#!/bin/bash
set -euo pipefail

# Load helper functions
source ${HOME}/bin/script_framework.sh

# Require at least one password to be present
[ $# -lt 1 ] && fail "You need to supply at least password as argument"

# Check against online API using range request not to disclose the password hash
function check_password() {
  checksum=$(echo -n "${1}" | sha1sum | tr 'a-z' 'A-Z')
  curl -s https://api.pwnedpasswords.com/range/${checksum:0:5} |
    awk -F: "/${checksum:5:35}/{ print \$2 }" | tr -d '\n\r'
}

# Main loop to check every password
for pass in "$@"; do
  count=$(check_password "${pass}")
  if [ ${count:-0} -gt 0 ]; then
    error "Password '${pass}' was included in breaches ${count} times!"
  else
    info "Password '${pass}' was not yet found in breaches..."
  fi
done