Closed brandon-carag closed 5 years ago
As far as I can tell, the API key doesn’t affect the Pwned Passwords section of the API. From the blog post:
One important distinction: this doesn't apply to the APIs that don't pull back information about an email address; the API listing all breaches in the system, for example, is not impacted by any of the changes outlined here. It can be requested with version 3 in the path, but also with previous versions of the API. Because it returns generic, non-personal data it doesn't need to be protected in the same fashion (plus it's really aggressively cached at Cloudflare). Same too for Pwned Passwords - there's absolutely zero impact on that service.
So I don’t believe anything needs to be done. Do you agree?
I think you're right; the post seems to imply a distinction between the "Have I been Pwned" service and the "Pwned Password" service. Since it sounds like there's not going to be an impending deprecation of API v1 or v2 for the "Pwned Password" service, I imagine the auth requirement won't be imposed.
Thanks for the prompt response!
No worries. I'll close this issue now, but I am going to follow up with Troy just to properly confirrm this. Will open again and fix if I'm wrong.
Didn't need to ask, someone else already had!
https://twitter.com/troyhunt/status/1151806919457329153
We're all good, no work to do.
It looks like the API will soon require users to have a paid account--Any plans to update the gem accordingly?
https://haveibeenpwned.com/API/Key