From 38aad4f7bedfb4279ecb385e036b1d84f3d59483 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Garc=C3=ADa?=
Date: Sun, 10 Nov 2024 23:59:06 +0100
Subject: [PATCH] Limit HIBP to authed users

---
 src/api/core/mod.rs | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/api/core/mod.rs b/src/api/core/mod.rs
index 4ac6b777..1638afe5 100644
--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@@ -135,13 +135,13 @@ async fn put_eq_domains(data: Json, headers: Headers, conn: DbC
 }

 #[get("/hibp/breach?")]
-async fn hibp_breach(username: &str) -> JsonResult {
- let username: String = url::form_urlencoded::byte_serialize(username.as_bytes()).collect();
- let url = format!(
- "https://haveibeenpwned.com/api/v3/breachedaccount/{username}?truncateResponse=false&includeUnverified=false"
- );
-
+async fn hibp_breach(username: &str, _headers: Headers) -> JsonResult {
 if let Some(api_key) = crate::CONFIG.hibp_api_key() {
+ let username: String = url::form_urlencoded::byte_serialize(username.as_bytes()).collect();
+ let url = format!(
+ "https://haveibeenpwned.com/api/v3/breachedaccount/{username}?truncateResponse=false&includeUnverified=false"
+ );
+
 let res = make_http_request(Method::GET, &url)?.header("hibp-api-key", api_key).send().await?;

 // If we get a 404, return a 404, it means no breached accounts
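Review bot: The access control added to `hibp_breach` rests entirely on the unused `_headers: Headers` parameter, and nothing at the signature says so. A later cleanup of "unused" arguments could silently reopen the route, and with it the server's configured HIBP API key, to anonymous callers. I would add a comment directly above the signature, for example `// _headers is intentionally unused: the Headers guard is what restricts this route to authenticated users`. Separately, any authenticated user can still query arbitrary usernames through the server's key; whether a per-user limit is needed cannot be judged from here, because the body of `hibp_breach` continues past the end of the hunk.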