icawebdesign / hibp-php
PHP library for accessing the Have I Been Pwned API.
Installs: 24 105
Dependents: 1
Suggesters: 0
Security: 0
Stars: 22
Watchers: 4
Forks: 4
Open Issues: 0
Requires
- php: ^8.1||^8.2||^8.3
- ext-json: *
- guzzlehttp/guzzle: ^7.5
- guzzlehttp/psr7: ^2.4
- illuminate/collections: ^8.0||^9.43||^10.0||^11.0
- nesbot/carbon: ^2.63||^3.0
- psr/http-message: ^1.0||^2.0
- symfony/yaml: ^6.1||^7.0
Requires (Dev)
- orchestra/testbench: ^6.4||^7.22||^8.0||^9.0
- phpstan/phpstan: ^1.4.6
- phpstan/phpstan-mockery: ^1.1.0
- phpstan/phpstan-phpunit: ^1.0.0
- phpunit/phpunit: ^10.0||^11.0
- squizlabs/php_codesniffer: ^3.5
This package is auto-updated.
Last update: 2024-04-18 23:20:09 UTC
README
HIBP-PHP is a composer library for accessing the Have I Been Pwned and Pwned Passwords APIs (currently v3).
The HIBP API now requires an API Key that needs to be purchased at the HIBP site for any lookups that use an email address. This currently means that if you're only using this package for lookups from the PwnedPassword section of the API, then an API key isn't required.
Version 5.x has dropped support for older PHP versions (< 7.4). If you still need a version of this package to run on an older PHP version, then please use the icawebdesign/hibp-php:^4.0 tag, though the 4.x branch will no longer receive updates.
Version 6.x now requires PHP 8.1+. If you need to support previous versions of PHP, please use the icawebdesign/hibp-php:^5.0 tag. This version however, will only receive security fixes.
Requirements
- PHP 8.1+
Installation
composer require icawebdesign/hibp-php:"^6.0"
ReadOnly properties
Now that we're targetting a minimum of PHP 8.1, this gives us the ability to utilise ReadOnly properties in objects. With this, entity getters have been removed and properties can now be accessed directly on the object.
Usage examples for Breach Sites data
Get all breach sites
use Icawebdesign\Hibp\Breach\Breach; use Icawebdesign\Hibp\HibpHttp; $breach = new Breach(new HibpHttp($apiKey)); $breachSites = $breach->getAllBreachSites();
This will return a Collection of BreachSiteEntity objects.
Or we can filter for a domain the breach was listed in:
use Icawebdesign\Hibp\Breach\Breach; use Icawebdesign\Hibp\HibpHttp; $breach = new Breach(new HibpHttp($apiKey)); $breachSites = $breach->getAllBreachSites('adobe.com');
This will return a Collection of BreachSiteEntity objects.
Get single breach site
use Icawebdesign\Hibp\Breach\Breach; use Icawebdesign\Hibp\HibpHttp; $breach = new Breach(new HibpHttp($apiKey)); $breachSite = $breach->getBreach('adobe');
This will return a single BreachSiteEntity.
Get list of data classes for breach sites
use Icawebdesign\Hibp\Breach\Breach; use Icawebdesign\Hibp\HibpHttp; $breach = new Breach(new HibpHttp($apiKey)); $dataClasses = $breach->getAllDataClasses();
This will return an array of Data Classes, eg;
[ "Account balances", "Address book contacts", "Age groups", "Ages", ... ]
Get data for a breached email account
use Icawebdesign\Hibp\Breach\Breach; use Icawebdesign\Hibp\HibpHttp; $breach = new Breach(new HibpHttp($apiKey)); $data = $breach->getBreachedAccount('test@example.com');
We can retrieve unverified accounts too by specifying true for the second param (not retrieved by default):
use Icawebdesign\Hibp\Breach\Breach; use Icawebdesign\Hibp\HibpHttp; $breach = new Breach(new HibpHttp($apiKey)); $data = $breach->getBreachedAccount('test@example.com', includeUnverified: true);
We can also filter results back to a specific breached domain by adding a domain as the 3rd param
use Icawebdesign\Hibp\Breach\Breach; use Icawebdesign\Hibp\HibpHttp; $breach = new Breach(new HibpHttp($apiKey)); $data = $breach->getBreachedAccount( 'test@example.com', includeUnverified: true, domainFilter: 'adobe.com', );
These calls will return a Collection of BreachSiteEntity objects.
Usage examples for Pwned Passwords
The PwnedPasswd methods can now take a second param of an array to specify GuzzleHttp request options.
Get number of times the start of a hash appears in the system matching against a full hash
use Icawebdesign\Hibp\Password\PwnedPassword; use Icawebdesign\Hibp\HibpHttp; $pwnedPassword = new PwnedPassword(new HibpHttp($apiKey)); $count = $pwnedPassword->rangeFromHash('5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8');
This will return an int of the count.
You can also check against NTLM hashes:
use Icawebdesign\Hibp\Password\PwnedPassword; use Icawebdesign\Hibp\HibpHttp; $pwnedPassword = new PwnedPassword(new HibpHttp($apiKey)); $count = $pwnedPassword->ntlmRangeFromHash('8846F7EAEE8FB117AD06BDD830B7586C');
Get number of times the start of a hash appears in the system as above, but with padded values to help prevent fingerprinting
use Icawebdesign\Hibp\Password\PwnedPassword; use Icawebdesign\Hibp\HibpHttp; $pwnedPassword = new PwnedPassword(new HibpHttp($apiKey)); $hashData = $pwnedPassword->paddedRangeDataFromHash('5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8');
You can also check against NTLM hashes:
use Icawebdesign\Hibp\Password\PwnedPassword; use Icawebdesign\Hibp\HibpHttp; $pwnedPassword = new PwnedPassword(new HibpHttp($apiKey)); $hashData = $pwnedPassword->paddedNtlmRangeDataFromHash('5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8');
This will return a Collection of PwnedPassword model objects.
Get a collection of hash data from a start of a hash and matching against a full hash
use Icawebdesign\Hibp\Password\PwnedPassword; use Icawebdesign\Hibp\HibpHttp; $pwnedPassword = new PwnedPassword(new HibpHttp($apiKey)); $hashData = $pwnedPassword->rangeDataFromHash('5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8');
This will return a Collection of PwnedPassword model objects.
Get a collection of hash data from a start of a hash and matching against a full hash as above, but with padded values to help prevent fingerprinting
use Icawebdesign\Hibp\Password\PwnedPassword; use Icawebdesign\Hibp\HibpHttp; $pwnedPassword = new PwnedPassword(new HibpHttp($apiKey)); $hashData = $pwnedPassword->paddedRangeDataFromHash('5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'); // Strip padded values from results $hashData = PwnedPassword::stripZeroMatchesData($hashData, '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8');
This will return a Collection of PwnedPassword model objects.
Usage examples for Paste lists
Get a collection of pastes that a specified email account has appeared in
use Icawebdesign\Hibp\Paste\Paste; use Icawebdesign\Hibp\HibpHttp; $paste = new Paste(new HibpHttp($apiKey)); $data = $paste->lookup('test@example.com');
This will return a Collection of PasteEntity objects.
Laravel specifics
If using the package within a Laravel application, you can use the provided facades.
First, you need to add your HIBP API key to your .env file, or your preferred method for adding values to your server environment variables.
HIBP_API_KEY=abcdefgh123456789
You can then use the facades to call the relevant methods:
// Breach use Icawebdesign\Hibp\Facades\Breach; $breachSites = Breach::getAllBreachSites(); // Paste use Icawebdesign\Hibp\Facades\Paste; $paste = Paste::lookup('test@example.com'); // PwnedPassword use Icawebdesign\Hibp\Facades\PwnedPassword; $count = PwnedPassword::rangeFromHash('5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8');
Changelog
Please see CHANGELOG for more information what has changed recently.
Contributing
Please see CONTRIBUTING for details.
Security
If you discover any security related issues, please email ian.h@digiserv.net instead of using the issue tracker.
Credits
Thank you to Artem Fomenko for being the first external contributor to the package providing request options for Guzzle for the PwnedPassword methods.
License
The MIT License (MIT). Please see License File for more information.