A defensive security EdgeWorker that validates username/password combinations against a HarperDB database to detect and prevent the use of known compromised credentials.
The NoMoreLeaks EdgeWorker acts as middleware that intercepts login requests, generates SHA-256 hashes of username/password combinations, and validates them against a database of known compromised credentials. This helps organizations prevent account takeover attacks by blocking authentication attempts using leaked credentials.
- Real-time Credential Validation: Validates login attempts against known compromised credentials
- Multiple Content-Type Support: Handles both JSON and form-urlencoded request bodies
- Secure Hash Generation: Creates SHA-256 hashes of normalized username/password combinations
- HarperDB Integration: Queries HarperDB via subWorkers for efficient credential lookups
- Positive Match Reporting: Reports successful logins with known compromised credentials
- Header Security: Automatically removes unsafe headers from requests/responses
```text
Client Request → EdgeWorker → Hash Generation → HarperDB Lookup → Origin Server
                                                      ↓
                                    Positive Match Reporting (if compromised credentials found)
```
- Akamai EdgeWorkers environment
- HarperDB instance configured with compromised credentials
- Basic authentication credentials for HarperDB access
- Clone the repository:
  ```bash
  git clone https://github.com/jjgrinwis/ew-nomoreleaks-master-harperdb.git
  cd ew-nomoreleaks-master-harperdb
  ```
- Install dependencies:
  ```bash
  npm install
  ```
- Configure the EdgeWorker by editing `constants.ts`:
  ```typescript
  export const UNAME = "username"; // JSON path to username field
  export const PASSWD = "password"; // JSON path to password field
  export const KNOWN_KEY_URL = "https://your-harperdb-endpoint/ew-knownkey";
  export const POSITIVE_MATCH_URL = "https://your-harperdb-endpoint/positiveMatch";
  ```
- Set the environment variable in your delivery configuration:
  ```text
  PMUSER_AUTH_HEADER = "Basic <base64-encoded-credentials>"
  ```
```bash
# Build the EdgeWorker
npm run build
# Deploy to staging
npm run activate-edgeworker
# Deploy to production
npm run activate-edgeworker-prod
```
The EdgeWorker supports flexible JSON path mapping for the username and password fields (each pair below is an alternative setting for `constants.ts`):
```typescript
// Simple fields
export const UNAME = "username";
export const PASSWD = "password";
// Nested fields
export const UNAME = "user.email";
export const PASSWD = "credentials.password";
// Array elements
export const UNAME = "users[0].email";
```
Configure your HarperDB endpoints in `constants.ts`:
- `KNOWN_KEY_URL`: Endpoint for hash lookup queries
- `POSITIVE_MATCH_URL`: Endpoint for reporting positive matches
The EdgeWorker processes requests in the following order:
- Content-Type Detection: Supports `application/json` and `application/x-www-form-urlencoded`
- Credential Extraction: Uses configured field paths to extract username/password
- Normalization: Converts username to lowercase and applies NFC normalization
- Hash Generation: Creates SHA-256 hash of normalized credentials
- Database Lookup: Queries HarperDB for hash existence
- Request Forwarding: Forwards request to origin with security headers
- Match Reporting: Reports positive matches asynchronously
| Header | Value |
|---|---|
| `Content-Type` | `application/json` or `application/x-www-form-urlencoded` |
| `Pragma` | `akamai-x-ew-debug-rp,akamai-x-ew-subworkers,akamai-x-ew-debug-subs` (for debugging) |
| `x-nomoreleaks` | `true` if compromised credentials detected, `false` otherwise |
Expected response from HarperDB lookup:
```json
{
  "id": {
    "timestamp": 1747393156429,
    "positiveMatch": false,
    "id": "2415aa96-ef6d-4ee6-bf1f-d69072d52b02"
  }
}
```
- `npm run build`: Build TypeScript and create deployment package
- `npm run build-ts`: Compile TypeScript only
- `npm run activate-edgeworker`: Deploy to staging
- `npm run activate-edgeworker-prod`: Deploy to production
- `npm run generate-token`: Generate authentication token
- `npm run list-groups`: List EdgeWorker groups
Test the EdgeWorker with httpie:
```bash
http POST https://your-endpoint.com/login \
  Content-Type:application/json \
  username=test@example.com \
  password=testpassword
```
Or with form data:
```bash
http --form POST https://your-endpoint.com/login \
  username=test@example.com \
  password=testpassword
```
Enable debug logging by adding the Pragma header:
```text
Pragma: akamai-x-ew-debug-rp,akamai-x-ew-subworkers,akamai-x-ew-debug-subs
```
- Credential Normalization: Usernames are normalized to lowercase and NFC to prevent encoding bypasses
- Hash Security: Only first 5 characters of hashes are logged for security
- Header Sanitization: Unsafe headers are automatically removed from requests/responses
- Non-blocking Operation: Positive match reporting is fire-and-forget to avoid impacting user experience
- Efficient Hashing: Uses Web Crypto API for optimal performance
- Asynchronous Processing: Database lookups and reporting are non-blocking
- Minimal Overhead: Lightweight implementation with minimal impact on request latency
- Content-Type not detected: Ensure requests include proper Content-Type headers
- Hash lookup failures: Verify HarperDB endpoint configuration and authentication
- Build failures: Check TypeScript compilation and dependencies
The EdgeWorker logs the following information:
- Generated hash prefixes (first 5 characters)
- HarperDB lookup results
- Error conditions and debugging information
- Fork the repository
- Create a feature branch
- Make your changes
- Test thoroughly
- Submit a pull request
Copyright 2024 Akamai Technologies, Inc. Licensed under the Apache License, Version 2.0.
For issues and questions:
- Check the troubleshooting guide
- Review EdgeWorker logs for error details
- Consult Akamai EdgeWorkers documentation