feat: enhance password recheck functionality and HIBP key validation

- Introduced new settings in the password policy DTO for handling actions on compromised passwords during HIBP rechecks, allowing options for 'none', 'notify', or 'expire'.
- Updated the PasswdadmController to validate the HIBP key status before enabling rechecks, ensuring proper configuration.
- Enhanced the IdentitiesPwnedCommand to notify users or expire passwords based on the new policy settings.
- Modified the password policy UI to include options for the new actions and display HIBP key status, improving user experience and security awareness.

Author: tacxou

apps/api/src/management/identities/identities.command.ts

@@ -9,6 +9,11 @@ import { Types } from "mongoose";
 import axios from 'axios'
 import { PasswordHistoryService } from '~/management/password-history/password-history.service'
 import { PasswdadmService } from '~/settings/passwdadm.service'
+import { IdentitiesForcepasswordService } from '~/management/identities/identities-forcepassword.service'
+import { IdentitiesCrudService } from '~/management/identities/identities-crud.service'
+import { MailerService } from '@nestjs-modules/mailer'
+import { MailadmService } from '~/settings/mailadm.service'
+import { get } from 'radash'
 
 
 @SubCommand({ name: 'fingerprint' })
@@ -113,6 +118,10 @@ export class IdentitiesPwnedCommand extends CommandRunner {
     // Ici on a des services singleton, on utilise donc `get()`.
     const passwordHistory = this.moduleRef.get(PasswordHistoryService, { strict: false })
     const passwdadm = this.moduleRef.get(PasswdadmService, { strict: false })
+    const identities = this.moduleRef.get(IdentitiesCrudService, { strict: false })
+    const forcePwd = this.moduleRef.get(IdentitiesForcepasswordService, { strict: false })
+    const mailer = this.moduleRef.get(MailerService, { strict: false })
+    const mailadm = this.moduleRef.get(MailadmService, { strict: false })
 
     const policies: any = await passwdadm.getPolicies()
     if (!policies?.pwnedRecheckEnabled) {
@@ -194,6 +203,43 @@ export class IdentitiesPwnedCommand extends CommandRunner {
 
         if (pwnCount > 0) {
           this.logger.warn(`PWNED password detected: history=<${entry._id}> identityId=<${entry.identityId}> count=${pwnCount}`)
+
+          const action = (policies?.pwnedRecheckAction || 'none') as 'none' | 'notify' | 'expire'
+          if (action === 'expire') {
+            try {
+              await forcePwd.needToChangePassword(String(entry.identityId))
+              this.logger.warn(`PWNED action applied: expire password identityId=<${entry.identityId}>`)
+            } catch (e) {
+              this.logger.warn(`PWNED action failed (expire) for identityId=<${entry.identityId}>: ${e?.message || e}`)
+            }
+          } else if (action === 'notify') {
+            try {
+              const identity = await identities.model.findById(entry.identityId).lean()
+              const mailAttribute = String(policies?.emailAttribute || '')
+              const email = mailAttribute ? (get(identity as any, mailAttribute) as string) : null
+              if (!email) {
+                this.logger.warn(`PWNED notify skipped: no email (attribute=<${mailAttribute || 'n/a'}>) for identityId=<${entry.identityId}>`)
+              } else {
+                const smtpParams = await mailadm.getParams()
+                const subject = 'Alerte sécurité : mot de passe compromis'
+                const text =
+                  `Bonjour,\n\n` +
+                  `Un re-check de sécurité (HIBP) indique que votre mot de passe apparaît dans des fuites connues (occurrences: ${pwnCount}).\n` +
+                  `Nous vous recommandons de le changer dès que possible.\n\n` +
+                  `Ceci est une notification : votre accès n'est pas bloqué.\n`
+
+                await mailer.sendMail({
+                  from: smtpParams?.sender,
+                  to: email,
+                  subject,
+                  text,
+                })
+                this.logger.warn(`PWNED action applied: notified user identityId=<${entry.identityId}>`)
+              }
+            } catch (e) {
+              this.logger.warn(`PWNED action failed (notify) for identityId=<${entry.identityId}>: ${e?.message || e}`)
+            }
+          }
         }
       } catch (e) {
         this.logger.warn(`HIBP range call failed for history <${entry._id}>: ${e?.message || e}`)

apps/api/src/settings/_dto/password-policy.dto.ts

@@ -62,6 +62,14 @@ export class PasswordPoliciesDto {
   @ApiProperty({ example: 604800, description: 'Age max (secondes) avant re-check HIBP en cron', type: Number })
   public pwnedRecheckMaxAgeSeconds: number = 60 * 60 * 24 * 7;
 
+  @IsString()
+  @ApiProperty({
+    example: 'none',
+    description: "Action à effectuer si un mot de passe est détecté comme compromis via le re-check HIBP ('none' | 'notify' | 'expire')",
+    type: String,
+  })
+  public pwnedRecheckAction: 'none' | 'notify' | 'expire' = 'none';
+
   @IsBoolean()
   @ApiProperty({ example: true, description: 'Mote de passe peut etre reinitialisé par sms', type: Boolean })
   public resetBySms: boolean = false;

apps/api/src/settings/passwdadm.controller.ts

@@ -1,15 +1,19 @@
-import { Body, Controller, Get, HttpStatus, Logger, Post, Res } from '@nestjs/common'
+import { BadRequestException, Body, Controller, Get, HttpStatus, Logger, Post, Res } from '@nestjs/common'
 import { ApiOperation, ApiResponse, ApiTags } from '@nestjs/swagger'
 import { Response } from 'express'
 import { PasswordPoliciesDto } from '~/settings/_dto/password-policy.dto'
 import { PasswdadmService } from './passwdadm.service'
 import { UseRoles } from '~/_common/decorators/use-roles.decorator'
 import { AC_ACTIONS, AC_DEFAULT_POSSESSION } from '~/_common/types/ac-types'
+import { ConfigService } from '@nestjs/config'
 
 @Controller('settings/passwdadm')
 @ApiTags('settings')
 export class PasswdadmController {
-  public constructor(private passwdadmService: PasswdadmService) {}
+  public constructor(
+    private passwdadmService: PasswdadmService,
+    private configService: ConfigService,
+  ) {}
 
   @Post('setpolicies')
   @UseRoles({
@@ -20,6 +24,12 @@ export class PasswdadmController {
   @ApiOperation({ summary: 'enregistre la police de mdp' })
   @ApiResponse({ status: HttpStatus.OK })
   public async setPolicies(@Body() body: PasswordPoliciesDto, @Res() res: Response): Promise<Response> {
+    if (body?.pwnedRecheckEnabled) {
+      const status = this.getHibpKeyStatus()
+      if (!status.valid) {
+        throw new BadRequestException(status.reason || 'Clé SESAME_PASSWORD_HISTORY_HIBP_KEY invalide')
+      }
+    }
     const data = await this.passwdadmService.setPolicies(body);
 
     return res.status(HttpStatus.OK).json({ data });
@@ -38,4 +48,34 @@ export class PasswdadmController {
 
     return res.status(HttpStatus.OK).json({ data });
   }
+
+  @Get('hibp-keystatus')
+  @UseRoles({
+    resource: '/settings/passwdadm',
+    action: AC_ACTIONS.READ,
+    possession: AC_DEFAULT_POSSESSION,
+  })
+  @ApiOperation({ summary: 'Retourne le statut de validité de la clé de chiffrement HIBP' })
+  @ApiResponse({ status: HttpStatus.OK })
+  public async hibpKeyStatus(@Res() res: Response): Promise<Response> {
+    return res.status(HttpStatus.OK).json({ data: this.getHibpKeyStatus() })
+  }
+
+  private getHibpKeyStatus(): { valid: boolean; reason: string | null } {
+    const raw = (this.configService.get<string>('SESAME_PASSWORD_HISTORY_HIBP_KEY') || '').trim()
+    if (!raw) {
+      return { valid: false, reason: 'Clé manquante (SESAME_PASSWORD_HISTORY_HIBP_KEY)' }
+    }
+
+    if (/^[0-9a-fA-F]{64}$/.test(raw)) {
+      return { valid: true, reason: null }
+    }
+
+    const buf = Buffer.from(raw, 'base64')
+    if (buf.length !== 32) {
+      return { valid: false, reason: 'Clé invalide (base64) : doit décoder en 32 bytes' }
+    }
+
+    return { valid: true, reason: null }
+  }
 }

apps/web/src/pages/settings/password-policy.vue

@@ -83,13 +83,15 @@
           hint="Utilise l'API de pwned pour vérifier si le mot de passe a été compromis dans une fuite de données"
         )
         q-toggle.col-12.col-sm-6.col-md-4.col-lg-3(
-          :disable='!hasPermission("/settings/passwdadm", "update")'
+          :disable='!hasPermission("/settings/passwdadm", "update") || !hibpKeyStatus.valid'
           dense
           v-model="payload.pwnedRecheckEnabled"
           color="teal"
-          label="Re-check HIBP (tâche planifiée)"
-          hint="Active le re-check HIBP (cron) via une empreinte SHA-1 chiffrée stockée dans l'historique des mots de passe"
+          label="Stockage des empreintes HIBP (Pwned Passwords)"
+          hint="Active le stockage des empreintes SHA-1 chiffrées dans l'historique des mots de passe"
         )
+          q-tooltip.text-body2(anchor="top middle" self="bottom middle" v-if="!hibpKeyStatus.valid")
+            span(v-text="hibpKeyStatus.reason || 'Clé SESAME_PASSWORD_HISTORY_HIBP_KEY invalide'")
         q-toggle.col-12.col-sm-6.col-md-4.col-lg-3(
           :disable='!hasPermission("/settings/passwdadm", "update")'
           dense
@@ -137,6 +139,17 @@
           hint="Re-check uniquement si la dernière vérification est plus ancienne que ce délai"
           dense
         )
+        q-select.col-12.col-sm-6.col-md-5.col-lg-4(
+          :disable='!hasPermission("/settings/passwdadm", "update")'
+          outlined
+          dense
+          emit-value
+          map-options
+          v-model="payload.pwnedRecheckAction"
+          :options="pwnedActions"
+          label="Action si mot de passe compromis lors du re-check HIBP"
+          hint="« Notifier » avertit l'utilisateur sans le bloquer. « Expirer » force un changement au prochain usage."
+        )
       q-separator.q-my-lg
       .row.q-col-gutter-md
         q-input.col-12.col-md-6(
@@ -185,6 +198,7 @@ type PasswordPolicySettings = {
   checkPwned: boolean
   pwnedRecheckEnabled: boolean
   pwnedRecheckMaxAgeSeconds: number
+  pwnedRecheckAction: 'none' | 'notify' | 'expire'
   resetBySms: boolean
   emailAttribute: string
   mobileAttribute: string
@@ -204,6 +218,12 @@ export default defineComponent({
     const { handleError } = useErrorHandling()
     const { hasPermission } = useAccessControl()
 
+    const pwnedActions = [
+      { label: 'Ne rien faire', value: 'none' },
+      { label: "Notifier l'utilisateur", value: 'notify' },
+      { label: 'Expirer le mot de passe', value: 'expire' },
+    ] as const
+
     const payload = ref({
       len: 8,
       hasUpperCase: 0,
@@ -213,6 +233,7 @@ export default defineComponent({
       checkPwned: false,
       pwnedRecheckEnabled: false,
       pwnedRecheckMaxAgeSeconds: 60 * 60 * 24 * 7,
+      pwnedRecheckAction: 'none',
       resetBySms: false,
       emailAttribute: '',
       mobileAttribute: '',
@@ -223,6 +244,7 @@ export default defineComponent({
       initTokenTTL: 0,
     })
     const validations = ref({} as Record<string, any>)
+    const hibpKeyStatus = ref<{ valid: boolean; reason: string | null }>({ valid: true, reason: null })
 
     const {
       data: result,
@@ -232,6 +254,13 @@ export default defineComponent({
     } = await useHttp<{ data: PasswordPolicySettings }>(`/settings/passwdadm/getpolicies`, {
       method: 'GET',
     })
+
+    const { data: keyStatusResult } = await useHttp<{ data: { valid: boolean; reason: string | null } }>(`/settings/passwdadm/hibp-keystatus`, {
+      method: 'GET',
+    })
+    if (keyStatusResult.value?.data) {
+      hibpKeyStatus.value = keyStatusResult.value.data
+    }
     if (error.value) {
       handleError({
         error: error.value,
@@ -242,8 +271,14 @@ export default defineComponent({
       validations.value = {}
     }
 
+    if (!hibpKeyStatus.value.valid) {
+      payload.value.pwnedRecheckEnabled = false
+    }
+
     return {
       payload,
+      pwnedActions,
+      hibpKeyStatus,
       handleError,
       pending,
       refresh,