// Package hibp provides Go binding to all 3 APIs of the "Have I Been Pwned" by Troy Hunt package hibp import ( "bytes" "crypto/tls" "errors" "fmt" "io" "log" "net/http" "net/url" "time" ) // Version represents the version of this package const Version = "1.0.5" // BaseURL is the base URL for the majority of API calls const BaseURL = "https://haveibeenpwned.com/api/v3" // DefaultUserAgent defines the default UA string for the HTTP client // Currently the URL in the UA string is comment out, as there is a bug in the HIBP API // not allowing multiple slashes const DefaultUserAgent = `go-hibp/` + Version + ` (+https://github.com/wneessen/go-hibp)` // DefaultTimeout is the default timeout value for the HTTP client const DefaultTimeout = time.Second * 5 // List of common errors var ( // ErrNoAccountID is returned if no account ID is given to the corresponding API method ErrNoAccountID = errors.New("no account ID given") // ErrNoName is returned if no name is given to the corresponding API method ErrNoName = errors.New("no name given") // ErrNonPositiveResponse should be returned if a HTTP request failed with a non HTTP-200 status ErrNonPositiveResponse = errors.New("non HTTP-200 response for HTTP request") ) // Client is the HIBP client object type Client struct { hc *http.Client // HTTP client to perform the API requests to time.Duration // HTTP client timeout ak string // HIBP API key ua string // User agent string for the HTTP client // If set to true, the HTTP client will sleep instead of failing in case the HTTP 429 // rate limit hits a request rlSleep bool PwnedPassAPI *PwnedPassAPI // Reference to the PwnedPassAPI API PwnedPassAPIOpts *PwnedPasswordOptions // Additional options for the PwnedPassAPI API BreachAPI *BreachAPI // Reference to the BreachAPI PasteAPI *PasteAPI // Reference to the PasteAPI } // Option is a function that is used for grouping of Client options. type Option func(*Client) // New creates and returns a new HIBP client object func New(options ...Option) Client { c := Client{} // Set defaults c.to = DefaultTimeout c.PwnedPassAPIOpts = &PwnedPasswordOptions{} c.ua = DefaultUserAgent // Set additional options for _, opt := range options { if opt == nil { continue } opt(&c) } // Add a http client to the Client object c.hc = httpClient(c.to) // Associate the different HIBP service APIs with the Client c.PwnedPassAPI = &PwnedPassAPI{hibp: &c} c.BreachAPI = &BreachAPI{hibp: &c} c.PasteAPI = &PasteAPI{hibp: &c} return c } // WithHTTPTimeout overrides the default http client timeout func WithHTTPTimeout(t time.Duration) Option { return func(c *Client) { c.to = t } } // WithAPIKey set the optional API key to the Client object func WithAPIKey(k string) Option { return func(c *Client) { c.ak = k } } // WithPwnedPadding enables padding-mode for the PwnedPasswords API client func WithPwnedPadding() Option { return func(c *Client) { c.PwnedPassAPIOpts.WithPadding = true } } // WithUserAgent sets a custom user agent string for the HTTP client func WithUserAgent(a string) Option { if a == "" { return nil } return func(c *Client) { c.ua = a } } // WithRateLimitSleep let's the HTTP client sleep in case the API rate limiting hits (Defaults to fail) func WithRateLimitSleep() Option { return func(c *Client) { c.rlSleep = true } } // HTTPReq performs an HTTP request to the corresponding API func (c *Client) HTTPReq(m, p string, q map[string]string) (*http.Request, error) { u, err := url.Parse(p) if err != nil { return nil, err } if m == http.MethodGet { uq := u.Query() for k, v := range q { uq.Add(k, v) } u.RawQuery = uq.Encode() } hr, err := http.NewRequest(m, u.String(), nil) if err != nil { return nil, err } if m == http.MethodPost { pd := url.Values{} for k, v := range q { pd.Add(k, v) } rb := io.NopCloser(bytes.NewBufferString(pd.Encode())) hr.Body = rb } hr.Header.Set("Accept", "application/json") hr.Header.Set("user-agent", c.ua) if c.ak != "" { hr.Header.Set("hibp-api-key", c.ak) } if c.PwnedPassAPIOpts.WithPadding { hr.Header.Set("Add-Padding", "true") } return hr, nil } // HTTPResBody performs the API call to the given path and returns the response body as byte array func (c *Client) HTTPResBody(m string, p string, q map[string]string) ([]byte, *http.Response, error) { hreq, err := c.HTTPReq(m, p, q) if err != nil { return nil, nil, err } hr, err := c.hc.Do(hreq) if err != nil { return nil, hr, err } defer func() { _ = hr.Body.Close() }() hb, err := io.ReadAll(hr.Body) if err != nil { return nil, hr, err } if hr.StatusCode == 429 && c.rlSleep { headerDelay := hr.Header.Get("Retry-After") delayTime, err := time.ParseDuration(headerDelay + "s") if err != nil { return nil, hr, err } log.Printf("API rate limit hit. Retrying request in %s", delayTime.String()) time.Sleep(delayTime) return c.HTTPResBody(m, p, q) } if hr.StatusCode != 200 { return nil, hr, fmt.Errorf("HTTP %s: %w", hr.Status, ErrNonPositiveResponse) } return hb, hr, nil } // httpClient returns a custom http client for the HIBP Client object func httpClient(to time.Duration) *http.Client { tc := &tls.Config{ MaxVersion: tls.VersionTLS13, MinVersion: tls.VersionTLS12, } ht := &http.Transport{TLSClientConfig: tc} hc := &http.Client{ Transport: ht, Timeout: DefaultTimeout, } if to.Nanoseconds() > 0 { hc.Timeout = to } return hc }