feat: integrate PasswordHistory module and enhance password management services

- Added the `PasswordHistoryModule` to the Management, Identities, and Passwd modules for improved password history tracking.
- Updated `IdentitiesForcepasswordService` to utilize `PasswordHistoryService` for enforcing password reuse policies.
- Enhanced `PasswdService` to record password changes and assert non-reuse of passwords using the new service.
- Introduced a new command `IdentitiesPwnedCommand` for checking compromised passwords against the HIBP API.
- Updated password policy DTO to include settings for password history management and HIBP recheck configurations.
- Added UI components for managing password history settings in the web application.

Author: tacxou

apps/api/defaults/cron/identities-pwned-recheck.yml

@@ -0,0 +1,9 @@
+tasks:
+  - name: "identities-pwned-recheck"
+    description: "Re-check HIBP (pwned passwords) for stored password history fingerprints"
+    enabled: false
+    schedule: "0 3 * * *"  # Tous les jours à 03:00
+    handler: "identities-pwned-recheck"
+    options:
+      limit: 500
+

apps/api/src/management/identities/identities-forcepassword.service.ts

@@ -1,12 +1,15 @@
 import {AbstractIdentitiesService} from '~/management/identities/abstract-identities.service';
 import {Identities} from '~/management/identities/_schemas/identities.schema';
-import {BadRequestException, HttpException, Injectable} from '@nestjs/common';
+import { BadRequestException, HttpException, Inject, Injectable } from '@nestjs/common';
 import {DataStatusEnum} from '~/management/identities/_enums/data-status';
 import {ActionType} from "~/core/backends/_enum/action-type.enum";
+import { PasswordHistoryService } from '~/management/password-history/password-history.service'
 
 
 @Injectable()
 export class IdentitiesForcepasswordService extends AbstractIdentitiesService {
+  @Inject(PasswordHistoryService)
+  private readonly passwordHistory: PasswordHistoryService
 
   public async forcePassword(id: string, newPassword: string) {
     //recherche de l'identité
@@ -30,6 +33,7 @@ export class IdentitiesForcepasswordService extends AbstractIdentitiesService {
         statusCode: 400,
       });
     }
+    await this.passwordHistory.assertNotReused(identity._id, newPassword)
      //ok on envoie le changement de mdp
       try{
         const [_, response] = await this.backends.executeJob(
@@ -45,6 +49,7 @@ export class IdentitiesForcepasswordService extends AbstractIdentitiesService {
           },
         );
         if (response?.status === 0) {
+          await this.passwordHistory.recordPassword(identity._id, newPassword, 'force')
           //activation de l'identité
           await this.activation(id,DataStatusEnum.ACTIVE)
           return [_, response];

apps/api/src/management/identities/identities.command.ts

@@ -6,6 +6,9 @@ import { Identities } from "~/management/identities/_schemas/identities.schema";
 import { IdentitiesUpsertService } from "~/management/identities/identities-upsert.service";
 import { IdentitiesDoublonService } from "~/management/identities/identities-doublon.service";
 import { Types } from "mongoose";
+import axios from 'axios'
+import { PasswordHistoryService } from '~/management/password-history/password-history.service'
+import { PasswdadmService } from '~/settings/passwdadm.service'
 
 
 @SubCommand({ name: 'fingerprint' })
@@ -88,7 +91,118 @@ export class IdentitiesCancelFusionCommand extends CommandRunner {
   }
 }
 
-@Command({ name: 'identities', arguments: '<task>', subCommands: [IdentitiesFingerprintCommand, IdentitiesCancelFusionCommand] })
+@SubCommand({ name: 'pwned' })
+export class IdentitiesPwnedCommand extends CommandRunner {
+  private readonly logger = new Logger(IdentitiesPwnedCommand.name)
+
+  public constructor(
+    protected moduleRef: ModuleRef,
+  ) {
+    super()
+  }
+
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  async run(inputs: string[], options: any): Promise<void> {
+    const subTask = inputs?.[0]
+    if (subTask !== 'recheck') {
+      console.error('Usage: yarn run console identities pwned recheck [--limit=500]')
+      return
+    }
+
+    // `ModuleRef.resolve()` ne fonctionne que pour les providers transient / request-scoped.
+    // Ici on a des services singleton, on utilise donc `get()`.
+    const passwordHistory = this.moduleRef.get(PasswordHistoryService, { strict: false })
+    const passwdadm = this.moduleRef.get(PasswdadmService, { strict: false })
+
+    const policies: any = await passwdadm.getPolicies()
+    if (!policies?.pwnedRecheckEnabled) {
+      this.logger.warn('HIBP recheck is disabled by settings (pwnedRecheckEnabled=false).')
+      return
+    }
+
+    const maxAgeSeconds = Number(options?.maxAgeSeconds || policies?.pwnedRecheckMaxAgeSeconds || 0)
+    const limit = Math.max(Number(options?.limit || 500), 1)
+
+    const cutoff = Number.isFinite(maxAgeSeconds) && maxAgeSeconds > 0 ? new Date(Date.now() - maxAgeSeconds * 1000) : null
+    this.logger.debug(
+      `HIBP recheck policy: enabled=true maxAgeSeconds=${Number.isFinite(maxAgeSeconds) ? maxAgeSeconds : 'NaN'} cutoff=${cutoff ? cutoff.toISOString() : 'none'} limit=${limit}`,
+    )
+
+    const filter: any = {
+      hibpSha1Enc: { $ne: null },
+    }
+    if (cutoff) {
+      filter.$or = [{ hibpLastCheckAt: null }, { hibpLastCheckAt: { $lt: cutoff } }]
+    } else {
+      filter.$or = [{ hibpLastCheckAt: null }]
+    }
+
+    const candidates = await passwordHistory.model
+      .find(filter)
+      .sort({ hibpLastCheckAt: 1, createdAt: -1 })
+      .limit(limit)
+      .lean()
+
+    const totalWithEnc = await passwordHistory.model.countDocuments({ hibpSha1Enc: { $ne: null } })
+    const totalNeverCheckedWithEnc = await passwordHistory.model.countDocuments({ hibpSha1Enc: { $ne: null }, hibpLastCheckAt: null })
+    this.logger.log(`HIBP recheck candidates: ${candidates.length} (withEnc=${totalWithEnc}, neverCheckedWithEnc=${totalNeverCheckedWithEnc})`)
+
+    for (const entry of candidates) {
+      const enc = entry?.hibpSha1Enc
+      if (!enc) continue
+
+      let sha1: string
+      try {
+        sha1 = passwordHistory.decryptHibpSha1(enc)
+      } catch (e) {
+        this.logger.warn(`Failed to decrypt hibpSha1Enc for history <${entry._id}>: ${e?.message || e}`)
+        await passwordHistory.model.updateOne(
+          { _id: entry._id },
+          { $set: { hibpLastCheckAt: new Date(), hibpPwnCount: null } },
+        )
+        continue
+      }
+
+      const prefix = sha1.slice(0, 5)
+      const suffix = sha1.slice(5)
+
+      try {
+        const { data } = await axios.get<string>(`https://api.pwnedpasswords.com/range/${prefix}`, {
+          responseType: 'text',
+          timeout: 10_000,
+          headers: {
+            'User-Agent': 'sesame-orchestrator',
+            'Add-Padding': 'true',
+          },
+        })
+
+        let pwnCount = 0
+        const lines = String(data || '').split('\n')
+        for (const line of lines) {
+          const [s, countRaw] = line.trim().split(':')
+          if (!s || !countRaw) continue
+          if (s.toUpperCase() === suffix.toUpperCase()) {
+            pwnCount = parseInt(countRaw, 10) || 0
+            break
+          }
+        }
+
+        await passwordHistory.model.updateOne(
+          { _id: entry._id },
+          { $set: { hibpLastCheckAt: new Date(), hibpPwnCount: pwnCount } },
+        )
+
+        if (pwnCount > 0) {
+          this.logger.warn(`PWNED password detected: history=<${entry._id}> identityId=<${entry.identityId}> count=${pwnCount}`)
+        }
+      } catch (e) {
+        this.logger.warn(`HIBP range call failed for history <${entry._id}>: ${e?.message || e}`)
+      }
+    }
+  }
+}
+
+@Command({ name: 'identities', arguments: '<task>', subCommands: [IdentitiesFingerprintCommand, IdentitiesCancelFusionCommand, IdentitiesPwnedCommand] })
 export class IdentitiesCommand extends CommandRunner {
   public constructor(protected moduleRef: ModuleRef) {
     super();

apps/api/src/management/identities/identities.module.ts

@@ -25,6 +25,7 @@ import { EnsureIdentitiesIndexMiddleware } from './_middlewares/ensure-identitie
 import { AgentsModule } from '~/core/agents/agents.module';
 import { useOnCli } from '~/_common/functions/is-cli';
 import { IdentitiesCommand } from '~/management/identities/identities.command';
+import { PasswordHistoryModule } from '~/management/password-history/password-history.module';
 
 
 @Module({
@@ -40,6 +41,7 @@ import { IdentitiesCommand } from '~/management/identities/identities.command';
     FilestorageModule,
     forwardRef(() => BackendsModule),
     SettingsModule,
+    PasswordHistoryModule,
     AgentsModule,
   ],
   providers: [

apps/api/src/management/management.module.ts

@@ -5,9 +5,10 @@ import { RouterModule } from '@nestjs/core';
 import { IdentitiesModule } from './identities/identities.module';
 import { PasswdModule } from './passwd/passwd.module';
 import { LifecycleModule } from './lifecycle/lifecycle.module';
+import { PasswordHistoryModule } from './password-history/password-history.module';
 
 @Module({
-  imports: [IdentitiesModule, PasswdModule, LifecycleModule],
+  imports: [IdentitiesModule, PasswdModule, LifecycleModule, PasswordHistoryModule],
   providers: [ManagementService],
   controllers: [ManagementController],
 })

apps/api/src/management/passwd/passwd.module.ts

@@ -4,9 +4,10 @@ import { PasswdController } from './passwd.controller';
 import { BackendsModule } from '~/core/backends/backends.module';
 import { IdentitiesModule } from '../identities/identities.module';
 import { SettingsModule } from '~/settings/settings.module';
+import { PasswordHistoryModule } from '~/management/password-history/password-history.module';
 
 @Module({
-  imports: [BackendsModule, IdentitiesModule, SettingsModule],
+  imports: [BackendsModule, IdentitiesModule, SettingsModule, PasswordHistoryModule],
   controllers: [PasswdController],
   providers: [PasswdService],
 })

apps/api/src/management/passwd/passwd.service.ts

@@ -33,6 +33,7 @@ import { InitStatesEnum } from '~/management/identities/_enums/init-state.enum';
 import { MailadmService } from '~/settings/mailadm.service';
 import { DataStatusEnum } from "~/management/identities/_enums/data-status";
 import { SentMessageInfo } from 'nodemailer';
+import { PasswordHistoryService } from '~/management/password-history/password-history.service';
 
 interface TokenData {
   k: string;
@@ -60,6 +61,7 @@ export class PasswdService extends AbstractService {
     private passwdadmService: PasswdadmService,
     private smsadmService: SmsadmService,
     private mailadmService: MailadmService,
+    private readonly passwordHistory: PasswordHistoryService,
     @InjectRedis() private readonly redis: Redis,
   ) {
     super();
@@ -232,6 +234,7 @@ export class PasswdService extends AbstractService {
           statusCode: 400,
         });
       }
+      await this.passwordHistory.assertNotReused(identity._id, passwdDto.newPassword)
       //tout est ok en envoie au backend
       const result = await this.backends.executeJob(
         ActionType.IDENTITY_PASSWORD_CHANGE,
@@ -252,6 +255,7 @@ export class PasswdService extends AbstractService {
       );
       // on met actif l'identité
       await this.identities.model.updateOne({ _id: identity._id }, { dataStatus: DataStatusEnum.ACTIVE })
+      await this.passwordHistory.recordPassword(identity._id, passwdDto.newPassword, 'change')
       return result;
     } catch (e) {
       let job = undefined;
@@ -375,6 +379,7 @@ export class PasswdService extends AbstractService {
     this.logger.log('dataToken :' + tokenData);
     try {
       const identity = (await this.identities.findOne({ 'inetOrgPerson.uid': tokenData.uid })) as Identities;
+      await this.passwordHistory.assertNotReused(identity._id, data.newpassword)
       const [_, response] = await this.backends.executeJob(
         ActionType.IDENTITY_PASSWORD_RESET,
         identity._id,
@@ -395,6 +400,7 @@ export class PasswdService extends AbstractService {
         // on met actif l'identité
         identity.dataStatus = DataStatusEnum.ACTIVE;
         await identity.save()
+        await this.passwordHistory.recordPassword(identity._id, data.newpassword, 'reset')
         return [_, response];
       }
       this.logger.error('Error from backend while reseting password by code');
@@ -417,6 +423,7 @@ export class PasswdService extends AbstractService {
         state: IdentityState.SYNCED,
       })) as Identities;
 
+      await this.passwordHistory.assertNotReused(identity._id, data.newPassword)
       const [_, response] = await this.backends.executeJob(
         ActionType.IDENTITY_PASSWORD_RESET,
         identity._id,
@@ -433,6 +440,7 @@ export class PasswdService extends AbstractService {
       if (response?.status === 0) {
         await this.redis.del(data.token);
         await this.setInitState(identity, InitStatesEnum.INITIALIZED);
+        await this.passwordHistory.recordPassword(identity._id, data.newPassword, 'reset')
         return [_, response];
       }
 

apps/api/src/management/password-history/_schemas/password-history.schema.ts

@@ -0,0 +1,36 @@
+import { Prop, Schema, SchemaFactory } from '@nestjs/mongoose'
+import { Document, Types } from 'mongoose'
+
+export type PasswordHistoryDocument = PasswordHistory & Document
+
+@Schema({ versionKey: false, minimize: false, timestamps: true })
+export class PasswordHistory {
+  @Prop({ type: Types.ObjectId, required: true, index: true })
+  public identityId: Types.ObjectId
+
+  @Prop({ type: String, required: true })
+  public passwordHash: string
+
+  /**
+   * SHA-1(password) chiffré (AES-256-GCM), utilisé uniquement pour re-check HIBP en cron.
+   */
+  @Prop({ type: String, required: false, default: null })
+  public hibpSha1Enc?: string | null
+
+  @Prop({ type: Date, required: false, default: null })
+  public hibpLastCheckAt?: Date | null
+
+  @Prop({ type: Number, required: false, default: null })
+  public hibpPwnCount?: number | null
+
+  @Prop({ type: String, required: false, default: null })
+  public source?: 'change' | 'reset' | 'force' | null
+
+  @Prop({ type: Date, required: false, default: null })
+  public expiresAt?: Date | null
+}
+
+export const PasswordHistorySchema = SchemaFactory.createForClass(PasswordHistory)
+  .index({ identityId: 1, createdAt: -1 })
+  .index({ expiresAt: 1 }, { expireAfterSeconds: 0 })
+

apps/api/src/management/password-history/password-history.controller.ts

@@ -0,0 +1,72 @@
+import { Controller, Get, HttpStatus, Param, Res } from '@nestjs/common'
+import { ApiParam, ApiTags } from '@nestjs/swagger'
+import { Response } from 'express'
+import { Types } from 'mongoose'
+import { ObjectIdValidationPipe } from '~/_common/pipes/object-id-validation.pipe'
+import { UseRoles } from '~/_common/decorators/use-roles.decorator'
+import { AC_ACTIONS, AC_DEFAULT_POSSESSION } from '~/_common/types/ac-types'
+import { PasswordHistoryService } from './password-history.service'
+import { PasswdadmService } from '~/settings/passwdadm.service'
+
+@ApiTags('management/password-history')
+@Controller('password-history')
+export class PasswordHistoryController {
+  public constructor(
+    private readonly passwordHistoryService: PasswordHistoryService,
+    private readonly passwdadmService: PasswdadmService,
+  ) {}
+
+  @Get(':identityId([0-9a-fA-F]{24})')
+  @UseRoles({
+    resource: '/management/password-history',
+    action: AC_ACTIONS.READ,
+    possession: AC_DEFAULT_POSSESSION,
+  })
+  @ApiParam({ name: 'identityId', type: String })
+  public async listForIdentity(
+    @Param('identityId', ObjectIdValidationPipe) identityId: Types.ObjectId,
+    @Res() res: Response,
+  ): Promise<Response> {
+    const policies: any = await this.passwdadmService.getPolicies()
+    if (!policies?.passwordHistoryEnabled) {
+      return res.status(HttpStatus.OK).json({
+        statusCode: HttpStatus.OK,
+        data: [],
+        message: 'Historique des mots de passe désactivé par la politique',
+      })
+    }
+
+    const historyCount = Number(policies?.passwordHistoryCount || 0)
+    const limit = Number.isFinite(historyCount) && historyCount > 0 ? historyCount : 0
+
+    const rows = limit
+      ? await this.passwordHistoryService.model
+          .find({ identityId })
+          .sort({ createdAt: -1 })
+          .limit(limit)
+          .select({
+            _id: 1,
+            createdAt: 1,
+            expiresAt: 1,
+            source: 1,
+            hibpLastCheckAt: 1,
+            hibpPwnCount: 1,
+            hibpSha1Enc: 1,
+          })
+          .lean()
+      : []
+
+    const safeRows = (rows || []).map((row: any) => {
+      const hasHibpFingerprint = !!row?.hibpSha1Enc
+      const { hibpSha1Enc: _hibpSha1Enc, ...rest } = row || {}
+      return { ...rest, hasHibpFingerprint }
+    })
+
+    return res.status(HttpStatus.OK).json({
+      statusCode: HttpStatus.OK,
+      data: safeRows,
+      total: safeRows.length,
+    })
+  }
+}
+