Update to API v3

_config/injector.yml

@@ -4,3 +4,6 @@ Name: HaveIBeenPwnedInjector
 SilverStripe\Core\Injector\Injector:
   SilverStripe\Security\MemberAuthenticator\LoginHandler:
     class: Firesphere\HaveIBeenPwned\Controllers\LoginHandler
+  Firesphere\HaveIBeenPwned\Services\HaveIBeenPwnedService:
+    properties:
+      hibp_api_key: '`HIBP_API_KEY`'

readme.md

@@ -37,6 +37,16 @@ PHP 5.6+
 
 # Configuration
 
+
+Making calls to the Have I Been Pwned API requires a key. There's [a full blog post on why here](https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api).
+
+To configure this module to use the key, define an environment variable on your server or your .env:
+
+```dotenv
+HIBP_API_KEY="MYAPIKEY1234567898765431"
+```
+
+Other configurations can be done in YML:
 ```yaml
 
 ---
@@ -52,7 +62,6 @@ Only:
 ---
 Firesphere\HaveIBeenPwned\Services\HaveIBeenPwnedService:
   allow_pwnd: true
-
 ```
 
 ## Parameters

src/services/HaveIBeenPwnedService.php

@@ -21,7 +21,7 @@ class HaveIBeenPwnedService
     /**
      * Api endpoint emails
      */
-    const PWND_URL = 'https://haveibeenpwned.com/api/';
+    const PWND_URL = 'https://haveibeenpwned.com/api/v3';
 
     /**
      * API endpoint passwords
@@ -31,7 +31,7 @@ class HaveIBeenPwnedService
     /**
      * API Version
      */
-    const API_VERSION = '2';
+    const API_VERSION = '3';
 
     /**
      * Useragent
@@ -121,6 +121,7 @@ private function checkList($result, $shaEnd)
     public function checkPwnedEmail($member)
     {
         $this->args['base_uri'] = static::PWND_URL;
+        $api_key = $this->hibp_api_key;
         $uniqueField = Member::config()->get('unique_identifier_field');
         $account = $member->{$uniqueField};
 
@@ -133,7 +134,8 @@ public function checkPwnedEmail($member)
             [
                 'headers' => [
                     'user-agent'  => static::USER_AGENT,
-                    'api-version' => static::API_VERSION
+                    'api-version' => static::API_VERSION,
+                    'hibp-api-key' => $api_key
                 ]
             ]
         );

tests/unit/LoginHandlerTest.php

@@ -11,6 +11,7 @@
 use SilverStripe\Control\HTTPRequest;
 use SilverStripe\Control\Session;
 use SilverStripe\Core\Config\Config;
+use SilverStripe\Core\Environment;
 use SilverStripe\Core\Injector\Injector;
 use SilverStripe\Dev\SapphireTest;
 use SilverStripe\Security\Authenticator;
@@ -119,12 +120,25 @@ public function testDoLogin()
         $this->assertContains('You can read more here', $passwordForm->getMessage());
 
         // Default Admin is always allowed
-        $response = $this->handler->doLogin(['Email' => 'admin', 'Password' => 'password'], $form, $request);
+        $admin = Environment::getEnv('SS_DEFAULT_ADMIN_USERNAME');
 
+        $password = Environment::getEnv('SS_DEFAULT_ADMIN_PASSWORD');
         $this->assertEquals(302, $response->getStatusCode());
+
         $this->assertNotContains('lostpassword', $response->getHeader('location'));
+        //don't run the test if default admin or password are missing
         $member = Security::getCurrentUser();
-        $this->assertTrue(DefaultAdminService::isDefaultAdmin($member->Email));
+        if (!$admin || !$password) {
+            $this->assertTrue(DefaultAdminService::isDefaultAdmin($member->Email));
+            $this->markTestSkipped();
+        } else {
+            $response = $this->handler->doLogin(['Email' => $admin, 'Password' => $password], $form, $request);
+
+            $this->assertEquals(302, $response->getStatusCode());
+            $this->assertNotContains('lostpassword', $response->getHeader('location'));
+            $member = Security::getCurrentUser();
+            $this->assertTrue(DefaultAdminService::isDefaultAdmin($member->Email));
+        }
     }
 
     protected function setUp()

tests/unit/MemberExtensionTest.php

@@ -22,7 +22,12 @@ public function testUpdateCMSFields()
         $fields = $this->member->getCMSFields();
 
         $this->assertInstanceOf(ReadonlyField::class, $fields->dataFieldByName('PasswordIsPwnd'));
-        $this->assertNotContains('If the error says that you "have been Pwnd", ', $fields->forTemplate());
+        $this->assertNull($fields->fieldByName('Root.HaveIBeenPwned'));
+        $this->assertNull(
+            $fields->findOrMakeTab('Root.HaveIBeenPwned')
+                ->Fields()
+                ->fieldByName('Helptext')
+        );
         $this->assertNull($fields->fieldByName('Root.HaveIBeenPwned'));
         $this->assertInstanceOf(CheckboxField::class, $fields->dataFieldByName('PwndDisabled'));
 
@@ -38,9 +43,23 @@ public function testUpdateCMSFields()
         $this->assertInstanceOf(Tab::class, $fields->fieldByName('Root.HaveIBeenPwned'));
         $this->assertInstanceOf(ReadonlyField::class, $fields->dataFieldByName('BreachedSites'));
 
-        $this->assertContains('Known breaches', $fields->forTemplate());
+        $this->assertNotNull($fields->dataFieldByName('BreachedSites'));
         $this->assertContains('If the error says that you "have been Pwnd", ', $fields->forTemplate());
-    }
+        $this->assertEquals('Known breaches', $fields->dataFieldByName('BreachedSites')->Title());
+
+        $this->assertNotNull(
+            $fields->findOrMakeTab('Root.HaveIBeenPwned')
+                ->Fields()
+                ->fieldByName('Helptext')
+        );
+
+        $this->assertContains(
+            'If the error says that you "have been Pwnd", ',
+            $fields->findOrMakeTab('Root.HaveIBeenPwned')
+                ->Fields()
+                ->fieldByName('Helptext')
+                ->getContent()
+        );    }
 
     protected function setUp()
     {