Use native browser hashing for pwnedPasswords check

hhvrc · hhvrc · commit b07c64b59da4 · 2025-05-28T15:16:25.000+02:00
diff --git a/src/lib/api/pwnedPasswords.ts b/src/lib/api/pwnedPasswords.ts
@@ -1,13 +1,12 @@
-import SHA1 from 'crypto-js/sha1';
+import { HashString } from "$lib/utils/crypto";
 
 export async function checkPwnedCount(password: string): Promise<number> {
   if (!password) {
     throw new Error('Password cannot be empty');
   }
 
-  const hash = SHA1(password).toString();
+  const hash = await HashString(password, 'SHA-1');
   const hashPrefix = hash.substring(0, 5);
-  const hashSuffix = hash.substring(5).toUpperCase();
 
   let raw: string;
   try {
@@ -18,6 +17,7 @@ export async function checkPwnedCount(password: string): Promise<number> {
     throw new Error('Error while fetching pwned passwords range');
   }
 
+  const hashSuffix = hash.substring(5).toUpperCase();
   const match = raw.split('\n').find((line) => line.startsWith(hashSuffix));
 
   if (match) {
diff --git a/src/lib/utils/crypto.ts b/src/lib/utils/crypto.ts
@@ -0,0 +1,8 @@
+const EncodeString = (input: string) => new TextEncoder().encode(input);
+const ArrayBufferToHex = (buffer: ArrayBuffer) => Array.from(new Uint8Array(buffer)).map((b) => b.toString(16).padStart(2, '0')).join('');
+
+export async function HashString(input: string, hashtype: 'SHA-1' | 'SHA-256'): Promise<string> {
+  const data = EncodeString(input);
+  const hashBuffer = await crypto.subtle.digest(hashtype, data);
+  return ArrayBufferToHex(hashBuffer);
+}
