feat(security): add pwned password validation

[AlexProgrammerDE]

Successor of #2642 because for some reason it was closed unmerged and I didn't get a reply from the maintainers so far. Will update the code to be mergable this evening.

[Xephi]

Successor of #2642 because for some reason it was closed unmerged and I didn't get a reply from the maintainers so far. Will update the code to be mergable this evening.

#2960

Thanks for your contribution, actually it needs some changes to be mergeable yes :)

[Xephi]

Sorry @AlexProgrammerDE , completely reworked the plugin :D

[AlexProgrammerDE]

@Xephi PR is ready for merge/review

[Copilot]

Pull request overview

Adds an optional HaveIBeenPwned “Pwned Passwords” range-API check to AuthMe’s password validation so servers can reject commonly breached passwords during registration / password changes.

Changes:

• Introduces PwnedPasswordService to query the HIBP range API and parse breach counts.
• Extends ValidationService.validatePassword to optionally reject passwords above a configurable breach-count threshold.
• Adds message key + English translation and unit tests covering service + validation behavior.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
authme-core/src/main/java/fr/xephi/authme/service/PwnedPasswordService.java	New service performing HIBP range API request and parsing response into a pwned-count result.
authme-core/src/main/java/fr/xephi/authme/service/ValidationService.java	Wires the pwned-password check into password validation behind a settings flag + threshold.
authme-core/src/main/java/fr/xephi/authme/settings/properties/SecuritySettings.java	Adds config toggles for enabling the check and setting the breach-count threshold.
authme-core/src/main/java/fr/xephi/authme/message/MessageKey.java	Adds a new message key + placeholder for breach count.
authme-core/src/main/resources/messages/messages_en.yml	Adds the English message text for the new validation error.
authme-core/src/test/java/fr/xephi/authme/service/PwnedPasswordServiceTest.java	New unit tests for parsing + request prefix behavior + failure behavior.
authme-core/src/test/java/fr/xephi/authme/service/ValidationServiceTest.java	Adds tests for threshold behavior and “unavailable API” behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

validatePassword now performs a synchronous network call to the HIBP API (pwnedPasswordService.getPwnedCount). This method is invoked directly on the command thread in some flows (e.g., RegisterAdminCommand calls validatePassword before any async handoff), and also when useAsyncTasks is disabled, which can block the server thread for up to the configured HTTP timeouts. Consider moving the pwned-password query to an async step (or providing an async validation API) so password validation cannot stall the main thread.

[Copilot]

getPwnedCount relies on HashUtils.sha1(password), but HashUtils.hash uses message.getBytes() without an explicit charset, so the SHA-1 can differ across platforms for non-ASCII passwords. For interoperability with the HIBP API and consistent behavior across JVMs/OSes, ensure the SHA-1 is computed over a fixed charset (typically UTF-8), either by updating HashUtils or by hashing with an explicit charset here.

[Xephi]

Thanks copilot :D
We need to be thread-safe :)