Cache HIBP prefix responses#230
Open
dknauss wants to merge 1 commit into
Open
Conversation
dknauss
force-pushed
the
pr/hibp-timeout-prefix-cache
branch
from
July 5, 2026 02:44
c33c910 to
3b5b7ca
Compare
dknauss
force-pushed
the
pr/hibp-timeout-prefix-cache
branch
from
July 5, 2026 02:59
3b5b7ca to
edb0680
Compare
dknauss
marked this pull request as ready for review
July 5, 2026 03:15
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of the Change
Improves the Have I Been Pwned password check by caching the k-anonymity prefix response and setting an explicit request timeout.
Previously the result was cached per full password hash, which avoids repeat checks for the same password but does not reuse the HIBP range response for different passwords sharing the same prefix. This change caches the prefix response in object cache and a transient, then checks the local suffix list for the submitted password hash.
The HTTP request now also has a short default timeout, filterable with
tenup_experience_hibp_request_timeout.Benefits
Possible Drawbacks
The prefix response may be reused for up to four hours. This is appropriate for reducing repeated external calls, but it means newly-added HIBP entries for an already-cached prefix may not be seen until the cache expires.
Verification Process
php -l includes/classes/Authentication/Passwords.phpcomposer run lintgit diff --checkChangelog Entry
Checklist:
A note on tests
This change has unit-testable logic, but the plugin currently ships no test harness (no PHPUnit or e2e setup; CI runs lint only), so there's nothing here to add coverage to. I'm happy to contribute a minimal test setup plus coverage for this in a separate PR if that's welcome.
AI assistance was used in drafting and reviewing this change; final authorship and verification are mine.