Description
The new NotCompromisedPasswordValidator is a very nice feature which greatly improves the security of user accounts.
Having a look at the source file for pwnedpasswords.com (pwned-passwords-sha1-ordered-by-count-v4.txt), providing the same basic API for range check endpoints is quite trivial.
Making the API endpoint configurable instead of a hardcoded constant (NotCompromisedPasswordValidator::RANGE_API) would allow using the password compromise check in intranets without requiring internet access for the validation. Only the range API server would need to periodically refresh its data source.
In addition, integration testing and easier development using a minimal API server just providing a few known hashes would be possible, see #30871.
If you also think the feature might be useful, I can provide a PR.
Example
```php
// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;

class User
{
    // ...

    /**
     * @Assert\NotCompromisedPassword(
     *     rangeApi = "https://password-check.internal.example.com"
     * )
     */
    protected $rawPassword;
}
```
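To show what such an internal range API server has to provide, and what the validator does on its side, here is an added example (not Symfony code and not part of this issue) of both halves of the k-anonymity range check: the server indexes `SHA1:count` records by their 5-character hex prefix and answers with `SUFFIX:COUNT` lines, and the client sends only the prefix and matches the full suffix locally. The passwords and counts in `SAMPLE_COUNTS` are constructed; a real server would load the pwned-passwords file instead.

```python
import hashlib
from collections import defaultdict

# Constructed sample data source (plaintext -> breach count). Hashed below so
# the block mirrors the "<SHA1>:<count>" record format of the pwned-passwords file
# without embedding real breach data.
SAMPLE_COUNTS = {"password": 3730471, "letmein": 112583, "qwerty": 3599486}


def build_range_index(counts):
    """Server side: group records by the first 5 hex chars of the uppercase SHA-1."""
    index = defaultdict(list)
    for plaintext, count in counts.items():
        digest = hashlib.sha1(plaintext.encode("utf-8")).hexdigest().upper()
        index[digest[:5]].append((digest[5:], count))
    return index


def range_api(index, prefix):
    """Server side: answer GET /range/{prefix} with CRLF-separated 'SUFFIX:COUNT' lines.

    An unknown prefix yields an empty body, which the client reads as "not found".
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in index.get(prefix, []))


def compromised_count(password, lookup):
    """Client side: only the 5-char prefix leaves the host; the suffix match is local.

    `lookup(prefix)` stands in for the HTTP call to the configured range API endpoint.
    Returns the breach count, or 0 when the password is not in the data source.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line.strip():
            continue
        line_suffix, _, count = line.partition(":")
        if line_suffix.strip() == suffix:
            return int(count.strip())
    return 0


if __name__ == "__main__":
    index = build_range_index(SAMPLE_COUNTS)
    for candidate in ("password", "correct horse battery staple"):
        n = compromised_count(candidate, lambda p: range_api(index, p))
        print(f"{candidate!r}: {'compromised' if n else 'not found'} ({n})")
```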