Password checker

composer.json

@@ -41,7 +41,8 @@
         "slim/twig-view": "^2.2",
         "techwilk/twig-linewrap": "^1.0",
         "techwilk/twig-slim-csrf": "^1.0",
-        "twig/extensions": "^1.4"
+        "twig/extensions": "^1.4",
+        "divineomega/password_exposed": "^2.3"
     },
     "autoload": {
         "psr-4": {
@@ -65,4 +66,4 @@
             "Tests\\": "tests/"
         }
     }
-}
+}

generated-classes/TechWilk/Rota/User.php

@@ -3,6 +3,9 @@
 namespace TechWilk\Rota;
 
 use DateTime;
+use DivineOmega\PasswordExposed\PasswordExposedChecker;
+use DivineOmega\PasswordExposed\PasswordStatus;
+use Exception;
 use Propel\Runtime\ActiveQuery\Criteria;
 use TechWilk\Rota\Authoriser\UserAuthoriser;
 use TechWilk\Rota\Base\User as BaseUser;
@@ -68,10 +71,16 @@ public function setPassword($v)
             $v = (string) $v;
         }
 
+        $exposedChecker = new PasswordExposedChecker();
+
+        if ($exposedChecker->passwordExposed($v) === PasswordStatus::EXPOSED) {
+            throw new Exception('Password exposed in recent data breach.');
+        }
+
         if (!password_verify($v, $this->password)) {
             $bcrypt_options = [
-        'cost' => 12,
-      ];
+                'cost' => 12,
+            ];
             $this->password = password_hash($v, PASSWORD_BCRYPT, $bcrypt_options);
 
             $this->modifiedColumns[UserTableMap::COL_PASSWORD] = true;

src/classes/Controller/UserController.php

@@ -2,6 +2,7 @@
 
 namespace TechWilk\Rota\Controller;
 
+use Exception;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use TechWilk\Rota\Crypt;
@@ -186,8 +187,14 @@ public function postUserPasswordChange(ServerRequestInterface $request, Response
             return $this->view->render($response, 'user-password.twig', ['user' => $u, 'message' => $message]);
         }
 
-        $u->setPassword($new);
-        $u->save();
+        try {
+            $u->setPassword($new);
+            $u->save();
+        } catch (Exception $e) {
+            $message = 'Password has been exposed in a recent data breach. For your safety, we check all passwords against data breaches from other organisations and prevent you from using passwords which have been leaked. If you use this password for any other account, we strongly advise you change it immediately.';
+
+            return $this->view->render($response, 'user-password.twig', ['user' => $u, 'message' => $message]);
+        }
 
         return $response->withStatus(303)->withHeader('Location', $this->router->pathFor('user', ['id' => $u->getId()]));
     }