go-hibp/hibp.go

package hibp

import (
	"bytes"
	"crypto/tls"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/url"
	"time"
)

// Version represents the version of this package
const Version = "1.0.1"

// BaseUrl is the base URL for the majority of API calls
const BaseUrl = "https://haveibeenpwned.com/api/v3"

// DefaultUserAgent defines the default UA string for the HTTP client
// Currently the URL in the UA string is comment out, as there is a bug in the HIBP API
// not allowing multiple slashes
const DefaultUserAgent = `go-hibp v` + Version + ` (https://github.com/wneessen/go-hibp)`

// Client is the HIBP client object
type Client struct {
	hc *http.Client  // HTTP client to perform the API requests
	to time.Duration // HTTP client timeout
	ak string        // HIBP API key
	ua string        // User agent string for the HTTP client

	// If set to true, the HTTP client will sleep instead of failing in case the HTTP 429
	// rate limit hits a request
	rlSleep bool

	PwnedPassApi     *PwnedPassApi         // Reference to the PwnedPassApi API
	PwnedPassApiOpts *PwnedPasswordOptions // Additional options for the PwnedPassApi API

	BreachApi *BreachApi // Reference to the BreachApi
	PasteApi  *PasteApi  // Reference to the PasteApi
}

// Option is a function that is used for grouping of Client options.
type Option func(*Client)

// New creates and returns a new HIBP client object
func New(options ...Option) Client {
	c := Client{}

	// Set defaults
	c.to = time.Second * 5
	c.PwnedPassApiOpts = &PwnedPasswordOptions{}
	c.ua = DefaultUserAgent

	// Set additional options
	for _, opt := range options {
		if opt == nil {
			continue
		}
		opt(&c)
	}

	// Add a http client to the Client object
	c.hc = httpClient(c.to)

	// Associate the different HIBP service APIs with the Client
	c.PwnedPassApi = &PwnedPassApi{hibp: &c}
	c.BreachApi = &BreachApi{hibp: &c}
	c.PasteApi = &PasteApi{hibp: &c}

	return c
}

// WithHttpTimeout overrides the default http client timeout
func WithHttpTimeout(t time.Duration) Option {
	return func(c *Client) {
		c.to = t
	}
}

// WithApiKey set the optional API key to the Client object
func WithApiKey(k string) Option {
	return func(c *Client) {
		c.ak = k
	}
}

// WithPwnedPadding enables padding-mode for the PwnedPasswords API client
func WithPwnedPadding() Option {
	return func(c *Client) {
		c.PwnedPassApiOpts.WithPadding = true
	}
}

// WithUserAgent sets a custom user agent string for the HTTP client
func WithUserAgent(a string) Option {
	if a == "" {
		return nil
	}
	return func(c *Client) {
		c.ua = a
	}
}

// WithRateLimitSleep let's the HTTP client sleep in case the API rate limiting hits (Defaults to fail)
func WithRateLimitSleep() Option {
	return func(c *Client) {
		c.rlSleep = true
	}
}

// HttpReq performs an HTTP request to the corresponding API
func (c *Client) HttpReq(m, p string, q map[string]string) (*http.Request, error) {
	u, err := url.Parse(p)
	if err != nil {
		return nil, err
	}

	if m == http.MethodGet {
		uq := u.Query()
		for k, v := range q {
			uq.Add(k, v)
		}
		u.RawQuery = uq.Encode()
	}

	hr, err := http.NewRequest(m, u.String(), nil)
	if err != nil {
		return nil, err
	}

	if m == http.MethodPost {
		pd := url.Values{}
		for k, v := range q {
			pd.Add(k, v)
		}

		rb := io.NopCloser(bytes.NewBufferString(pd.Encode()))
		hr.Body = rb
	}

	hr.Header.Set("Accept", "application/json")
	hr.Header.Set("user-agent", c.ua)
	if c.ak != "" {
		hr.Header.Set("hibp-api-key", c.ak)
	}
	if c.PwnedPassApiOpts.WithPadding {
		hr.Header.Set("Add-Padding", "true")
	}

	return hr, nil
}

// HttpResBody performs the API call to the given path and returns the response body as byte array
func (c *Client) HttpResBody(m string, p string, q map[string]string) ([]byte, *http.Response, error) {
	hreq, err := c.HttpReq(m, p, q)
	if err != nil {
		return nil, nil, err
	}
	hr, err := c.hc.Do(hreq)
	if err != nil {
		return nil, hr, err
	}
	defer func() {
		_ = hr.Body.Close()
	}()

	hb, err := io.ReadAll(hr.Body)
	if err != nil {
		return nil, hr, err
	}

	if hr.StatusCode == 429 && c.rlSleep {
		headerDelay := hr.Header.Get("Retry-After")
		delayTime, err := time.ParseDuration(headerDelay + "s")
		if err != nil {
			return nil, hr, err
		}
		log.Printf("API rate limit hit. Retrying request in %s", delayTime.String())
		time.Sleep(delayTime)
		return c.HttpResBody(m, p, q)
	}

	if hr.StatusCode != 200 {
		return nil, hr, fmt.Errorf("API responded with non HTTP-200: %s - %s", hr.Status, hb)
	}

	return hb, hr, nil
}

// httpClient returns a custom http client for the HIBP Client object
func httpClient(to time.Duration) *http.Client {
	tlsConfig := &tls.Config{
		MaxVersion: tls.VersionTLS13,
		MinVersion: tls.VersionTLS12,
	}
	httpTransport := &http.Transport{TLSClientConfig: tlsConfig}
	httpClient := &http.Client{
		Transport: httpTransport,
		Timeout:   5 * time.Second,
	}
	if to.Nanoseconds() > 0 {
		httpClient.Timeout = to
	}

	return httpClient
}
v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`package hibp`
Initial checkin 2021-09-19 18:10:12 +02:00
			`import (`
Introducing the breaches API So far only the "list all breaches" API is implemented, though 2021-09-21 19:46:48 +02:00			`"bytes"`
v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`"crypto/tls"`
Moved apiCall() from breach to hibp. Also introduced rate limit handling 2021-09-22 15:00:29 +02:00			`"fmt"`
Introducing the breaches API So far only the "list all breaches" API is implemented, though 2021-09-21 19:46:48 +02:00			`"io"`
Moved apiCall() from breach to hibp. Also introduced rate limit handling 2021-09-22 15:00:29 +02:00			`"log"`
Initial checkin 2021-09-19 18:10:12 +02:00			`"net/http"`
v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`"net/url"`
Initial checkin 2021-09-19 18:10:12 +02:00			`"time"`
			`)`

v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`// Version represents the version of this package`
Fixed DefaultUserAgent after clarification with Troy Hunt 2021-09-24 08:48:11 +02:00			`const Version = "1.0.1"`
Initial checkin 2021-09-19 18:10:12 +02:00
Added breaches 2021-09-21 18:21:23 +02:00			`// BaseUrl is the base URL for the majority of API calls`
			`const BaseUrl = "https://haveibeenpwned.com/api/v3"`

Added BreachedAccount() to breaches API Also added WithUserAgent() to the HIBP client for custom UA configuration 2021-09-22 13:59:22 +02:00			`// DefaultUserAgent defines the default UA string for the HTTP client`
			`// Currently the URL in the UA string is comment out, as there is a bug in the HIBP API`
			`// not allowing multiple slashes`
Fixed DefaultUserAgent after clarification with Troy Hunt 2021-09-24 08:48:11 +02:00			const DefaultUserAgent = `go-hibp v` + Version + ` (https://github.com/wneessen/go-hibp)`
Added BreachedAccount() to breaches API Also added WithUserAgent() to the HIBP client for custom UA configuration 2021-09-22 13:59:22 +02:00
v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`// Client is the HIBP client object`
			`type Client struct {`
More idiomatic naming for the rate limit handling 2021-09-22 15:25:27 +02:00			`hc *http.Client // HTTP client to perform the API requests`
			`to time.Duration // HTTP client timeout`
			`ak string // HIBP API key`
			`ua string // User agent string for the HTTP client`

			`// If set to true, the HTTP client will sleep instead of failing in case the HTTP 429`
			`// rate limit hits a request`
			`rlSleep bool`
Initial checkin 2021-09-19 18:10:12 +02:00
Added breaches 2021-09-21 18:21:23 +02:00			`PwnedPassApi *PwnedPassApi // Reference to the PwnedPassApi API`
			`PwnedPassApiOpts *PwnedPasswordOptions // Additional options for the PwnedPassApi API`

Road to v1.0.0: Added Pastes API 2021-09-22 16:20:54 +02:00			`BreachApi *BreachApi // Reference to the BreachApi`
			`PasteApi *PasteApi // Reference to the PasteApi`
v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`}`

			`// Option is a function that is used for grouping of Client options.`
			`type Option func(*Client)`

			`// New creates and returns a new HIBP client object`
Makes no sense to return a Client pointer. Also cleaned up examples directory 2021-09-22 15:46:36 +02:00			`func New(options ...Option) Client {`
			`c := Client{}`
v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00
			`// Set defaults`
			`c.to = time.Second * 5`
Added breaches 2021-09-21 18:21:23 +02:00			`c.PwnedPassApiOpts = &PwnedPasswordOptions{}`
Added BreachedAccount() to breaches API Also added WithUserAgent() to the HIBP client for custom UA configuration 2021-09-22 13:59:22 +02:00			`c.ua = DefaultUserAgent`
v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00
			`// Set additional options`
			`for _, opt := range options {`
Added BreachedAccount() to breaches API Also added WithUserAgent() to the HIBP client for custom UA configuration 2021-09-22 13:59:22 +02:00			`if opt == nil {`
			`continue`
			`}`
Makes no sense to return a Client pointer. Also cleaned up examples directory 2021-09-22 15:46:36 +02:00			`opt(&c)`
v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`}`

			`// Add a http client to the Client object`
			`c.hc = httpClient(c.to)`

			`// Associate the different HIBP service APIs with the Client`
Makes no sense to return a Client pointer. Also cleaned up examples directory 2021-09-22 15:46:36 +02:00			`c.PwnedPassApi = &PwnedPassApi{hibp: &c}`
			`c.BreachApi = &BreachApi{hibp: &c}`
Road to v1.0.0: Added Pastes API 2021-09-22 16:20:54 +02:00			`c.PasteApi = &PasteApi{hibp: &c}`
v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00
			`return c`
			`}`

			`// WithHttpTimeout overrides the default http client timeout`
			`func WithHttpTimeout(t time.Duration) Option {`
			`return func(c *Client) {`
			`c.to = t`
			`}`
			`}`

			`// WithApiKey set the optional API key to the Client object`
			`func WithApiKey(k string) Option {`
			`return func(c *Client) {`
			`c.ak = k`
			`}`
			`}`

Added breaches 2021-09-21 18:21:23 +02:00			`// WithPwnedPadding enables padding-mode for the PwnedPasswords API client`
			`func WithPwnedPadding() Option {`
			`return func(c *Client) {`
			`c.PwnedPassApiOpts.WithPadding = true`
			`}`
			`}`

Added BreachedAccount() to breaches API Also added WithUserAgent() to the HIBP client for custom UA configuration 2021-09-22 13:59:22 +02:00			`// WithUserAgent sets a custom user agent string for the HTTP client`
			`func WithUserAgent(a string) Option {`
			`if a == "" {`
Fix code smell in WithUserAgent() option detected by SonarQube 2022-04-12 22:52:24 +02:00			`return nil`
Added BreachedAccount() to breaches API Also added WithUserAgent() to the HIBP client for custom UA configuration 2021-09-22 13:59:22 +02:00			`}`
			`return func(c *Client) {`
			`c.ua = a`
			`}`
			`}`

More idiomatic naming for the rate limit handling 2021-09-22 15:25:27 +02:00			`// WithRateLimitSleep let's the HTTP client sleep in case the API rate limiting hits (Defaults to fail)`
			`func WithRateLimitSleep() Option {`
Moved apiCall() from breach to hibp. Also introduced rate limit handling 2021-09-22 15:00:29 +02:00			`return func(c *Client) {`
More idiomatic naming for the rate limit handling 2021-09-22 15:25:27 +02:00			`c.rlSleep = true`
Moved apiCall() from breach to hibp. Also introduced rate limit handling 2021-09-22 15:00:29 +02:00			`}`
			`}`

v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`// HttpReq performs an HTTP request to the corresponding API`
Introducing the breaches API So far only the "list all breaches" API is implemented, though 2021-09-21 19:46:48 +02:00			`func (c Client) HttpReq(m, p string, q map[string]string) (http.Request, error) {`
v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`u, err := url.Parse(p)`
			`if err != nil {`
			`return nil, err`
			`}`

Introducing the breaches API So far only the "list all breaches" API is implemented, though 2021-09-21 19:46:48 +02:00			`if m == http.MethodGet {`
			`uq := u.Query()`
			`for k, v := range q {`
			`uq.Add(k, v)`
			`}`
			`u.RawQuery = uq.Encode()`
			`}`

v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`hr, err := http.NewRequest(m, u.String(), nil)`
Initial checkin 2021-09-19 18:10:12 +02:00			`if err != nil {`
v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`return nil, err`
			`}`
Introducing the breaches API So far only the "list all breaches" API is implemented, though 2021-09-21 19:46:48 +02:00
			`if m == http.MethodPost {`
			`pd := url.Values{}`
			`for k, v := range q {`
			`pd.Add(k, v)`
			`}`

			`rb := io.NopCloser(bytes.NewBufferString(pd.Encode()))`
			`hr.Body = rb`
			`}`

v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`hr.Header.Set("Accept", "application/json")`
Added BreachedAccount() to breaches API Also added WithUserAgent() to the HIBP client for custom UA configuration 2021-09-22 13:59:22 +02:00			`hr.Header.Set("user-agent", c.ua)`
v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`if c.ak != "" {`
Added breaches 2021-09-21 18:21:23 +02:00			`hr.Header.Set("hibp-api-key", c.ak)`
			`}`
			`if c.PwnedPassApiOpts.WithPadding {`
			`hr.Header.Set("Add-Padding", "true")`
Initial checkin 2021-09-19 18:10:12 +02:00			`}`

v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`return hr, nil`
			`}`

More idiomatic naming for the rate limit handling 2021-09-22 15:25:27 +02:00			`// HttpResBody performs the API call to the given path and returns the response body as byte array`
			`func (c Client) HttpResBody(m string, p string, q map[string]string) ([]byte, http.Response, error) {`
Moved apiCall() from breach to hibp. Also introduced rate limit handling 2021-09-22 15:00:29 +02:00			`hreq, err := c.HttpReq(m, p, q)`
			`if err != nil {`
			`return nil, nil, err`
			`}`
			`hr, err := c.hc.Do(hreq)`
			`if err != nil {`
			`return nil, hr, err`
			`}`
			`defer func() {`
			`_ = hr.Body.Close()`
			`}()`

			`hb, err := io.ReadAll(hr.Body)`
			`if err != nil {`
			`return nil, hr, err`
			`}`

More idiomatic naming for the rate limit handling 2021-09-22 15:25:27 +02:00			`if hr.StatusCode == 429 && c.rlSleep {`
Moved apiCall() from breach to hibp. Also introduced rate limit handling 2021-09-22 15:00:29 +02:00			`headerDelay := hr.Header.Get("Retry-After")`
			`delayTime, err := time.ParseDuration(headerDelay + "s")`
			`if err != nil {`
			`return nil, hr, err`
			`}`
			`log.Printf("API rate limit hit. Retrying request in %s", delayTime.String())`
			`time.Sleep(delayTime)`
More idiomatic naming for the rate limit handling 2021-09-22 15:25:27 +02:00			`return c.HttpResBody(m, p, q)`
Moved apiCall() from breach to hibp. Also introduced rate limit handling 2021-09-22 15:00:29 +02:00			`}`

			`if hr.StatusCode != 200 {`
			`return nil, hr, fmt.Errorf("API responded with non HTTP-200: %s - %s", hr.Status, hb)`
			`}`

			`return hb, hr, nil`
			`}`

v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`// httpClient returns a custom http client for the HIBP Client object`
			`func httpClient(to time.Duration) *http.Client {`
			`tlsConfig := &tls.Config{`
			`MaxVersion: tls.VersionTLS13,`
			`MinVersion: tls.VersionTLS12,`
			`}`
			`httpTransport := &http.Transport{TLSClientConfig: tlsConfig}`
			`httpClient := &http.Client{`
			`Transport: httpTransport,`
			`Timeout: 5 * time.Second,`
Initial checkin 2021-09-19 18:10:12 +02:00			`}`
v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`if to.Nanoseconds() > 0 {`
			`httpClient.Timeout = to`
Initial checkin 2021-09-19 18:10:12 +02:00			`}`

v0.1.1: Complete refactor 2021-09-21 11:21:04 +02:00			`return httpClient`
Initial checkin 2021-09-19 18:10:12 +02:00			`}`