mirror of
				https://github.com/OpenFusionProject/OpenFusion.git
				synced 2025-10-26 14:20:06 +00:00 
			
		
		
		
	Compare commits
	
		
			4 Commits
		
	
	
		
			c4eb4a481b
			...
			1.6
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| d9b6aedd5b | |||
|   | 145113062b | ||
| d717c5d74d | |||
| a6eb0e2349 | 
| @@ -17,8 +17,10 @@ acceptallcustomnames=true | ||||
| # should attempts to log into non-existent accounts | ||||
| # automatically create them? | ||||
| autocreateaccounts=true | ||||
| # support logging in with auth cookies? | ||||
| useauthcookies=false | ||||
| # list of supported authentication methods (comma-separated) | ||||
| # password = allow login type 1 with plaintext passwords | ||||
| # cookie = allow login type 2 with one-shot auth cookies | ||||
| authmethods=password | ||||
| # how often should everything be flushed to the database? | ||||
| # the default is 4 minutes | ||||
| dbsaveinterval=240 | ||||
|   | ||||
| @@ -8,7 +8,7 @@ BEGIN TRANSACTION; | ||||
| CREATE TABLE Auth ( | ||||
|     AccountID   INTEGER NOT NULL, | ||||
|     Cookie      TEXT NOT NULL, | ||||
|     Valid       INTEGER NOT NULL, | ||||
|     Expires     INTEGER DEFAULT 0 NOT NULL, | ||||
|     FOREIGN KEY(AccountID) REFERENCES Accounts(AccountID) ON DELETE CASCADE, | ||||
|     UNIQUE (AccountID) | ||||
| ); | ||||
|   | ||||
| @@ -163,7 +163,7 @@ CREATE TABLE IF NOT EXISTS RedeemedCodes ( | ||||
| CREATE TABLE IF NOT EXISTS Auth ( | ||||
|     AccountID   INTEGER NOT NULL, | ||||
|     Cookie      TEXT NOT NULL, | ||||
|     Valid       INTEGER DEFAULT 0 NOT NULL, | ||||
|     Expires     INTEGER DEFAULT 0 NOT NULL, | ||||
|     FOREIGN KEY(AccountID) REFERENCES Accounts(AccountID) ON DELETE CASCADE, | ||||
|     UNIQUE (AccountID) | ||||
| ); | ||||
|   | ||||
| @@ -53,7 +53,7 @@ namespace Database { | ||||
|  | ||||
|     void updateAccountLevel(int accountId, int accountLevel); | ||||
|  | ||||
|     // return true iff cookie is valid for the account. | ||||
|     // return true if cookie is valid for the account. | ||||
|     // invalidates the stored cookie afterwards | ||||
|     bool checkCookie(int accountId, const char *cookie); | ||||
|  | ||||
|   | ||||
| @@ -104,12 +104,12 @@ bool Database::checkCookie(int accountId, const char *tryCookie) { | ||||
|     const char* sql_get = R"( | ||||
|         SELECT Cookie | ||||
|         FROM Auth | ||||
|         WHERE AccountID = ? AND Valid = 1; | ||||
|         WHERE AccountID = ? AND Expires > ?; | ||||
|         )"; | ||||
|  | ||||
|     const char* sql_invalidate = R"( | ||||
|         UPDATE Auth | ||||
|         SET Valid = 0 | ||||
|         SET Expires = 0 | ||||
|         WHERE AccountID = ?; | ||||
|         )"; | ||||
|  | ||||
| @@ -117,6 +117,7 @@ bool Database::checkCookie(int accountId, const char *tryCookie) { | ||||
|  | ||||
|     sqlite3_prepare_v2(db, sql_get, -1, &stmt, NULL); | ||||
|     sqlite3_bind_int(stmt, 1, accountId); | ||||
|     sqlite3_bind_int(stmt, 2, getTimestamp()); | ||||
|     int rc = sqlite3_step(stmt); | ||||
|     if (rc != SQLITE_ROW) { | ||||
|         sqlite3_finalize(stmt); | ||||
| @@ -129,7 +130,8 @@ bool Database::checkCookie(int accountId, const char *tryCookie) { | ||||
|         return false; | ||||
|     } | ||||
|  | ||||
|     /* since cookies are immediately invalidated, we don't need to be concerned about | ||||
|     /* | ||||
|      * since cookies are immediately invalidated, we don't need to be concerned about | ||||
|      * timing-related side channel attacks, so strcmp is fine here | ||||
|      */ | ||||
|     bool match = (strcmp(cookie, tryCookie) == 0); | ||||
| @@ -140,7 +142,7 @@ bool Database::checkCookie(int accountId, const char *tryCookie) { | ||||
|     rc = sqlite3_step(stmt); | ||||
|     sqlite3_finalize(stmt); | ||||
|     if (rc != SQLITE_DONE) | ||||
|         std::cout << "[WARN] Database fail on consumeCookie(): " << sqlite3_errmsg(db) << std::endl; | ||||
|         std::cout << "[WARN] Database fail on checkCookie(): " << sqlite3_errmsg(db) << std::endl; | ||||
|  | ||||
|     return match; | ||||
| } | ||||
|   | ||||
| @@ -105,30 +105,20 @@ void loginFail(LoginError errorCode, std::string userLogin, CNSocket* sock) { | ||||
|  | ||||
| void CNLoginServer::login(CNSocket* sock, CNPacketData* data) { | ||||
|     auto login = (sP_CL2LS_REQ_LOGIN*)data->buf; | ||||
|     bool isCookieAuth = login->iLoginType == 2; | ||||
|  | ||||
|     std::string userLogin; | ||||
|     std::string userPassword; | ||||
|     std::string userToken; // could be password or auth cookie | ||||
|  | ||||
|     /* | ||||
|      * The std::string -> char* -> std::string maneuver should remove any | ||||
|      * trailing garbage after the null terminator. | ||||
|      */ | ||||
|     if (isCookieAuth) { | ||||
|         // username encoded in TEGid raw | ||||
|     if (login->iLoginType == (int32_t)LoginType::COOKIE) { | ||||
|         userLogin = std::string(AUTOU8(login->szCookie_TEGid).c_str()); | ||||
|  | ||||
|         // N.B. clients that use web login without proper cookies | ||||
|         // send their passwords in the cookie field | ||||
|         userPassword = std::string(AUTOU8(login->szCookie_authid).c_str()); | ||||
|         userToken = std::string(AUTOU8(login->szCookie_authid).c_str()); | ||||
|     } else { | ||||
|         userLogin = std::string(AUTOU16TOU8(login->szID).c_str()); | ||||
|         userPassword = std::string(AUTOU16TOU8(login->szPassword).c_str()); | ||||
|     } | ||||
|  | ||||
|     if (!settings::USEAUTHCOOKIES) { | ||||
|         // use normal login flow | ||||
|         isCookieAuth = false; | ||||
|         userToken = std::string(AUTOU16TOU8(login->szPassword).c_str()); | ||||
|     } | ||||
|  | ||||
|     // check username regex | ||||
| @@ -145,18 +135,42 @@ void CNLoginServer::login(CNSocket* sock, CNPacketData* data) { | ||||
|         return loginFail(LoginError::LOGIN_ERROR, userLogin, sock); | ||||
|     } | ||||
|  | ||||
|     // check password regex if not cookie auth | ||||
|     if (!isCookieAuth && !CNLoginServer::isPasswordGood(userPassword)) { | ||||
|         // send a custom error message | ||||
|         INITSTRUCT(sP_FE2CL_GM_REP_PC_ANNOUNCE, msg); | ||||
|         std::string text = "Invalid password\n"; | ||||
|         text += "Password has to be 8 - 32 characters long"; | ||||
|         U8toU16(text, msg.szAnnounceMsg, sizeof(msg.szAnnounceMsg)); | ||||
|         msg.iDuringTime = 10; | ||||
|         sock->sendPacket(msg, P_FE2CL_GM_REP_PC_ANNOUNCE); | ||||
|     // we only interpret the token as a cookie if cookie login was used and it's allowed. | ||||
|     // otherwise we interpret it as a password, and this maintains compatibility with | ||||
|     // the auto-login trick used on older clients | ||||
|     bool isCookieAuth = login->iLoginType == (int32_t)LoginType::COOKIE | ||||
|                         && CNLoginServer::isLoginTypeAllowed(LoginType::COOKIE); | ||||
|  | ||||
|         // we still have to send login fail to prevent softlock | ||||
|         return loginFail(LoginError::LOGIN_ERROR, userLogin, sock); | ||||
|     // password login checks | ||||
|     if (!isCookieAuth) { | ||||
|         // bail if password auth isn't allowed | ||||
|         if (!CNLoginServer::isLoginTypeAllowed(LoginType::PASSWORD)) { | ||||
|             // send a custom error message | ||||
|             INITSTRUCT(sP_FE2CL_GM_REP_PC_ANNOUNCE, msg); | ||||
|             std::string text = "Password login disabled\n"; | ||||
|             text += "This server has disabled logging in with plaintext passwords.\n"; | ||||
|             text += "Please contact an admin for assistance."; | ||||
|             U8toU16(text, msg.szAnnounceMsg, sizeof(msg.szAnnounceMsg)); | ||||
|             msg.iDuringTime = 12; | ||||
|             sock->sendPacket(msg, P_FE2CL_GM_REP_PC_ANNOUNCE); | ||||
|  | ||||
|             // we still have to send login fail to prevent softlock | ||||
|             return loginFail(LoginError::LOGIN_ERROR, userLogin, sock); | ||||
|         } | ||||
|  | ||||
|         // check regex | ||||
|         if (!CNLoginServer::isPasswordGood(userToken)) { | ||||
|             // send a custom error message | ||||
|             INITSTRUCT(sP_FE2CL_GM_REP_PC_ANNOUNCE, msg); | ||||
|             std::string text = "Invalid password\n"; | ||||
|             text += "Password has to be 8 - 32 characters long"; | ||||
|             U8toU16(text, msg.szAnnounceMsg, sizeof(msg.szAnnounceMsg)); | ||||
|             msg.iDuringTime = 10; | ||||
|             sock->sendPacket(msg, P_FE2CL_GM_REP_PC_ANNOUNCE); | ||||
|  | ||||
|             // we still have to send login fail to prevent softlock | ||||
|             return loginFail(LoginError::LOGIN_ERROR, userLogin, sock); | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     Database::Account findUser = {}; | ||||
| @@ -166,18 +180,18 @@ void CNLoginServer::login(CNSocket* sock, CNPacketData* data) { | ||||
|     if (findUser.AccountID == 0) { | ||||
|         // don't auto-create an account if it's a cookie auth for whatever reason | ||||
|         if (settings::AUTOCREATEACCOUNTS && !isCookieAuth) | ||||
|             return newAccount(sock, userLogin, userPassword, login->iClientVerC); | ||||
|             return newAccount(sock, userLogin, userToken, login->iClientVerC); | ||||
|  | ||||
|         return loginFail(LoginError::ID_DOESNT_EXIST, userLogin, sock); | ||||
|     } | ||||
|  | ||||
|     if (isCookieAuth) { | ||||
|         const char *cookie = userPassword.c_str(); | ||||
|         const char *cookie = userToken.c_str(); | ||||
|         if (!Database::checkCookie(findUser.AccountID, cookie)) | ||||
|             return loginFail(LoginError::ID_AND_PASSWORD_DO_NOT_MATCH, userLogin, sock); | ||||
|     } else { | ||||
|         // simple password check | ||||
|         if (!CNLoginServer::isPasswordCorrect(findUser.Password, userPassword)) | ||||
|         if (!CNLoginServer::isPasswordCorrect(findUser.Password, userToken)) | ||||
|             return loginFail(LoginError::ID_AND_PASSWORD_DO_NOT_MATCH, userLogin, sock); | ||||
|     } | ||||
|  | ||||
| @@ -665,4 +679,17 @@ bool CNLoginServer::isCharacterNameGood(std::string Firstname, std::string Lastn | ||||
|     std::regex lastnamecheck(R"(((?! )(?!\.)[a-zA-Z0-9]*\.{0,1}(?!\.+ +)[a-zA-Z0-9]* {0,1}(?! +))*$)"); | ||||
|     return (std::regex_match(Firstname, firstnamecheck) && std::regex_match(Lastname, lastnamecheck)); | ||||
| } | ||||
|  | ||||
| bool CNLoginServer::isLoginTypeAllowed(LoginType loginType) { | ||||
|     // the config file specifies "comma-separated" but tbh we don't care | ||||
|     switch (loginType) { | ||||
|     case LoginType::PASSWORD: | ||||
|         return settings::AUTHMETHODS.find("password") != std::string::npos; | ||||
|     case LoginType::COOKIE: | ||||
|         return settings::AUTHMETHODS.find("cookie") != std::string::npos; | ||||
|     default: | ||||
|         break; | ||||
|     } | ||||
|     return false; | ||||
| } | ||||
| #pragma endregion | ||||
|   | ||||
| @@ -23,6 +23,11 @@ enum class LoginError { | ||||
|     UPDATED_EUALA_REQUIRED = 9 | ||||
| }; | ||||
|  | ||||
| enum class LoginType { | ||||
|     PASSWORD = 1, | ||||
|     COOKIE = 2 | ||||
| }; | ||||
|  | ||||
| // WARNING: THERE CAN ONLY BE ONE OF THESE SERVERS AT A TIME!!!!!! TODO: change loginSessions & packet handlers to be non-static | ||||
| class CNLoginServer : public CNServer { | ||||
| private: | ||||
| @@ -44,6 +49,7 @@ private: | ||||
|     static bool isPasswordCorrect(std::string actualPassword, std::string tryPassword); | ||||
|     static bool isAccountInUse(int accountId); | ||||
|     static bool isCharacterNameGood(std::string Firstname, std::string Lastname); | ||||
|     static bool isLoginTypeAllowed(LoginType loginType); | ||||
|     static void newAccount(CNSocket* sock, std::string userLogin, std::string userPassword, int32_t clientVerC); | ||||
|     // returns true if success | ||||
|     static bool exitDuplicate(int accountId); | ||||
|   | ||||
| @@ -13,7 +13,7 @@ bool settings::SANDBOX = true; | ||||
| int settings::LOGINPORT = 23000; | ||||
| bool settings::APPROVEALLNAMES = true; | ||||
| bool settings::AUTOCREATEACCOUNTS = true; | ||||
| bool settings::USEAUTHCOOKIES = false; | ||||
| std::string settings::AUTHMETHODS = "password"; | ||||
| int settings::DBSAVEINTERVAL = 240; | ||||
|  | ||||
| int settings::SHARDPORT = 23001; | ||||
| @@ -88,7 +88,7 @@ void settings::init() { | ||||
|     LOGINPORT = reader.GetInteger("login", "port", LOGINPORT); | ||||
|     APPROVEALLNAMES = reader.GetBoolean("login", "acceptallcustomnames", APPROVEALLNAMES); | ||||
|     AUTOCREATEACCOUNTS = reader.GetBoolean("login", "autocreateaccounts", AUTOCREATEACCOUNTS); | ||||
|     USEAUTHCOOKIES = reader.GetBoolean("login", "useauthcookies", USEAUTHCOOKIES); | ||||
|     AUTHMETHODS = reader.Get("login", "authmethods", AUTHMETHODS); | ||||
|     DBSAVEINTERVAL = reader.GetInteger("login", "dbsaveinterval", DBSAVEINTERVAL); | ||||
|     SHARDPORT = reader.GetInteger("shard", "port", SHARDPORT); | ||||
|     SHARDSERVERIP = reader.Get("shard", "ip", SHARDSERVERIP); | ||||
|   | ||||
| @@ -8,7 +8,7 @@ namespace settings { | ||||
|     extern int LOGINPORT; | ||||
|     extern bool APPROVEALLNAMES; | ||||
|     extern bool AUTOCREATEACCOUNTS; | ||||
|     extern bool USEAUTHCOOKIES; | ||||
|     extern std::string AUTHMETHODS; | ||||
|     extern int DBSAVEINTERVAL; | ||||
|     extern int SHARDPORT; | ||||
|     extern std::string SHARDSERVERIP; | ||||
|   | ||||
							
								
								
									
										2
									
								
								tdata
									
									
									
									
									
								
							
							
								
								
								
								
								
							
						
						
									
										2
									
								
								tdata
									
									
									
									
									
								
							 Submodule tdata updated: 8c98c83682...bdb611b092
									
								
							
							
								
								
									
										5
									
								
								vendor/bcrypt/bcrypt.c
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										5
									
								
								vendor/bcrypt/bcrypt.c
									
									
									
									
										vendored
									
									
								
							| @@ -22,13 +22,14 @@ | ||||
| #endif | ||||
| #include <errno.h> | ||||
|  | ||||
| #if defined(_WIN32) || defined(_WIN64) | ||||
| // On windows we need to generate random bytes differently. | ||||
| #if defined(_WIN32) && !defined(_WIN64) | ||||
| typedef __int32 ssize_t; | ||||
| #elif defined(_WIN32) && defined(_WIN64) | ||||
| typedef __int64 ssize_t; | ||||
| #endif | ||||
|  | ||||
| #if defined(_WIN32) || defined(_WIN64) | ||||
| // On windows we need to generate random bytes differently. | ||||
| #define BCRYPT_HASHSIZE 60 | ||||
|  | ||||
| #include "bcrypt.h" | ||||
|   | ||||
		Reference in New Issue
	
	Block a user