Skip to content

Commit c33c910

Browse files
committed
Cache HIBP prefix responses
1 parent 7990cb4 commit c33c910

1 file changed

Lines changed: 28 additions & 18 deletions

File tree

includes/classes/Authentication/Passwords.php

Lines changed: 28 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -424,26 +424,38 @@ protected function is_password_secure( $password ): bool {
424424
$prefix = substr( $hash, 0, 5 );
425425
$suffix = substr( $hash, 5 );
426426

427-
$cached_result = wp_cache_get( $prefix . $suffix, self::HIBP_CACHE_KEY );
427+
$cache_key = 'prefix_' . $prefix;
428+
$body = wp_cache_get( $cache_key, self::HIBP_CACHE_KEY );
428429

429-
if ( false !== $cached_result || false ) { // remove || false; only used for testing
430-
return $cached_result;
430+
if ( false === $body ) {
431+
$transient_key = self::HIBP_CACHE_KEY . '_' . strtolower( $cache_key );
432+
$body = get_transient( $transient_key );
431433
}
432434

433-
$response = wp_remote_get( self::HIBP_API_URL . $prefix, [ 'user-agent' => '10up Experience WordPress Plugin' ] );
435+
if ( false === $body ) {
436+
$response = wp_remote_get(
437+
self::HIBP_API_URL . $prefix,
438+
[
439+
'timeout' => (int) apply_filters( 'tenup_experience_hibp_request_timeout', 2 ),
440+
'user-agent' => '10up Experience WordPress Plugin',
441+
]
442+
);
434443

435-
// Allow for a failed request to the HIPB API.
436-
// Don't cache the result if the request failed.
437-
if ( is_wp_error( $response ) || wp_remote_retrieve_response_code( $response ) !== 200 ) {
438-
return true;
439-
}
444+
// Allow for a failed request to the HIBP API.
445+
// Don't cache the result if the request failed.
446+
if ( is_wp_error( $response ) || wp_remote_retrieve_response_code( $response ) !== 200 ) {
447+
return true;
448+
}
440449

441-
$body = wp_remote_retrieve_body( $response );
450+
$body = wp_remote_retrieve_body( $response );
442451

443-
// Allow for a failed request to the HIPB API.
444-
// Don't cache the result if the request failed.
445-
if ( is_wp_error( $body ) ) {
446-
return true;
452+
if ( empty( $body ) ) {
453+
return true;
454+
}
455+
456+
// Cache the prefix response only. Avoid storing full password hashes.
457+
wp_cache_set( $cache_key, $body, self::HIBP_CACHE_KEY, 4 * HOUR_IN_SECONDS );
458+
set_transient( $transient_key, $body, 4 * HOUR_IN_SECONDS );
447459
}
448460

449461
$lines = explode( "\r\n", $body );
@@ -452,14 +464,12 @@ protected function is_password_secure( $password ): bool {
452464
$parts = explode( ':', $line );
453465

454466
// If the suffix is found in the response, the password may be in a breach.
455-
if ( $parts[0] === $suffix ) {
467+
if ( isset( $parts[0] ) && $parts[0] === $suffix ) {
456468
$is_password_secure = false;
469+
break;
457470
}
458471
}
459472

460-
// Cache the result for 4 hours.
461-
wp_cache_set( $prefix . $suffix, (int) $is_password_secure, self::HIBP_CACHE_KEY, 60 * 60 * 4 );
462-
463473
return $is_password_secure;
464474
}
465475
}

0 commit comments

Comments
 (0)