mattevans / pwned-passwords Goto Github PK

Hi! I've built a little CLI tool on top of your library. Hope that's not a problem https://github.com/apiarian/hibp .

I just read, Troy Hunt blog post about Pwned Passwords, wanted to use it and saw your lib : great job you will save me time.
However I did some code review and saw you are using http.DefaultClient as http client : be careful that DefaultClient has no timeout by default so it make your lib dependant on https://api.pwnedpasswords.com server response. Although pwnedpassword is a well backed API and it will not hang request every day I think it's preferable to avoid the risk and use a custom http.client just to set a timeout.
See this and cloudflare guide to timeout.

I suggest a 3 minutes timeout, because this is the value that may be added to the http.DefaultClient in future Go release
... or maybe add the possibility to pass the wanted timeout value to hibp.NewClient()

It would be nice to have the number of times a password was pwned returned rather than just a true/false value as to whether it was actually pwned.

Then we could add an IsPwned method to the PwnedStore struct to allow a user to use the old behaviour if this was desired.

I'm happy to make this change if it's something you would accept?