From da5a2e41c972ac61a48d697b5f5f0d6ac375129a Mon Sep 17 00:00:00 2001
From: groovecoder <luke.crouch@gmail.com>
Date: Fri, 1 Jun 2018 12:37:38 -0500
Subject: [PATCH 1/4] fix #143: hash email client-side before scanning

---
 hibp.js                             |  4 +--
 public/js/test.js                   | 39 ++++++++++++-----------------
 views/home.hbs                      |  2 +-
 views/partials/protect_yourself.hbs |  2 +-
 views/partials/what_to_do.hbs       |  2 +-
 5 files changed, 20 insertions(+), 29 deletions(-)

diff --git a/hibp.js b/hibp.js
index bfef85f15..6036f31d6 100644
--- a/hibp.js
+++ b/hibp.js
@@ -5,17 +5,15 @@ const got = require("got");
 const AppConstants = require("./app-constants");
 const DBUtils = require("./db/utils");
 const pkg = require("./package.json");
-const getSha1 = require("./sha1-utils");
 
 
 const HIBP_USER_AGENT = `${pkg.name}/${pkg.version}`;
 
 
 const HIBP = {
-  async getBreachesForEmail(email) {
+  async getBreachesForEmail(sha1) {
     let foundBreaches = [];
 
-    const sha1 = getSha1(email);
     const sha1Prefix = sha1.slice(0, 6);
     const url = `${AppConstants.HIBP_STAGE_API_ROOT}/breachedaccount/range/${sha1Prefix}?code=${encodeURIComponent(AppConstants.HIBP_STAGE_API_TOKEN)}`;
     const headers = {
diff --git a/public/js/test.js b/public/js/test.js
index 1f15de46c..2d216142e 100644
--- a/public/js/test.js
+++ b/public/js/test.js
@@ -25,26 +25,6 @@ function doXHR(aURL, aBodyObj, aAlertText, aDebug=true) {
   });
 }
 
-// eslint-disable-next-line no-unused-vars
-function addUser() {
-  doXHR("/user/add",
-        { email: document.getElementById("addUserField").value })
-    .then(function() {
-      alert("A verification link has been emailed to the specified address.");
-    });
-}
-
-// eslint-disable-next-line no-unused-vars
-function removeUser() {
-  doXHR("/user/remove",
-        { email: document.getElementById("removeUserField").value });
-}
-
-// eslint-disable-next-line no-unused-vars
-// function doOauth() {
-//   window.open("/oauth/init");
-// }
-
 // function isValidEmail(val) {
 //   // https://stackoverflow.com/a/46181
 //   const re = /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
@@ -60,8 +40,6 @@ function removeUser() {
 //   }
 // }
 
-
-
 function showFalseDoor(){
   const falseDoorBlurb = "<div class='section-container'><h4>Thank you for trying Firefox Monitor</h4><p>FireFox Monitor is a concept we are testing. We hope to provide the service to everyone soon.</p><p>Stay up-to-date with Firefox Monitor and other new features when you sign up for the <a href='https://www.mozilla.org/newsletter/firefox/'>Firefox newsletter.</a></p><button class='button' id='close-false-door'>Close</button></div>";
   const falseDoor = document.createElement("div");
@@ -75,9 +53,24 @@ function showFalseDoor(){
 
 }
 
+async function sha1(message) {
+  const msgBuffer = new TextEncoder("utf-8").encode(message);
+  const hashBuffer = await crypto.subtle.digest("SHA-1", msgBuffer);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  const hashHex = hashArray.map(b => ("00" + b.toString(16)).slice(-2)).join("");
+  return hashHex;
+}
 
+async function hashEmailAndSend(emailFormSubmitEvent) {
+  emailFormSubmitEvent.preventDefault();
+  const emailForm = emailFormSubmitEvent.target;
+  for (const emailInput of emailForm.querySelectorAll("input[type=email]")) {
+    emailInput.value = await sha1(emailInput.value);
+  }
+  emailForm.submit();
+}
 
-
+document.querySelector(".email-scan").addEventListener("submit", hashEmailAndSend);
 $(document).foundation();
 
 document.querySelector("#sign-up").addEventListener("click", showFalseDoor);
diff --git a/views/home.hbs b/views/home.hbs
index 1713a7fcb..d0da88877 100644
--- a/views/home.hbs
+++ b/views/home.hbs
@@ -13,7 +13,7 @@
       Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec volutpat hendrerit !nibus.
     </p>
     <br>
-    <form action="/scan" method="post">
+    <form action="/scan" class="email-scan" method="post">
       <div class="input-group">
         <input class="input-group-field email-to-hash" type="email" name="email">
         <div class="input-group-button">
diff --git a/views/partials/protect_yourself.hbs b/views/partials/protect_yourself.hbs
index d75bde440..1c89572f9 100644
--- a/views/partials/protect_yourself.hbs
+++ b/views/partials/protect_yourself.hbs
@@ -5,7 +5,7 @@
 {{else}}
   <p class="demi">The first step to keeping your online accounts safe is knowing what you’re up against. Enter your email to find out if your accounts have been compromised.</p>
 {{/if}}
-<form action="/scan" method="post">
+<form action="/scan" class="email-scan" method="post">
     <div class="input-group">
         <input class="input-group-field email-to-hash" type="email" name="email" placeholder="Enter Email Address">
         <div class="input-group-button">
diff --git a/views/partials/what_to_do.hbs b/views/partials/what_to_do.hbs
index 4c44775a8..cdee2849e 100644
--- a/views/partials/what_to_do.hbs
+++ b/views/partials/what_to_do.hbs
@@ -16,7 +16,7 @@
     <span class="bold">Subscribe</span> for alerts from Firefox Monitor to learn sooner about your compromised accounts.
   </li>
   <li>
-    <form action="/scan" method="post">
+    <form action="/scan" class="email-scan" method="post">
       <label class="medium">Scan another email address</label>
       <div class="input-group">
         <input class="input-group-field email-to-hash" type="email" name="email" placeholder="Enter Email">

From a625cc6e0cf657394a2d4e74536286b3b024a4e8 Mon Sep 17 00:00:00 2001
From: groovecoder <luke.crouch@gmail.com>
Date: Fri, 1 Jun 2018 12:43:27 -0500
Subject: [PATCH 2/4] for #55: disable un-used routes and urls

---
 public/js/{test.js => monitor.js}   | 31 ++++++++++++++++-------------
 public/test.html                    | 17 ----------------
 routes/hibp-stubs.js                | 24 ----------------------
 routes/scan.js                      | 13 ++++++------
 server.js                           | 18 ++++++++---------
 views/home.hbs                      |  1 +
 views/layouts/default.hbs           |  2 +-
 views/partials/protect_yourself.hbs |  1 +
 views/partials/what_to_do.hbs       |  1 +
 9 files changed, 35 insertions(+), 73 deletions(-)
 rename public/js/{test.js => monitor.js} (80%)
 delete mode 100644 public/test.html
 delete mode 100644 routes/hibp-stubs.js

diff --git a/public/js/test.js b/public/js/monitor.js
similarity index 80%
rename from public/js/test.js
rename to public/js/monitor.js
index 2d216142e..734a568ab 100644
--- a/public/js/test.js
+++ b/public/js/monitor.js
@@ -2,6 +2,7 @@
 
 "use strict";
 
+/*
 function doXHR(aURL, aBodyObj, aAlertText, aDebug=true) {
   return new Promise((resolve) => {
     const xhr = new XMLHttpRequest();
@@ -25,20 +26,21 @@ function doXHR(aURL, aBodyObj, aAlertText, aDebug=true) {
   });
 }
 
-// function isValidEmail(val) {
-//   // https://stackoverflow.com/a/46181
-//   const re = /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
-//   return re.test(String(val).toLowerCase());
-// }
+function isValidEmail(val) {
+  // https://stackoverflow.com/a/46181
+  const re = /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
+  return re.test(String(val).toLowerCase());
+}
 
-// function enableBtnIfEmailValid(e) {
-//   const emailBtn = document.getElementById("subscribe-email-btn");
-//   if (isValidEmail(e.target.value)) {
-//     emailBtn.disabled = false;
-//   } else {
-//     emailBtn.disabled = true;
-//   }
-// }
+function enableBtnIfEmailValid(e) {
+  const emailBtn = document.getElementById("subscribe-email-btn");
+  if (isValidEmail(e.target.value)) {
+    emailBtn.disabled = false;
+  } else {
+    emailBtn.disabled = true;
+  }
+}
+*/
 
 function showFalseDoor(){
   const falseDoorBlurb = "<div class='section-container'><h4>Thank you for trying Firefox Monitor</h4><p>FireFox Monitor is a concept we are testing. We hope to provide the service to everyone soon.</p><p>Stay up-to-date with Firefox Monitor and other new features when you sign up for the <a href='https://www.mozilla.org/newsletter/firefox/'>Firefox newsletter.</a></p><button class='button' id='close-false-door'>Close</button></div>";
@@ -65,7 +67,8 @@ async function hashEmailAndSend(emailFormSubmitEvent) {
   emailFormSubmitEvent.preventDefault();
   const emailForm = emailFormSubmitEvent.target;
   for (const emailInput of emailForm.querySelectorAll("input[type=email]")) {
-    emailInput.value = await sha1(emailInput.value);
+    emailForm.querySelector("input[name=emailHash]").value = await sha1(emailInput.value);
+    emailInput.value = "";
   }
   emailForm.submit();
 }
diff --git a/public/test.html b/public/test.html
deleted file mode 100644
index 69fd3e09a..000000000
--- a/public/test.html
+++ /dev/null
@@ -1,17 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="utf-8">
-  <title>blurts-server testing UI</title>
-  <script src="/js/test.js"></script>
-</head>
-
-<body>
-  <input type="text" id="addUserField" /><input type="submit" value="Add User" onclick="addUser()" /><br/>
-  <input type="submit" value="Add User Using FxA" onclick="doOauth()"/><br/>
-  <input type="text" id="removeUserField" /><input type="submit" value="Remove User" onclick="removeUser()" /><br/>
-  <br/>
-  <h1>Response dump:</h1>
-  <div id="responseDump" />
-</body>
-</html>
diff --git a/routes/hibp-stubs.js b/routes/hibp-stubs.js
deleted file mode 100644
index b78f8aa63..000000000
--- a/routes/hibp-stubs.js
+++ /dev/null
@@ -1,24 +0,0 @@
-"use strict";
-
-const express = require("express");
-const bodyParser = require("body-parser");
-
-const DBUtils = require("../db/utils");
-
-
-const router = express.Router();
-const urlEncodedParser = bodyParser.urlencoded({ extended: false });
-
-router.get("/api/v3/breachedaccount/range/:hashPrefix", urlEncodedParser, async (req, res) => {
-  const hashPrefix = req.params.hashPrefix;
-
-  const foundEntries = await DBUtils.getBreachesForHashPrefix(hashPrefix);
-
-  if (!foundEntries.length) {
-    res.status(404).send("Not Found");
-  } else {
-    res.render("range", {foundEntries});
-  }
-});
-
-module.exports = router;
diff --git a/routes/scan.js b/routes/scan.js
index 025c2fc15..0f3c1ad99 100644
--- a/routes/scan.js
+++ b/routes/scan.js
@@ -12,25 +12,24 @@ const urlEncodedParser = bodyParser.urlencoded({ extended: false });
 
 
 router.post("/", urlEncodedParser, async (req, res) => {
-  const email = req.body.email;
+  const emailHash = req.body.emailHash;
   let foundBreaches = [];
 
   if (!req.session.scanResults) {
     req.session.scanResults = {};
   }
 
-  if (email) {
-    if (req.session.scanResults[email]) {
-      foundBreaches = req.session.scanResults[email];
+  if (emailHash) {
+    if (req.session.scanResults[emailHash]) {
+      foundBreaches = req.session.scanResults[emailHash];
     } else {
-      foundBreaches = await HIBP.getBreachesForEmail(email);
-      req.session.scanResults[email] = foundBreaches;
+      foundBreaches = await HIBP.getBreachesForEmail(emailHash);
+      req.session.scanResults[emailHash] = foundBreaches;
     }
   }
 
   res.render("scan", {
     title: "Firefox Breach Alerts: Scan Results",
-    email: email,
     foundBreaches: foundBreaches,
   });
 });
diff --git a/server.js b/server.js
index 8d8dc38a5..8ba6cd268 100644
--- a/server.js
+++ b/server.js
@@ -7,15 +7,14 @@ const hbs = require("express-hbs");
 const helmet = require("helmet");
 const sessions = require("client-sessions");
 
-const EmailUtils = require("./email-utils");
+// const EmailUtils = require("./email-utils");
 const HBSHelpers = require("./hbs-helpers");
 
 const DockerflowRoutes = require("./routes/dockerflow");
-const HIBPRoutes = require("./routes/hibp-stubs");
 const HomeRoutes = require("./routes/home");
-const OAuthRoutes = require("./routes/oauth");
 const ScanRoutes = require("./routes/scan");
-const UserRoutes = require("./routes/user");
+// const OAuthRoutes = require("./routes/oauth");
+// const UserRoutes = require("./routes/user");
 
 
 const app = express();
@@ -70,15 +69,14 @@ app.use(sessions({
 
 app.use("/", HomeRoutes);
 app.use("/", DockerflowRoutes);
-app.use("/hibp", HIBPRoutes);
-app.use("/oauth", OAuthRoutes);
 app.use("/scan", ScanRoutes);
-app.use("/user", UserRoutes);
+// app.use("/oauth", OAuthRoutes);
+// app.use("/user", UserRoutes);
 
-EmailUtils.init().then(() => {
+// EmailUtils.init().then(() => {
   const listener = app.listen(AppConstants.PORT, () => {
     console.info(`Listening on ${listener.address().port}`);
   });
-}).catch(error => {
+/* }).catch(error => {
   console.error(error);
-});
+}); */
diff --git a/views/home.hbs b/views/home.hbs
index d0da88877..1a6da5ae0 100644
--- a/views/home.hbs
+++ b/views/home.hbs
@@ -16,6 +16,7 @@
     <form action="/scan" class="email-scan" method="post">
       <div class="input-group">
         <input class="input-group-field email-to-hash" type="email" name="email">
+        <input type="hidden" name="emailHash">
         <div class="input-group-button">
           <input id="submit-email" type="submit" class="button" value="Scan">
         </div>
diff --git a/views/layouts/default.hbs b/views/layouts/default.hbs
index 70392c449..9f22b65d7 100644
--- a/views/layouts/default.hbs
+++ b/views/layouts/default.hbs
@@ -9,7 +9,7 @@
     <link rel="stylesheet" href="/css/app.css">
     <script type="text/javascript" src="/js/vendor/jquery.js" defer></script>
     <script type="text/javascript" src="/js/vendor/foundation.min.js" defer></script>
-    <script type="text/javascript" src="/js/test.js" defer></script>
+    <script type="text/javascript" src="/js/monitor.js" defer></script>
   </head>
   <body>
     <header class ="top-bar">
diff --git a/views/partials/protect_yourself.hbs b/views/partials/protect_yourself.hbs
index 1c89572f9..874afb0d1 100644
--- a/views/partials/protect_yourself.hbs
+++ b/views/partials/protect_yourself.hbs
@@ -8,6 +8,7 @@
 <form action="/scan" class="email-scan" method="post">
     <div class="input-group">
         <input class="input-group-field email-to-hash" type="email" name="email" placeholder="Enter Email Address">
+        <input type="hidden" name="emailHash">
         <div class="input-group-button">
             <img src="img/Search.svg" alt="search icon" />
             <input id="submit-email" type="submit" class="button" value="Search">
diff --git a/views/partials/what_to_do.hbs b/views/partials/what_to_do.hbs
index cdee2849e..b783a0480 100644
--- a/views/partials/what_to_do.hbs
+++ b/views/partials/what_to_do.hbs
@@ -20,6 +20,7 @@
       <label class="medium">Scan another email address</label>
       <div class="input-group">
         <input class="input-group-field email-to-hash" type="email" name="email" placeholder="Enter Email">
+        <input type="hidden" name="emailHash">
         <div class="input-group-button">
           <img src="img/Search.svg" alt="search icon" />
           <input id="submit-email" type="submit" class="button" value="">

From 85bd40288d84d360ea7bb18b64023b5c062b8ffe Mon Sep 17 00:00:00 2001
From: groovecoder <luke.crouch@gmail.com>
Date: Fri, 1 Jun 2018 13:46:58 -0500
Subject: [PATCH 3/4] for #55: remove un-used range view

---
 views/range.hbs | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 views/range.hbs

diff --git a/views/range.hbs b/views/range.hbs
deleted file mode 100644
index 55c86ca24..000000000
--- a/views/range.hbs
+++ /dev/null
@@ -1,5 +0,0 @@
-{{#if foundEntries }}
-    {{#each foundEntries }}
-{{ sha1 }}:{{#each breaches }}{{ name }}{{#unless @last}},{{/unless}}{{/each}}
-    {{/each }}
-{{/if }}

From f7d4a907f5525fdbe522571bde7b5dfd3a48549b Mon Sep 17 00:00:00 2001
From: groovecoder <luke.crouch@gmail.com>
Date: Wed, 6 Jun 2018 07:15:48 -0500
Subject: [PATCH 4/4] for #143: don't include plain emails in POST forms

---
 views/home.hbs                      | 2 +-
 views/partials/protect_yourself.hbs | 2 +-
 views/partials/what_to_do.hbs       | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/views/home.hbs b/views/home.hbs
index 1a6da5ae0..aa42b2791 100644
--- a/views/home.hbs
+++ b/views/home.hbs
@@ -15,7 +15,7 @@
     <br>
     <form action="/scan" class="email-scan" method="post">
       <div class="input-group">
-        <input class="input-group-field email-to-hash" type="email" name="email">
+        <input class="input-group-field email-to-hash" type="email">
         <input type="hidden" name="emailHash">
         <div class="input-group-button">
           <input id="submit-email" type="submit" class="button" value="Scan">
diff --git a/views/partials/protect_yourself.hbs b/views/partials/protect_yourself.hbs
index 874afb0d1..a8588721d 100644
--- a/views/partials/protect_yourself.hbs
+++ b/views/partials/protect_yourself.hbs
@@ -7,7 +7,7 @@
 {{/if}}
 <form action="/scan" class="email-scan" method="post">
     <div class="input-group">
-        <input class="input-group-field email-to-hash" type="email" name="email" placeholder="Enter Email Address">
+        <input class="input-group-field email-to-hash" type="email" placeholder="Enter Email Address">
         <input type="hidden" name="emailHash">
         <div class="input-group-button">
             <img src="img/Search.svg" alt="search icon" />
diff --git a/views/partials/what_to_do.hbs b/views/partials/what_to_do.hbs
index b783a0480..46b9bf953 100644
--- a/views/partials/what_to_do.hbs
+++ b/views/partials/what_to_do.hbs
@@ -19,7 +19,7 @@
     <form action="/scan" class="email-scan" method="post">
       <label class="medium">Scan another email address</label>
       <div class="input-group">
-        <input class="input-group-field email-to-hash" type="email" name="email" placeholder="Enter Email">
+        <input class="input-group-field email-to-hash" type="email" placeholder="Enter Email">
         <input type="hidden" name="emailHash">
         <div class="input-group-button">
           <img src="img/Search.svg" alt="search icon" />