https://github.com/jody-frankowski/hibr
Anonymously check if your passwords have been leaked in the 2009 RockYou leak. Hosted @ 🏠 with Cloudflare tunnel.
- Host: GitHub
- URL: https://github.com/jody-frankowski/hibr
- Owner: jody-frankowski
- Created: 2025-01-31T09:59:59.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2025-03-15T00:54:00.000Z (2 months ago)
- Last Synced: 2025-03-15T01:33:09.287Z (2 months ago)
- Topics: algosecure, badger, badgerdb, go, golang, haveibeenpwned, haveibeenrocked, next, nextjs, react, reactjs, weakpass, weakpasswords, xxh, xxh3, xxhash
- Language: Go
- Homepage: https://hibr.jody.page
- Size: 273 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Have I Been Rocked?
## Usage
```sh
docker compose up --build
```
Then open [http://localhost:8081](http://localhost:8081) in a browser.
Local development instructions are in the READMEs of the subdirectories.
## Architecture
- `back/` Go API
- `front/` Next.js TypeScript frontend
- `rp/` Caddy reverse proxy
### Back
Go was chosen for its simplicity and speed.

The key-value database [badger](https://github.com/hypermodeinc/badger) was chosen for its speed and
for the nature of the data being stored and queried: the only operation needed is checking whether a
key exists in the dataset. The DB lives in the same Go process as the HTTP server.

If there were ever a need to share the DB between several back-end instances, the code should be
easy to extract into a separate service. This was not pursued further, since network queries would
add latency, and the dataset should fit in the memory of most instances, which allows quick and easy
horizontal scaling should it be needed.

The rockyou.txt file is downloaded automatically as a convenience. For local development, the
environment variable `ROCKYOU_PATH` can be set to point to an existing copy of the file.

When loading the DB, we check whether it was already populated by checking for the existence of a
key. If it was not, we read the file, hash every password and store the hashes in the DB.

The back has two routes: one that looks up a whole password by its full hash, and one that looks up
passwords by a hash prefix.

The first route is how this service was originally built and is kept as an example, but it is not
used by the actual front-end. Sending the full hash reveals the queried password to the server (and
to anyone who can observe the request), since recovering a dictionary password from a fast hash is a
matter of running the same lookup.

The second route is the one used by the front-end. It uses the same mechanism as the original
project ([Cloudflare, Privacy and k-Anonymity](https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity))
to anonymize the queried passwords: the client hashes the password locally, sends only a prefix of
the hash, receives the suffix of every stored hash that shares that prefix, and finishes the
comparison itself, so the server only ever learns which bucket the query fell into.

The hash used is [`xxh128`](https://xxhash.com/), which produces a 128-bit digest.
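The following is an added, self-contained example of the two lookup routes described above; it is not the project's code. It assumes a prefix length of 3 hex characters (`PrefixLen`, not stated in the README), substitutes the standard library's FNV-1a 128 for xxh128 so it runs without dependencies (same 32-hex-character key shape, also non-cryptographic), replaces Badger with an in-memory set, and hashes a small constructed word list (`sampleList`) standing in for rockyou.txt. `Exists` is the whole-hash route, `Range` is the k-anonymity route, and `CheckPassword` is the client side that only ever sends a prefix.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"fmt"
	"hash/fnv"
	"io"
	"strings"
)

// PrefixLen is how many hex characters of the digest the client reveals. The
// README does not state the project's value; 3 (12 bits) is assumed here.
const PrefixLen = 3

// hashHex returns the hex digest used as the DB key. The project uses xxh128;
// FNV-1a 128 from the standard library stands in here: also non-cryptographic,
// also 128 bits, so keys keep the same 32-hex-character shape.
func hashHex(password string) string {
	h := fnv.New128a()
	h.Write([]byte(password))
	return hex.EncodeToString(h.Sum(nil))
}

// Store stands in for the Badger DB: a set of digests with no values, since
// the only query ever made is "does this key exist".
type Store struct{ keys map[string]struct{} }

// LoadWordlist reads a rockyou.txt-style list (one password per line), hashes
// every entry and stores the digest, mirroring the README's load step.
func LoadWordlist(r io.Reader) (*Store, error) {
	s := &Store{keys: make(map[string]struct{})}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if pw := sc.Text(); pw != "" {
			s.keys[hashHex(pw)] = struct{}{}
		}
	}
	return s, sc.Err()
}

// Exists is the whole-hash route. The caller reveals the complete digest, and
// because the hash is fast and the inputs are a dictionary, whoever sees the
// request can recover the password by the same lookup; the front-end avoids it.
func (s *Store) Exists(digest string) bool {
	_, ok := s.keys[strings.ToLower(digest)]
	return ok
}

// Range is the k-anonymity route: given only PrefixLen hex characters, it
// returns the suffix of every stored digest in that bucket, so the server never
// learns which entry (if any) the caller holds. A full map scan is used here;
// Badger would serve the same query with a prefix iterator.
func (s *Store) Range(prefix string) ([]string, error) {
	prefix = strings.ToLower(prefix)
	if len(prefix) != PrefixLen || strings.Trim(prefix, "0123456789abcdef") != "" {
		return nil, fmt.Errorf("prefix must be %d hex characters", PrefixLen)
	}
	suffixes := []string{}
	for k := range s.keys {
		if strings.HasPrefix(k, prefix) {
			suffixes = append(suffixes, k[PrefixLen:])
		}
	}
	return suffixes, nil
}

// CheckPassword is the client side: hash locally, hand only the prefix to
// query (in production, an HTTP call to the range route), and finish the
// comparison here. It reports whether the password was found and how many
// stored hashes shared the prefix, i.e. the bucket size the query hides in.
func CheckPassword(query func(string) ([]string, error), password string) (bool, int, error) {
	digest := hashHex(password)
	suffixes, err := query(digest[:PrefixLen])
	if err != nil {
		return false, 0, err
	}
	found := false
	for _, sfx := range suffixes {
		if sfx == digest[PrefixLen:] {
			found = true
		}
	}
	return found, len(suffixes), nil
}

// sampleList is a constructed stand-in for rockyou.txt.
const sampleList = "123456\npassword\niloveyou\nprincess\nrockyou\n12345678\nabc123\nnicole\ndaniel\nbabygirl\n"

func main() {
	store, err := LoadWordlist(strings.NewReader(sampleList))
	if err != nil {
		panic(err)
	}
	for _, pw := range []string{"password", "correct horse battery staple"} {
		found, k, _ := CheckPassword(store.Range, pw)
		fmt.Printf("%q leaked=%v (shared prefix with %d stored hashes)\n", pw, found, k)
	}
}
```

With a 10-entry list most buckets hold a single hash, so the anonymity set is tiny; against the full RockYou list and a suitably short prefix each bucket holds many entries, which is what makes the prefix alone useless to the server. The prefix length is the knob: shorter prefixes mean larger buckets (more privacy) but larger responses.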
### Front
The front uses Next.js in TypeScript.
TypeScript was used for its type safety over JavaScript.
Next.js was chosen for its simplicity, quick setup, and previous knowledge of React.
[HeroUI](https://www.heroui.com/) was used for the interactive components.
### Reverse Proxy
[caddy](https://github.com/caddyserver/caddy) was used as a reverse proxy in order to
serve both the front and the API on the same address.

It also sets some HTTP cache headers and compresses responses (~50% size reduction).