Merge 810ccffd9e into 52833f7fb3

config.ini

@@ -17,10 +17,8 @@ acceptallcustomnames=true
 # should attempts to log into non-existent accounts
 # automatically create them?
 autocreateaccounts=true
-# list of supported authentication methods (comma-separated)
+# support logging in with auth cookies?
-# password = allow login type 1 with plaintext passwords
+useauthcookies=false
-# cookie = allow login type 2 with one-shot auth cookies
-authmethods=password
 # how often should everything be flushed to the database?
 # the default is 4 minutes
 dbsaveinterval=240

sql/migration4.sql

@@ -8,7 +8,7 @@ BEGIN TRANSACTION;
 CREATE TABLE Auth (
     AccountID   INTEGER NOT NULL,
     Cookie      TEXT NOT NULL,
-    Expires     INTEGER DEFAULT 0 NOT NULL,
+    Valid       INTEGER NOT NULL,
     FOREIGN KEY(AccountID) REFERENCES Accounts(AccountID) ON DELETE CASCADE,
     UNIQUE (AccountID)
 );

sql/tables.sql

@@ -163,7 +163,7 @@ CREATE TABLE IF NOT EXISTS RedeemedCodes (
 CREATE TABLE IF NOT EXISTS Auth (
     AccountID   INTEGER NOT NULL,
     Cookie      TEXT NOT NULL,
-    Expires     INTEGER DEFAULT 0 NOT NULL,
+    Valid       INTEGER DEFAULT 0 NOT NULL,
     FOREIGN KEY(AccountID) REFERENCES Accounts(AccountID) ON DELETE CASCADE,
     UNIQUE (AccountID)
 );

src/db/Database.hpp

@@ -53,7 +53,7 @@ namespace Database {
 
     void updateAccountLevel(int accountId, int accountLevel);
 
-    // return true if cookie is valid for the account.
+    // return true iff cookie is valid for the account.
     // invalidates the stored cookie afterwards
     bool checkCookie(int accountId, const char *cookie);
 

src/db/login.cpp

@@ -104,12 +104,12 @@ bool Database::checkCookie(int accountId, const char *tryCookie) {
     const char* sql_get = R"(
         SELECT Cookie
         FROM Auth
-        WHERE AccountID = ? AND Expires > ?;
+        WHERE AccountID = ? AND Valid = 1;
         )";
 
     const char* sql_invalidate = R"(
         UPDATE Auth
-        SET Expires = 0
+        SET Valid = 0
         WHERE AccountID = ?;
         )";
 
@@ -117,7 +117,6 @@ bool Database::checkCookie(int accountId, const char *tryCookie) {
 
     sqlite3_prepare_v2(db, sql_get, -1, &stmt, NULL);
     sqlite3_bind_int(stmt, 1, accountId);
-    sqlite3_bind_int(stmt, 2, getTimestamp());
     int rc = sqlite3_step(stmt);
     if (rc != SQLITE_ROW) {
         sqlite3_finalize(stmt);
@@ -130,8 +129,7 @@ bool Database::checkCookie(int accountId, const char *tryCookie) {
         return false;
     }
 
-    /*
+    /* since cookies are immediately invalidated, we don't need to be concerned about
-     * since cookies are immediately invalidated, we don't need to be concerned about
      * timing-related side channel attacks, so strcmp is fine here
      */
     bool match = (strcmp(cookie, tryCookie) == 0);
@@ -142,7 +140,7 @@ bool Database::checkCookie(int accountId, const char *tryCookie) {
     rc = sqlite3_step(stmt);
     sqlite3_finalize(stmt);
     if (rc != SQLITE_DONE)
-        std::cout << "[WARN] Database fail on checkCookie(): " << sqlite3_errmsg(db) << std::endl;
+        std::cout << "[WARN] Database fail on consumeCookie(): " << sqlite3_errmsg(db) << std::endl;
 
     return match;
 }

src/servers/CNLoginServer.cpp

@@ -105,20 +105,30 @@ void loginFail(LoginError errorCode, std::string userLogin, CNSocket* sock) {
 
 void CNLoginServer::login(CNSocket* sock, CNPacketData* data) {
     auto login = (sP_CL2LS_REQ_LOGIN*)data->buf;
+    bool isCookieAuth = login->iLoginType == 2;
 
     std::string userLogin;
-    std::string userToken; // could be password or auth cookie
+    std::string userPassword;
 
     /*
      * The std::string -> char* -> std::string maneuver should remove any
      * trailing garbage after the null terminator.
      */
-    if (login->iLoginType == (int32_t)LoginType::COOKIE) {
+    if (isCookieAuth) {
+        // username encoded in TEGid raw
         userLogin = std::string(AUTOU8(login->szCookie_TEGid).c_str());
-        userToken = std::string(AUTOU8(login->szCookie_authid).c_str());
+
+        // N.B. clients that use web login without proper cookies
+        // send their passwords in the cookie field
+        userPassword = std::string(AUTOU8(login->szCookie_authid).c_str());
     } else {
         userLogin = std::string(AUTOU16TOU8(login->szID).c_str());
-        userToken = std::string(AUTOU16TOU8(login->szPassword).c_str());
+        userPassword = std::string(AUTOU16TOU8(login->szPassword).c_str());
+    }
+
+    if (!settings::USEAUTHCOOKIES) {
+        // use normal login flow
+        isCookieAuth = false;
     }
 
     // check username regex
@@ -135,42 +145,18 @@ void CNLoginServer::login(CNSocket* sock, CNPacketData* data) {
         return loginFail(LoginError::LOGIN_ERROR, userLogin, sock);
     }
 
-    // we only interpret the token as a cookie if cookie login was used and it's allowed.
+    // check password regex if not cookie auth
-    // otherwise we interpret it as a password, and this maintains compatibility with
+    if (!isCookieAuth && !CNLoginServer::isPasswordGood(userPassword)) {
-    // the auto-login trick used on older clients
+        // send a custom error message
-    bool isCookieAuth = login->iLoginType == (int32_t)LoginType::COOKIE
+        INITSTRUCT(sP_FE2CL_GM_REP_PC_ANNOUNCE, msg);
-                        && CNLoginServer::isLoginTypeAllowed(LoginType::COOKIE);
+        std::string text = "Invalid password\n";
+        text += "Password has to be 8 - 32 characters long";
+        U8toU16(text, msg.szAnnounceMsg, sizeof(msg.szAnnounceMsg));
+        msg.iDuringTime = 10;
+        sock->sendPacket(msg, P_FE2CL_GM_REP_PC_ANNOUNCE);
 
-    // password login checks
+        // we still have to send login fail to prevent softlock
-    if (!isCookieAuth) {
+        return loginFail(LoginError::LOGIN_ERROR, userLogin, sock);
-        // bail if password auth isn't allowed
-        if (!CNLoginServer::isLoginTypeAllowed(LoginType::PASSWORD)) {
-            // send a custom error message
-            INITSTRUCT(sP_FE2CL_GM_REP_PC_ANNOUNCE, msg);
-            std::string text = "Password login disabled\n";
-            text += "This server has disabled logging in with plaintext passwords.\n";
-            text += "Please contact an admin for assistance.";
-            U8toU16(text, msg.szAnnounceMsg, sizeof(msg.szAnnounceMsg));
-            msg.iDuringTime = 12;
-            sock->sendPacket(msg, P_FE2CL_GM_REP_PC_ANNOUNCE);
-
-            // we still have to send login fail to prevent softlock
-            return loginFail(LoginError::LOGIN_ERROR, userLogin, sock);
-        }
-
-        // check regex
-        if (!CNLoginServer::isPasswordGood(userToken)) {
-            // send a custom error message
-            INITSTRUCT(sP_FE2CL_GM_REP_PC_ANNOUNCE, msg);
-            std::string text = "Invalid password\n";
-            text += "Password has to be 8 - 32 characters long";
-            U8toU16(text, msg.szAnnounceMsg, sizeof(msg.szAnnounceMsg));
-            msg.iDuringTime = 10;
-            sock->sendPacket(msg, P_FE2CL_GM_REP_PC_ANNOUNCE);
-
-            // we still have to send login fail to prevent softlock
-            return loginFail(LoginError::LOGIN_ERROR, userLogin, sock);
-        }
     }
 
     Database::Account findUser = {};
@@ -180,18 +166,18 @@ void CNLoginServer::login(CNSocket* sock, CNPacketData* data) {
     if (findUser.AccountID == 0) {
         // don't auto-create an account if it's a cookie auth for whatever reason
         if (settings::AUTOCREATEACCOUNTS && !isCookieAuth)
-            return newAccount(sock, userLogin, userToken, login->iClientVerC);
+            return newAccount(sock, userLogin, userPassword, login->iClientVerC);
 
         return loginFail(LoginError::ID_DOESNT_EXIST, userLogin, sock);
     }
 
     if (isCookieAuth) {
-        const char *cookie = userToken.c_str();
+        const char *cookie = userPassword.c_str();
         if (!Database::checkCookie(findUser.AccountID, cookie))
             return loginFail(LoginError::ID_AND_PASSWORD_DO_NOT_MATCH, userLogin, sock);
     } else {
         // simple password check
-        if (!CNLoginServer::isPasswordCorrect(findUser.Password, userToken))
+        if (!CNLoginServer::isPasswordCorrect(findUser.Password, userPassword))
             return loginFail(LoginError::ID_AND_PASSWORD_DO_NOT_MATCH, userLogin, sock);
     }
 
@@ -679,17 +665,4 @@ bool CNLoginServer::isCharacterNameGood(std::string Firstname, std::string Lastn
     std::regex lastnamecheck(R"(((?! )(?!\.)[a-zA-Z0-9]*\.{0,1}(?!\.+ +)[a-zA-Z0-9]* {0,1}(?! +))*$)");
     return (std::regex_match(Firstname, firstnamecheck) && std::regex_match(Lastname, lastnamecheck));
 }
-
-bool CNLoginServer::isLoginTypeAllowed(LoginType loginType) {
-    // the config file specifies "comma-separated" but tbh we don't care
-    switch (loginType) {
-    case LoginType::PASSWORD:
-        return settings::AUTHMETHODS.find("password") != std::string::npos;
-    case LoginType::COOKIE:
-        return settings::AUTHMETHODS.find("cookie") != std::string::npos;
-    default:
-        break;
-    }
-    return false;
-}
 #pragma endregion

src/servers/CNLoginServer.hpp

@@ -23,11 +23,6 @@ enum class LoginError {
     UPDATED_EUALA_REQUIRED = 9
 };
 
-enum class LoginType {
-    PASSWORD = 1,
-    COOKIE = 2
-};
-
 // WARNING: THERE CAN ONLY BE ONE OF THESE SERVERS AT A TIME!!!!!! TODO: change loginSessions & packet handlers to be non-static
 class CNLoginServer : public CNServer {
 private:
@@ -49,7 +44,6 @@ private:
     static bool isPasswordCorrect(std::string actualPassword, std::string tryPassword);
     static bool isAccountInUse(int accountId);
     static bool isCharacterNameGood(std::string Firstname, std::string Lastname);
-    static bool isLoginTypeAllowed(LoginType loginType);
     static void newAccount(CNSocket* sock, std::string userLogin, std::string userPassword, int32_t clientVerC);
     // returns true if success
     static bool exitDuplicate(int accountId);

src/settings.cpp

@@ -13,7 +13,7 @@ bool settings::SANDBOX = true;
 int settings::LOGINPORT = 23000;
 bool settings::APPROVEALLNAMES = true;
 bool settings::AUTOCREATEACCOUNTS = true;
-std::string settings::AUTHMETHODS = "password";
+bool settings::USEAUTHCOOKIES = false;
 int settings::DBSAVEINTERVAL = 240;
 
 int settings::SHARDPORT = 23001;
@@ -88,7 +88,7 @@ void settings::init() {
     LOGINPORT = reader.GetInteger("login", "port", LOGINPORT);
     APPROVEALLNAMES = reader.GetBoolean("login", "acceptallcustomnames", APPROVEALLNAMES);
     AUTOCREATEACCOUNTS = reader.GetBoolean("login", "autocreateaccounts", AUTOCREATEACCOUNTS);
-    AUTHMETHODS = reader.Get("login", "authmethods", AUTHMETHODS);
+    USEAUTHCOOKIES = reader.GetBoolean("login", "useauthcookies", USEAUTHCOOKIES);
     DBSAVEINTERVAL = reader.GetInteger("login", "dbsaveinterval", DBSAVEINTERVAL);
     SHARDPORT = reader.GetInteger("shard", "port", SHARDPORT);
     SHARDSERVERIP = reader.Get("shard", "ip", SHARDSERVERIP);

src/settings.hpp

@@ -8,7 +8,7 @@ namespace settings {
     extern int LOGINPORT;
     extern bool APPROVEALLNAMES;
     extern bool AUTOCREATEACCOUNTS;
-    extern std::string AUTHMETHODS;
+    extern bool USEAUTHCOOKIES;
     extern int DBSAVEINTERVAL;
     extern int SHARDPORT;
     extern std::string SHARDSERVERIP;

vendor/bcrypt/bcrypt.c

@@ -22,14 +22,13 @@
 #endif
 #include <errno.h>
 
+#if defined(_WIN32) || defined(_WIN64)
+// On windows we need to generate random bytes differently.
 #if defined(_WIN32) && !defined(_WIN64)
 typedef __int32 ssize_t;
 #elif defined(_WIN32) && defined(_WIN64)
 typedef __int64 ssize_t;
 #endif
-
-#if defined(_WIN32) || defined(_WIN64)
-// On windows we need to generate random bytes differently.
 #define BCRYPT_HASHSIZE 60
 
 #include "bcrypt.h"