up to NuGet yet...

I'm not, actually. I just made a list of projects the other day that looked like they were going to be impacted by Troy shutting off the old endpoint and have started to pick through them.

That said, this project is kickass. If I were still doing web dev in Microsoft land, I'd be looking to use this for sure.

andrewlock commented 6 years ago

Oh wow, kudos man! Well, I appreciate it 🙂