meta {
  name: Search password by range
  type: http
  seq: 2
}

get {
  url: https://api.pwnedpasswords.com/range/{{password_hashed_prefix}}
  body: none
  auth: inherit
}

headers {
  hibp-api-key: {{hibp-api-key}}
}

vars:pre-request {
  password: 123456
}

script:pre-request {
  const CryptoJS = require('crypto-js');
  
  const password = bru.interpolate("{{password}}");
  const password_hashed = CryptoJS.SHA1(password).toString().toUpperCase();
  const password_hashed_prefix = password_hashed.substring(0,5);
  const password_hashed_suffix = password_hashed.substring(5);
  
  bru.setVar("password_hashed_prefix", password_hashed_prefix)
  bru.setVar("password_hashed_suffix", password_hashed_suffix)
}

script:post-response {
  let data = res.getBody();
  
  const suffix = bru.getVar("password_hashed_suffix")
  const password = bru.interpolate("{{password}}");
  
  const regex = new RegExp(`^(?<hash>${suffix}):(?<occurrences>\\d*)`, "m");
  
  const match = data.match(regex)
  
  const result = match ? {
        password: password,
        found: true,
        occurrences: Number(match.groups.occurrences)
      }
    : {
        password: password,
        found: false,
        occurrences: 0
      };
  
  res.setBody(JSON.stringify(result, null, 4)) // Bug: https://github.com/usebruno/bruno/issues/4748
}

settings {
  encodeUrl: true
}

docs {
  **The password is not sent to the server!** It is hashed locally and part of the hash is sent to HIBP.
  
  See: [Searching by Range](https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange)
}