Merge c29899f2b9 into 52833f7fb3

.github/workflows/push-docker-image.yml

@@ -3,7 +3,6 @@ name: Push Docker Image
 on:
   release:
     types: [published]
-  workflow_dispatch:
 
 jobs:
   push-docker-image:
@@ -29,8 +28,6 @@ jobs:
         with:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
           username: ${{ secrets.DOCKERHUB_USERNAME }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
       - name: Build and push the Docker image
         uses: docker/build-push-action@v5
         with:

Makefile

@@ -133,8 +133,6 @@ HDR=$(CHDR) $(CXXHDR)
 all: $(SERVER)
 
 windows: $(SERVER)
-nosandbox: $(SERVER)
-nolandlock: $(SERVER)
 
 # assign Windows-specific values if targeting Windows
 windows : CC=$(WIN_CC)
@@ -144,9 +142,6 @@ windows : CXXFLAGS=$(WIN_CXXFLAGS)
 windows : LDFLAGS=$(WIN_LDFLAGS)
 windows : SERVER=$(WIN_SERVER)
 
-nosandbox : CFLAGS+=-DCONFIG_NOSANDBOX=1
-nolandlock : CFLAGS+=-DCONFIG_NOLANDLOCK=1
-
 .SUFFIXES: .o .c .cpp .h .hpp
 
 .c.o:
@@ -168,7 +163,7 @@ version.h:
 
 src/main.o: version.h
 
-.PHONY: all windows nosandbox nolandlock clean nuke
+.PHONY: all windows clean nuke
 
 # only gets rid of OpenFusion objects, so we don't need to
 # recompile the libs every time

README.md

@@ -1,35 +1,34 @@
-<p align="center"><img width="640" src="res/openfusion-hero.png" alt="OpenFusion Logo"></p>
+<p align="center"><img width="640" src="res/openfusion-hero.png" alt=""></p>
 
 <p align="center">
     <a href="https://github.com/OpenFusionProject/OpenFusion/releases/latest"><img src="https://img.shields.io/github/v/release/OpenFusionProject/OpenFusion" alt="Current Release"></a>
     <a href="https://github.com/OpenFusionProject/OpenFusion/actions/workflows/check-builds.yaml"><img src="https://github.com/OpenFusionProject/OpenFusion/actions/workflows/check-builds.yaml/badge.svg" alt="Workflow"></a>
-    <a href="https://hub.docker.com/repository/docker/openfusion/openfusion/"><img src="https://badgen.net/docker/pulls/openfusion/openfusion?icon=docker&label=pulls"></a>
     <a href="https://discord.gg/DYavckB"><img src="https://img.shields.io/badge/chat-on%20discord-7289da.svg?logo=discord" alt="Discord"></a>
     <a href="https://github.com/OpenFusionProject/OpenFusion/blob/master/LICENSE.md"><img src="https://img.shields.io/github/license/OpenFusionProject/OpenFusion" alt="License"></a>
 </p>
 
-OpenFusion is a reverse-engineered server for FusionFall. It primarily targets versions `beta-20100104` and `beta-20111013` of the original game, with [limited support](https://openfusion.dev/docs/reference/fusionfall-version-support/) for others.
+OpenFusion is a reverse-engineered server for FusionFall. It primarily targets versions `beta-20100104` and `beta-20111013` of the original game, with [limited support](https://github.com/OpenFusionProject/OpenFusion/wiki/FusionFall-Version-Support) for others.
 
 ## Usage
 
 ### Getting Started
 #### Method A: Installer (Easiest)
-1. Download the client installer by clicking [here](https://github.com/OpenFusionProject/OpenFusion/releases/download/1.6/OpenFusionClient-1.6-Installer.exe) - choose to run the file.
+1. Download the client installer by clicking [here](https://github.com/OpenFusionProject/OpenFusion/releases/download/1.5.2/OpenFusionClient-1.5.2-Installer.exe) - choose to run the file.
 2. After a few moments, the client should open: you will be given a choice between two public servers by default. Select the one you wish to play and click connect.
 3. To create an account, simply enter the details you wish to use at the login screen then click Log In. Do *not* click register, as this will just lead to a blank screen.
 4. Make a new character, and enjoy the game! Your progress will be saved automatically, and you can resume playing by entering the login details you used in step 3.
 
 #### Method B: Standalone .zip file
-1. Download the client from [here](https://github.com/OpenFusionProject/OpenFusion/releases/download/1.6/OpenFusionClient-1.6.zip).
+1. Download the client from [here](https://github.com/OpenFusionProject/OpenFusion/releases/download/1.5.2/OpenFusionClient-1.5.2.zip).
 2. Extract it to a folder of your choice. Note: if you are upgrading from an older version, it is preferable to start with a fresh folder rather than overwriting a previous install.
 3. Run OpenFusionClient.exe - you will be given a choice between two public servers by default. Select the one you wish to play and click connect.
 4. To create an account, simply enter the details you wish to use at the login screen then click Log In. Do *not* click register, as this will just lead to a blank screen.
 5. Make a new character, and enjoy the game! Your progress will be saved automatically, and you can resume playing by entering the login details you used in step 4.
 
-Instructions for getting the client to run on Linux through Wine can be found [here](https://openfusion.dev/docs/guides/running-on-linux/).
+Instructions for getting the client to run on Linux through Wine can be found [here](https://github.com/OpenFusionProject/OpenFusion/wiki/Running-the-game-client-on-Linux).
 
 ### Hosting a server
-1. Grab `OpenFusionServer-1.6-Original.zip` or `OpenFusionServer-1.6-Academy.zip` from [here](https://github.com/OpenFusionProject/OpenFusion/releases/tag/1.6).
+1. Grab `OpenFusionServer-1.5-Original.zip` or `OpenFusionServer-1.5-Academy.zip` from [here](https://github.com/OpenFusionProject/OpenFusion/releases/tag/1.5.2).
 2. Extract it to a folder of your choice, then run `winfusion.exe` (Windows) or `fusion` (Linux) to start the server.
 3. Add a new server to the client's list:
     1. For Description, enter anything you want. This is what will show up in the server list.
@@ -80,17 +79,17 @@ This just works if you're all under the same LAN, but if you want to play over t
 
 ## Compiling 
 
-OpenFusion has one external dependency: SQLite. The oldest compatible version is `3.33.0`. You can install it on Windows using `vcpkg`, and on Unix/Linux using your distribution's package manager. For a more indepth guide on how to set up vcpkg, [read this guide](https://openfusion.dev/docs/development/installing-sqlite-on-windows-using-vcpkg/).
+OpenFusion has one external dependency: SQLite. The oldest compatible version is `3.33.0`. You can install it on Windows using `vcpkg`, and on Unix/Linux using your distribution's package manager. For a more indepth guide on how to set up vcpkg, [read this guide on the wiki](https://github.com/OpenFusionProject/OpenFusion/wiki/Installing-SQLite-on-Windows-using-vcpkg).
 
 You have two choices for compiling OpenFusion: the included Makefile and the included CMakeLists file.
 
 ### Makefile
 
-A detailed compilation guide is available for Windows users on the website [using MinGW-w64 and MSYS2](https://openfusion.dev/docs/development/compilation-on-windows-msys2-mingw/). Otherwise, to compile it for the current platform you're on, just run `make` with the correct build tools installed (currently make and clang).
+A detailed compilation guide is available for Windows users in the wiki [using MinGW-w64 and MSYS2](https://github.com/OpenFusionProject/OpenFusion/wiki/Compilation-on-Windows). Otherwise, to compile it for the current platform you're on, just run `make` with the correct build tools installed (currently make and clang).
 
 ### CMake
 
-A detailed guide is available [in our documentation](https://openfusion.dev/docs/development/compilation-with-cmake-or-visual-studio/) for people using regular old CMake or the version of CMake that comes with Visual Studio. TL;DR: `cmake -B build`
+A detailed guide is available [on the wiki](https://github.com/OpenFusionProject/OpenFusion/wiki/Compilation-with-CMake-or-Visual-Studio) for people using regular old CMake or the version of CMake that comes with Visual Studio. tl;dr: `cmake -B build`
 
 ## Contributing
 
@@ -108,4 +107,4 @@ Meanwhile the Academy server is more meant for legitimate playthroughs (default
 
 When hosting a local server, you will have access to all commands by default (account level 1).
 
-For a list of available commands, see [this page](https://openfusion.dev/docs/reference/ingame-command-list/).
+For a list of available commands, see [this wiki page](https://github.com/OpenFusionProject/OpenFusion/wiki/Ingame-Command-list).

config.ini

@@ -17,10 +17,8 @@ acceptallcustomnames=true
 # should attempts to log into non-existent accounts
 # automatically create them?
 autocreateaccounts=true
-# list of supported authentication methods (comma-separated)
-# password = allow login type 1 with plaintext passwords
-# cookie = allow login type 2 with one-shot auth cookies
-authmethods=password
+# support logging in with auth cookies?
+useauthcookies=false
 # how often should everything be flushed to the database?
 # the default is 4 minutes
 dbsaveinterval=240

sql/migration4.sql

@@ -8,7 +8,7 @@ BEGIN TRANSACTION;
 CREATE TABLE Auth (
     AccountID   INTEGER NOT NULL,
     Cookie      TEXT NOT NULL,
-    Expires     INTEGER DEFAULT 0 NOT NULL,
+    Valid       INTEGER NOT NULL,
     FOREIGN KEY(AccountID) REFERENCES Accounts(AccountID) ON DELETE CASCADE,
     UNIQUE (AccountID)
 );

sql/tables.sql

@@ -163,7 +163,7 @@ CREATE TABLE IF NOT EXISTS RedeemedCodes (
 CREATE TABLE IF NOT EXISTS Auth (
     AccountID   INTEGER NOT NULL,
     Cookie      TEXT NOT NULL,
-    Expires     INTEGER DEFAULT 0 NOT NULL,
+    Valid       INTEGER DEFAULT 0 NOT NULL,
     FOREIGN KEY(AccountID) REFERENCES Accounts(AccountID) ON DELETE CASCADE,
     UNIQUE (AccountID)
 );

src/Abilities.cpp

@@ -368,6 +368,7 @@ void Abilities::useNPCSkill(EntityRef npc, int skillID, std::vector<ICombatant*>
     SkillData* skill = &SkillTable[skillID];
 
     std::vector<SkillResult> results = handleSkill(skill, 0, src, affected);
+    if(results.empty()) return; // no effect; no need for confirmation packets
 
     // lazy validation since skill results might be different sizes
     if (!validOutVarPacket(sizeof(sP_FE2CL_NPC_SKILL_HIT), results.size(), MAX_SKILLRESULT_SIZE)) {

src/core/CNStructs.hpp

@@ -40,7 +40,6 @@
 
 // wrapper for U16toU8
 #define ARRLEN(x) (sizeof(x)/sizeof(*x))
-#define AUTOU8(x) std::string((char*)x, ARRLEN(x))
 #define AUTOU16TOU8(x) U16toU8(x, ARRLEN(x)) 
 
 // TODO: rewrite U16toU8 & U8toU16 to not use codecvt

src/db/Database.hpp

@@ -53,7 +53,7 @@ namespace Database {
 
     void updateAccountLevel(int accountId, int accountLevel);
 
-    // return true if cookie is valid for the account.
+    // return true iff cookie is valid for the account.
     // invalidates the stored cookie afterwards
     bool checkCookie(int accountId, const char *cookie);
 

src/db/login.cpp

@@ -104,12 +104,12 @@ bool Database::checkCookie(int accountId, const char *tryCookie) {
     const char* sql_get = R"(
         SELECT Cookie
         FROM Auth
-        WHERE AccountID = ? AND Expires > ?;
+        WHERE AccountID = ? AND Valid = 1;
         )";
 
     const char* sql_invalidate = R"(
         UPDATE Auth
-        SET Expires = 0
+        SET Valid = 0
         WHERE AccountID = ?;
         )";
 
@@ -117,7 +117,6 @@ bool Database::checkCookie(int accountId, const char *tryCookie) {
 
     sqlite3_prepare_v2(db, sql_get, -1, &stmt, NULL);
     sqlite3_bind_int(stmt, 1, accountId);
-    sqlite3_bind_int(stmt, 2, getTimestamp());
     int rc = sqlite3_step(stmt);
     if (rc != SQLITE_ROW) {
         sqlite3_finalize(stmt);
@@ -130,8 +129,7 @@ bool Database::checkCookie(int accountId, const char *tryCookie) {
         return false;
     }
 
-    /*
-     * since cookies are immediately invalidated, we don't need to be concerned about
+    /* since cookies are immediately invalidated, we don't need to be concerned about
      * timing-related side channel attacks, so strcmp is fine here
      */
     bool match = (strcmp(cookie, tryCookie) == 0);
@@ -142,7 +140,7 @@ bool Database::checkCookie(int accountId, const char *tryCookie) {
     rc = sqlite3_step(stmt);
     sqlite3_finalize(stmt);
     if (rc != SQLITE_DONE)
-        std::cout << "[WARN] Database fail on checkCookie(): " << sqlite3_errmsg(db) << std::endl;
+        std::cout << "[WARN] Database fail on consumeCookie(): " << sqlite3_errmsg(db) << std::endl;
 
     return match;
 }

src/main.cpp

@@ -49,7 +49,6 @@ CNShardServer *shardServer = nullptr;
 std::thread *shardThread = nullptr;
 
 void startShard(CNShardServer* server) {
-    sandbox_thread_start();
     server->start();
 }
 
@@ -151,8 +150,6 @@ int main() {
         /* not reached */
     }
 
-    sandbox_init();
-
     std::cout << "[INFO] Starting Server Threads..." << std::endl;
     CNLoginServer loginServer(settings::LOGINPORT);
     shardServer = new CNShardServer(settings::SHARDPORT);
@@ -160,7 +157,6 @@ int main() {
     shardThread = new std::thread(startShard, (CNShardServer*)shardServer);
 
     sandbox_start();
-    sandbox_thread_start();
 
     loginServer.start();
 

src/sandbox/Sandbox.hpp

@@ -4,16 +4,11 @@
 #if defined(__linux__) || defined(__OpenBSD__)
 
 # if !defined(CONFIG_NOSANDBOX)
-void sandbox_init();
 void sandbox_start();
-void sandbox_thread_start();
 # else
 
 #include <iostream>
 
-inline void sandbox_init() {}
-inline void sandbox_thread_start() {}
-
 inline void sandbox_start() {
     std::cout << "[WARN] Built without a sandbox" << std::endl;
 }
@@ -22,7 +17,5 @@ inline void sandbox_start() {
 
 #else
 // stub for unsupported platforms
-inline void sandbox_init() {}
 inline void sandbox_start() {}
-inline void sandbox_thread_start() {}
 #endif

src/sandbox/openbsd.cpp

@@ -13,9 +13,6 @@ static void eunveil(const char *path, const char *permissions) {
         err(1, "unveil");
 }
 
-void sandbox_init() {}
-void sandbox_thread_start() {}
-
 void sandbox_start() {
     /*
      * There shouldn't ever be a reason to disable this one, but might as well

src/sandbox/seccomp.cpp

@@ -4,9 +4,6 @@
 #include "settings.hpp"
 
 #include <stdlib.h>
-#include <fcntl.h>
-
-#include <filesystem>
 
 #include <sys/prctl.h>
 #include <sys/ptrace.h>
@@ -20,10 +17,6 @@
 #include <linux/audit.h>
 #include <linux/net.h> // for socketcall() args
 
-#ifndef CONFIG_NOLANDLOCK
-#include <linux/landlock.h>
-#endif
-
 /*
  * Macros adapted from https://outflux.net/teach-seccomp/
  * Relevant license:
@@ -61,7 +54,7 @@
     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
 
 #define KILL_PROCESS \
-    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
+    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_PROCESS)
 
 /*
  * Macros adapted from openssh's sandbox-seccomp-filter.c
@@ -304,201 +297,25 @@ static sock_fprog prog = {
     ARRLEN(filter), filter
 };
 
-// Our own wrapper for the seccomp() syscall.
+// our own wrapper for the seccomp() syscall
 int seccomp(unsigned int operation, unsigned int flags, void *args) {
     return syscall(__NR_seccomp, operation, flags, args);
 }
 
-#ifndef CONFIG_NOLANDLOCK
-
-// Support compilation on systems that only have older Landlock headers.
-#ifndef LANDLOCK_ACCESS_FS_REFER
-#define LANDLOCK_ACCESS_FS_REFER 0
-#endif
-#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
-#define LANDLOCK_ACCESS_FS_TRUNCATE 0
-#endif
-
-struct landlock_ruleset_attr ruleset_attr = {
-    .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE
-        | LANDLOCK_ACCESS_FS_WRITE_FILE
-        | LANDLOCK_ACCESS_FS_READ_DIR
-        | LANDLOCK_ACCESS_FS_MAKE_REG
-        | LANDLOCK_ACCESS_FS_MAKE_DIR
-        | LANDLOCK_ACCESS_FS_MAKE_SYM
-        | LANDLOCK_ACCESS_FS_MAKE_SOCK
-        | LANDLOCK_ACCESS_FS_MAKE_FIFO
-        | LANDLOCK_ACCESS_FS_MAKE_BLOCK
-        | LANDLOCK_ACCESS_FS_REMOVE_FILE
-        | LANDLOCK_ACCESS_FS_REMOVE_DIR
-        | LANDLOCK_ACCESS_FS_TRUNCATE
-        | LANDLOCK_ACCESS_FS_REFER
-};
-
-uint64_t landlock_perms = LANDLOCK_ACCESS_FS_READ_FILE
-    | LANDLOCK_ACCESS_FS_WRITE_FILE
-    | LANDLOCK_ACCESS_FS_TRUNCATE
-    | LANDLOCK_ACCESS_FS_MAKE_REG
-    | LANDLOCK_ACCESS_FS_REMOVE_FILE;
-
-int landlock_fd;
-bool landlock_supported;
-
-/*
- * Our own wrappers for Landlock syscalls.
- */
-
-int landlock_create_ruleset(const struct landlock_ruleset_attr *attr, size_t size, uint32_t flags) {
-    return syscall(__NR_landlock_create_ruleset, attr, size, flags);
-}
-
-int landlock_add_rule(int ruleset_fd, enum landlock_rule_type rule_type, const void *rule_attr, uint32_t flags) {
-    return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr, flags);
-}
-
-int landlock_restrict_self(int ruleset_fd, uint32_t flags) {
-    return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
-}
-
-static void landlock_path(std::string path, uint32_t perms) {
-    struct landlock_path_beneath_attr path_beneath = {
-        .allowed_access = perms
-    };
-
-    path_beneath.parent_fd = open(path.c_str(), O_PATH|O_CLOEXEC);
-    if (path_beneath.parent_fd < 0) {
-        perror(path.c_str());
-        exit(1);
-    }
-
-    if (landlock_add_rule(landlock_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0)) {
-        perror("landlock_add_rule");
-        exit(1);
-    }
-
-    close(path_beneath.parent_fd);
-}
-
-static bool landlock_detect() {
-    int abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
-
-    if (abi < 0) {
-        if (errno == ENOSYS || errno == EOPNOTSUPP) {
-            std::cout << "[WARN] No Landlock support on this system" << std::endl;
-            return false;
-        }
-        perror("landlock_create_ruleset");
-        exit(1);
-    }
-
-    std::cout << "[INFO] Landlock ABI version: " << abi << std::endl;
-
-    switch (abi) {
-    case 1:
-        ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
-        landlock_perms &= ~LANDLOCK_ACCESS_FS_REFER;
-        // fallthrough
-    case 2:
-        ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
-        landlock_perms &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
-    }
-
-    return true;
-}
-
-static void landlock_init() {
-    std::cout << "[INFO] Setting up Landlock sandbox..." << std::endl;
-
-    landlock_supported = landlock_detect();
-
-    if (!landlock_supported)
-        return;
-
-    landlock_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
-    if (landlock_fd < 0) {
-        perror("landlock_create_ruleset");
-        exit(1);
-    }
-
-    std::string dbdir = std::filesystem::path(settings::DBPATH).parent_path();
-
-    // for the DB files (we can't rely on them being in the working directory)
-    landlock_path(dbdir == "" ? "." : dbdir, landlock_perms);
-    // for writing the gruntwork file
-    landlock_path(settings::TDATADIR, landlock_perms);
-    // for passowrd salting during account creation
-    landlock_path("/dev/urandom", LANDLOCK_ACCESS_FS_READ_FILE);
-    // for core dumps, optionally
-    if (settings::SANDBOXEXTRAPATH != "")
-        landlock_path(settings::SANDBOXEXTRAPATH, landlock_perms);
-}
-
-#endif // !CONFIG_NOLANDLOCK
-
-static void sigsys_handler(int signo, siginfo_t *info, void *context) {
-    // report the unhandled syscall
-    std::cout << "[FATAL] Unhandled syscall " << info->si_syscall
-       << " at " << std::hex << info->si_call_addr << " on arch " << info->si_arch << std::endl;
-
-    std::cout << "If you're unsure why this is happening, please read https://openfusion.dev/docs/development/the-sandbox/" << std::endl
-              << "for more information and possibly open an issue at https://github.com/OpenFusionProject/OpenFusion/issues to report"
-              << " needed changes in our seccomp filter." << std::endl;
-
-    exit(1);
-}
-
-void sandbox_init() {
+void sandbox_start() {
     if (!settings::SANDBOX) {
         std::cout << "[WARN] Running without a sandbox" << std::endl;
         return;
     }
 
-    // listen to SIGSYS to report unhandled syscalls
-    struct sigaction sa = {};
-
-    sa.sa_flags = SA_SIGINFO;
-    sa.sa_sigaction = sigsys_handler;
-
-    if (sigaction(SIGSYS, &sa, NULL) < 0) {
-        perror("sigaction");
-        exit(1);
-    }
-
-#ifndef CONFIG_NOLANDLOCK
-    landlock_init();
-#else
-    std::cout << "[WARN] Built without Landlock" << std::endl;
-#endif
-}
-
-void sandbox_start() {
-    if (!settings::SANDBOX)
-        return;
-
     std::cout << "[INFO] Starting seccomp-bpf sandbox..." << std::endl;
 
-    // Sandboxing starts in sandbox_thread_start().
-}
-
-void sandbox_thread_start() {
-    if (!settings::SANDBOX)
-        return;
-
     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
         perror("prctl");
         exit(1);
     }
 
-#ifndef CONFIG_NOLANDLOCK
-    if (landlock_supported) {
-        if (landlock_restrict_self(landlock_fd, 0)) {
-            perror("landlock_restrict_self");
-            exit(1);
-        }
-    }
-#endif
-
-    if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog) < 0) {
+    if (seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &prog) < 0) {
         perror("seccomp");
         exit(1);
     }

src/servers/CNLoginServer.cpp

@@ -105,20 +105,29 @@ void loginFail(LoginError errorCode, std::string userLogin, CNSocket* sock) {
 
 void CNLoginServer::login(CNSocket* sock, CNPacketData* data) {
     auto login = (sP_CL2LS_REQ_LOGIN*)data->buf;
+    bool isCookieAuth = login->iLoginType == 2;
 
     std::string userLogin;
-    std::string userToken; // could be password or auth cookie
+    std::string userPassword;
+    if (isCookieAuth) {
+        // username encoded in TEGid raw
+        userLogin = std::string((char*)login->szCookie_TEGid);
 
-    /*
-     * The std::string -> char* -> std::string maneuver should remove any
-     * trailing garbage after the null terminator.
-     */
-    if (login->iLoginType == (int32_t)LoginType::COOKIE) {
-        userLogin = std::string(AUTOU8(login->szCookie_TEGid).c_str());
-        userToken = std::string(AUTOU8(login->szCookie_authid).c_str());
+        // clients that use web login but without proper cookies
+        // send their passwords instead, so store that
+        userPassword = std::string((char*)login->szCookie_authid);
     } else {
+        /*
+         * The std::string -> char* -> std::string maneuver should remove any
+         * trailing garbage after the null terminator.
+         */
         userLogin = std::string(AUTOU16TOU8(login->szID).c_str());
-        userToken = std::string(AUTOU16TOU8(login->szPassword).c_str());
+        userPassword = std::string(AUTOU16TOU8(login->szPassword).c_str());
+    }
+
+    if (!settings::USEAUTHCOOKIES) {
+        // use normal login flow
+        isCookieAuth = false;
     }
 
     // check username regex
@@ -135,42 +144,18 @@ void CNLoginServer::login(CNSocket* sock, CNPacketData* data) {
         return loginFail(LoginError::LOGIN_ERROR, userLogin, sock);
     }
 
-    // we only interpret the token as a cookie if cookie login was used and it's allowed.
-    // otherwise we interpret it as a password, and this maintains compatibility with
-    // the auto-login trick used on older clients
-    bool isCookieAuth = login->iLoginType == (int32_t)LoginType::COOKIE
-                        && CNLoginServer::isLoginTypeAllowed(LoginType::COOKIE);
+    // check password regex if not cookie auth
+    if (!isCookieAuth && !CNLoginServer::isPasswordGood(userPassword)) {
+        // send a custom error message
+        INITSTRUCT(sP_FE2CL_GM_REP_PC_ANNOUNCE, msg);
+        std::string text = "Invalid password\n";
+        text += "Password has to be 8 - 32 characters long";
+        U8toU16(text, msg.szAnnounceMsg, sizeof(msg.szAnnounceMsg));
+        msg.iDuringTime = 10;
+        sock->sendPacket(msg, P_FE2CL_GM_REP_PC_ANNOUNCE);
 
-    // password login checks
-    if (!isCookieAuth) {
-        // bail if password auth isn't allowed
-        if (!CNLoginServer::isLoginTypeAllowed(LoginType::PASSWORD)) {
-            // send a custom error message
-            INITSTRUCT(sP_FE2CL_GM_REP_PC_ANNOUNCE, msg);
-            std::string text = "Password login disabled\n";
-            text += "This server has disabled logging in with plaintext passwords.\n";
-            text += "Please contact an admin for assistance.";
-            U8toU16(text, msg.szAnnounceMsg, sizeof(msg.szAnnounceMsg));
-            msg.iDuringTime = 12;
-            sock->sendPacket(msg, P_FE2CL_GM_REP_PC_ANNOUNCE);
-
-            // we still have to send login fail to prevent softlock
-            return loginFail(LoginError::LOGIN_ERROR, userLogin, sock);
-        }
-
-        // check regex
-        if (!CNLoginServer::isPasswordGood(userToken)) {
-            // send a custom error message
-            INITSTRUCT(sP_FE2CL_GM_REP_PC_ANNOUNCE, msg);
-            std::string text = "Invalid password\n";
-            text += "Password has to be 8 - 32 characters long";
-            U8toU16(text, msg.szAnnounceMsg, sizeof(msg.szAnnounceMsg));
-            msg.iDuringTime = 10;
-            sock->sendPacket(msg, P_FE2CL_GM_REP_PC_ANNOUNCE);
-
-            // we still have to send login fail to prevent softlock
-            return loginFail(LoginError::LOGIN_ERROR, userLogin, sock);
-        }
+        // we still have to send login fail to prevent softlock
+        return loginFail(LoginError::LOGIN_ERROR, userLogin, sock);
     }
 
     Database::Account findUser = {};
@@ -180,18 +165,18 @@ void CNLoginServer::login(CNSocket* sock, CNPacketData* data) {
     if (findUser.AccountID == 0) {
         // don't auto-create an account if it's a cookie auth for whatever reason
         if (settings::AUTOCREATEACCOUNTS && !isCookieAuth)
-            return newAccount(sock, userLogin, userToken, login->iClientVerC);
+            return newAccount(sock, userLogin, userPassword, login->iClientVerC);
 
         return loginFail(LoginError::ID_DOESNT_EXIST, userLogin, sock);
     }
 
     if (isCookieAuth) {
-        const char *cookie = userToken.c_str();
+        const char *cookie = reinterpret_cast<const char*>(login->szCookie_authid);
         if (!Database::checkCookie(findUser.AccountID, cookie))
             return loginFail(LoginError::ID_AND_PASSWORD_DO_NOT_MATCH, userLogin, sock);
     } else {
         // simple password check
-        if (!CNLoginServer::isPasswordCorrect(findUser.Password, userToken))
+        if (!CNLoginServer::isPasswordCorrect(findUser.Password, userPassword))
             return loginFail(LoginError::ID_AND_PASSWORD_DO_NOT_MATCH, userLogin, sock);
     }
 
@@ -679,17 +664,4 @@ bool CNLoginServer::isCharacterNameGood(std::string Firstname, std::string Lastn
     std::regex lastnamecheck(R"(((?! )(?!\.)[a-zA-Z0-9]*\.{0,1}(?!\.+ +)[a-zA-Z0-9]* {0,1}(?! +))*$)");
     return (std::regex_match(Firstname, firstnamecheck) && std::regex_match(Lastname, lastnamecheck));
 }
-
-bool CNLoginServer::isLoginTypeAllowed(LoginType loginType) {
-    // the config file specifies "comma-separated" but tbh we don't care
-    switch (loginType) {
-    case LoginType::PASSWORD:
-        return settings::AUTHMETHODS.find("password") != std::string::npos;
-    case LoginType::COOKIE:
-        return settings::AUTHMETHODS.find("cookie") != std::string::npos;
-    default:
-        break;
-    }
-    return false;
-}
 #pragma endregion

src/servers/CNLoginServer.hpp

@@ -23,11 +23,6 @@ enum class LoginError {
     UPDATED_EUALA_REQUIRED = 9
 };
 
-enum class LoginType {
-    PASSWORD = 1,
-    COOKIE = 2
-};
-
 // WARNING: THERE CAN ONLY BE ONE OF THESE SERVERS AT A TIME!!!!!! TODO: change loginSessions & packet handlers to be non-static
 class CNLoginServer : public CNServer {
 private:
@@ -49,7 +44,6 @@ private:
     static bool isPasswordCorrect(std::string actualPassword, std::string tryPassword);
     static bool isAccountInUse(int accountId);
     static bool isCharacterNameGood(std::string Firstname, std::string Lastname);
-    static bool isLoginTypeAllowed(LoginType loginType);
     static void newAccount(CNSocket* sock, std::string userLogin, std::string userPassword, int32_t clientVerC);
     // returns true if success
     static bool exitDuplicate(int accountId);

src/settings.cpp

@@ -9,12 +9,11 @@
 // defaults :)
 int settings::VERBOSITY = 1;
 bool settings::SANDBOX = true;
-std::string settings::SANDBOXEXTRAPATH = "";
 
 int settings::LOGINPORT = 23000;
 bool settings::APPROVEALLNAMES = true;
 bool settings::AUTOCREATEACCOUNTS = true;
-std::string settings::AUTHMETHODS = "password";
+bool settings::USEAUTHCOOKIES = false;
 int settings::DBSAVEINTERVAL = 240;
 
 int settings::SHARDPORT = 23001;
@@ -86,11 +85,10 @@ void settings::init() {
 
     VERBOSITY = reader.GetInteger("", "verbosity", VERBOSITY);
     SANDBOX = reader.GetBoolean("", "sandbox", SANDBOX);
-    SANDBOXEXTRAPATH = reader.Get("", "sandboxextrapath", SANDBOXEXTRAPATH);
     LOGINPORT = reader.GetInteger("login", "port", LOGINPORT);
     APPROVEALLNAMES = reader.GetBoolean("login", "acceptallcustomnames", APPROVEALLNAMES);
     AUTOCREATEACCOUNTS = reader.GetBoolean("login", "autocreateaccounts", AUTOCREATEACCOUNTS);
-    AUTHMETHODS = reader.Get("login", "authmethods", AUTHMETHODS);
+    USEAUTHCOOKIES = reader.GetBoolean("login", "useauthcookies", USEAUTHCOOKIES);
     DBSAVEINTERVAL = reader.GetInteger("login", "dbsaveinterval", DBSAVEINTERVAL);
     SHARDPORT = reader.GetInteger("shard", "port", SHARDPORT);
     SHARDSERVERIP = reader.Get("shard", "ip", SHARDSERVERIP);

src/settings.hpp

@@ -5,11 +5,10 @@
 namespace settings {
     extern int VERBOSITY;
     extern bool SANDBOX;
-    extern std::string SANDBOXEXTRAPATH;
     extern int LOGINPORT;
     extern bool APPROVEALLNAMES;
     extern bool AUTOCREATEACCOUNTS;
-    extern std::string AUTHMETHODS;
+    extern bool USEAUTHCOOKIES;
     extern int DBSAVEINTERVAL;
     extern int SHARDPORT;
     extern std::string SHARDSERVERIP;

vendor/bcrypt/bcrypt.c

@@ -22,14 +22,13 @@
 #endif
 #include <errno.h>
 
+#if defined(_WIN32) || defined(_WIN64)
+// On windows we need to generate random bytes differently.
 #if defined(_WIN32) && !defined(_WIN64)
 typedef __int32 ssize_t;
 #elif defined(_WIN32) && defined(_WIN64)
 typedef __int64 ssize_t;
 #endif
-
-#if defined(_WIN32) || defined(_WIN64)
-// On windows we need to generate random bytes differently.
 #define BCRYPT_HASHSIZE 60
 
 #include "bcrypt.h"
@@ -38,9 +37,8 @@ typedef __int64 ssize_t;
 #include <wincrypt.h> /* CryptAcquireContext, CryptGenRandom */
 #else
 #include "bcrypt.h"
-#endif
-
 #include "ow-crypt.h"
+#endif
 
 #define RANDBYTES (16)