From da5a2e41c972ac61a48d697b5f5f0d6ac375129a Mon Sep 17 00:00:00 2001
From: groovecoder
Date: Fri, 1 Jun 2018 12:37:38 -0500
Subject: [PATCH] fix #143: hash email client-side before scanning

---
 hibp.js | 4 +--
 public/js/test.js | 39 ++++++++++++-----------------
 views/home.hbs | 2 +-
 views/partials/protect_yourself.hbs | 2 +-
 views/partials/what_to_do.hbs | 2 +-
 5 files changed, 20 insertions(+), 29 deletions(-)

diff --git a/hibp.js b/hibp.js
index bfef85f15..6036f31d6 100644
--- a/hibp.js
+++ b/hibp.js
@@ -5,17 +5,15 @@ const got = require("got");
 const AppConstants = require("./app-constants");
 const DBUtils = require("./db/utils");
 const pkg = require("./package.json");
-const getSha1 = require("./sha1-utils");
 const HIBP_USER_AGENT = `${pkg.name}/${pkg.version}`;
 const HIBP = {
- async getBreachesForEmail(email) {
+ async getBreachesForEmail(sha1) {
 let foundBreaches = [];
- const sha1 = getSha1(email);
 const sha1Prefix = sha1.slice(0, 6);
 const url = `${AppConstants.HIBP_STAGE_API_ROOT}/breachedaccount/range/${sha1Prefix}?code=${encodeURIComponent(AppConstants.HIBP_STAGE_API_TOKEN)}`;
 const headers = {
diff --git a/public/js/test.js b/public/js/test.js
index 1f15de46c..2d216142e 100644
--- a/public/js/test.js
+++ b/public/js/test.js
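Review bot: `getBreachesForEmail(sha1)` now receives the hash from the client, so it is untrusted input, yet nothing checks its shape before `sha1.slice(0, 6)` is interpolated into the HIBP request path. A caller that still passes a raw address (or anything else) would put the first six characters of it into the URL instead of a hash prefix; add a guard before the slice, `if (!/^[0-9a-f]{40}$/i.test(sha1)) throw new TypeError("getBreachesForEmail expects a 40-char hex SHA-1");`, and consider lower-casing the value so the prefix matches whatever case the range API expects. Whether the range API is case-sensitive I cannot tell from here, and the body of getBreachesForEmail continues past the end of the hunk, so any later comparison of the full hash against the returned suffixes is out of view. The method's doc comment (if any) should also be updated to say the parameter is now the SHA-1 hex digest of the address, not the address itself.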
@@ -25,26 +25,6 @@ function doXHR(aURL, aBodyObj, aAlertText, aDebug=true) {
 });
 }
-// eslint-disable-next-line no-unused-vars
-function addUser() {
- doXHR("/user/add",
- { email: document.getElementById("addUserField").value })
- .then(function() {
- alert("A verification link has been emailed to the specified address.");
- });
-}
-
-// eslint-disable-next-line no-unused-vars
-function removeUser() {
- doXHR("/user/remove",
- { email: document.getElementById("removeUserField").value });
-}
-
-// eslint-disable-next-line no-unused-vars
-// function doOauth() {
- // window.open("/oauth/init");
-// }
-
 // function isValidEmail(val) {
 // // https://stackoverflow.com/a/46181
 // const re = /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
@@ -60,8 +40,6 @@ function removeUser() {
 // }
 // }
-
-
 function showFalseDoor(){
 const falseDoorBlurb = "

Thank you for trying Firefox Monitor

FireFox Monitor is a concept we are testing. We hope to provide the service to everyone soon.

Stay up-to-date with Firefox Monitor and other new features when you sign up for the Firefox newsletter.

";
 const falseDoor = document.createElement("div");
@@ -75,9 +53,24 @@ function showFalseDoor(){
 }
+async function sha1(message) {
+ const msgBuffer = new TextEncoder("utf-8").encode(message);
+ const hashBuffer = await crypto.subtle.digest("SHA-1", msgBuffer);
+ const hashArray = Array.from(new Uint8Array(hashBuffer));
+ const hashHex = hashArray.map(b => ("00" + b.toString(16)).slice(-2)).join("");
+ return hashHex;
+}
+async function hashEmailAndSend(emailFormSubmitEvent) {
+ emailFormSubmitEvent.preventDefault();
+ const emailForm = emailFormSubmitEvent.target;
+ for (const emailInput of emailForm.querySelectorAll("input[type=email]")) {
+ emailInput.value = await sha1(emailInput.value);
+ }
+ emailForm.submit();
+}
-
+document.querySelector(".email-scan").addEventListener("submit", hashEmailAndSend);
 $(document).foundation();
 document.querySelector("#sign-up").addEventListener("click", showFalseDoor);
diff --git a/views/home.hbs b/views/home.hbs
index 1713a7fcb..d0da88877 100644
--- a/views/home.hbs
+++ b/views/home.hbs
@@ -13,7 +13,7 @@ Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec volutpat hendrerit !nibus.
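Review bot: `document.querySelector(".email-scan")` binds the hashing handler to only the first form with that class, while the diff touches three templates (home, protect_yourself, what_to_do) that appear to receive it; if more than one of those forms is rendered on a page, the others still submit the plaintext address, which is exactly what this commit set out to stop. The handler also calls `emailForm.submit()`, which bypasses constraint validation, so an empty or malformed `type=email` value is hashed and sent, and there is no error path: `crypto.subtle` is undefined outside secure contexts (plain http), so `sha1()` would reject after `preventDefault()` and the form silently never submits. If the removed server-side `getSha1` (./sha1-utils) normalized the address (trim/lowercase) before hashing, that normalization is now gone and lookups for addresses typed with different case or stray whitespace will miss; the client should apply the same normalization, to be confirmed against sha1-utils. Bind with `querySelectorAll`, validate before hashing, and fail closed if hashing throws, as sketched below.
```javascript
// … unchanged: sha1() …

async function hashEmailAndSend(emailFormSubmitEvent) {
  emailFormSubmitEvent.preventDefault();
  const emailForm = emailFormSubmitEvent.target;
  // form.submit() skips constraint validation, so run it explicitly first
  if (!emailForm.checkValidity()) {
    emailForm.reportValidity();
    return;
  }
  try {
    for (const emailInput of emailForm.querySelectorAll("input[type=email]")) {
      // TODO(review): match whatever normalization ./sha1-utils applied (trim/lowercase)
      emailInput.value = await sha1(emailInput.value.trim());
    }
  } catch (err) {
    // crypto.subtle is unavailable outside secure contexts; never fall through to a plaintext submit
    console.error("email hashing failed, not submitting", err);
    return;
  }
  emailForm.submit();
}

for (const form of document.querySelectorAll(".email-scan")) {
  form.addEventListener("submit", hashEmailAndSend);
}
// … unchanged: foundation init and #sign-up listener …
```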


-
+
diff --git a/views/partials/protect_yourself.hbs b/views/partials/protect_yourself.hbs
index d75bde440..1c89572f9 100644
--- a/views/partials/protect_yourself.hbs
+++ b/views/partials/protect_yourself.hbs
@@ -5,7 +5,7 @@ {{else}}

The first step to keeping your online accounts safe is knowing what you’re up against. Enter your email to find out if your accounts have been compromised.

{{/if}} - +
diff --git a/views/partials/what_to_do.hbs b/views/partials/what_to_do.hbs
index 4c44775a8..cdee2849e 100644
--- a/views/partials/what_to_do.hbs
+++ b/views/partials/what_to_do.hbs
@@ -16,7 +16,7 @@ Subscribe for alerts from Firefox Monitor to learn sooner about your compromised accounts.
  • - +