Security Review Flags Critical Gap: HIBP k-Anonymity Implementation Lacks Proof-of-Correctness Unit Test

A security review of a breached password detection feature has identified a critical missing safeguard: the implementation of the HIBP (Have I Been Pwned) k-anonymity protocol lacks a unit test to verify its correctness. This gap is not a minor oversight; the k-anonymity guarantee is the sole technical barrier preventing user passwords from being transmitted in full to a third-party service. Without a test proving the implementation is correct, the system harbors a latent critical credential exposure vulnerability.

The review, focused on the `lib/breach-check.ts` file, mandates that a unit test be created to mock the HIBP API endpoint and rigorously assert specific security boundaries. The test must confirm that any HTTP request to HIBP contains only a truncated, 5-character uppercase hexadecimal prefix of a SHA-1 hash (e.g., `/range/21BD1`). Crucially, it must prove that neither the full SHA-1 hash nor the plaintext password is ever included in the request URL, headers, or body. All comparison of the full hash suffix against the HIBP response list must be performed locally on the server side.

This requirement underscores a fundamental security principle: trust must be verified, not assumed. The absence of this test means the system's core privacy mechanism—designed to check passwords against breach databases without revealing them—operates on faith in its own code. A flawed implementation would silently defeat the entire security model, directly exposing user credentials. The review specifies using a known-breached password like 'password' to validate that the end-to-end detection logic functions correctly under the enforced k-anonymity constraints.