Let's make (git) history!

handlers/handlerlogin.cpp

@@ -0,0 +1,118 @@
+/* Copyright (c) 2018 Albert S.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+#include <openssl/evp.h>
+#include "handlerlogin.h"
+#include "../logger.h"
+struct LoginFail
+{
+	unsigned int count;
+	time_t lastfail;
+};
+static std::map<std::string, LoginFail> loginFails;
+
+// TODO: make configurable
+bool HandlerLogin::isBanned(std::string ip)
+{
+	if(utils::hasKey(loginFails, ip))
+	{
+		LoginFail &fl = loginFails[ip];
+		return fl.count > 5 && (time(nullptr) - fl.lastfail) < 1200;
+	}
+	return false;
+}
+
+void HandlerLogin::incFailureCount(std::string ip)
+{
+	LoginFail &fl = loginFails[ip];
+	fl.count += 1;
+	fl.lastfail = time(nullptr);
+}
+
+std::vector<char> HandlerLogin::pbkdf5(std::string password, const std::vector<char> &salt)
+{
+	unsigned char hash[32];
+	const EVP_MD *sha256 = EVP_sha256();
+	const unsigned char *rawsalt = reinterpret_cast<const unsigned char *>(salt.data());
+	PKCS5_PBKDF2_HMAC(password.c_str(), password.size(), rawsalt, salt.size(), 300000, sha256, sizeof(hash), hash);
+
+	std::vector<char> result;
+
+	for(size_t i = 0; i < sizeof(hash); i++)
+	{
+
+		result.push_back(static_cast<char>(hash[i]));
+	}
+
+	return result;
+}
+
+Response HandlerLogin::handle(const Request &r)
+{
+	auto createErrorReesponse = [&]() {
+		return errorResponse("Login error", "The supplied credenetials are incorrect");
+	};
+
+	if(isBanned(r.getIp()))
+	{
+		return errorResponse("Banned", "You have been banned for too many login attempts. Try again later");
+	}
+	if(r.param("submit") == "1")
+	{
+		std::string password = r.post("password");
+		std::string username = r.post("user");
+
+		auto userDao = this->database->createUserDao();
+		std::optional<User> user = userDao->find(username);
+		if(!user)
+		{
+			return createErrorReesponse();
+		}
+
+		auto hashresult = pbkdf5(password, user.value().salt);
+		// TODO: timing attack
+		if(hashresult == user.value().password)
+		{
+			loginFails.erase(r.getIp());
+			Response r = Response::redirectTemporarily(urlProvider->index());
+			*(this->userSession) = Session(user.value());
+			return r;
+		}
+		else
+		{
+			// TODO: only if wanted by config
+			incFailureCount(r.getIp());
+			return createErrorReesponse();
+		}
+
+		// auto pbkdf5 = pbkdf5(password, user->)
+	}
+	std::string page = r.get("page");
+	if(page.empty())
+		page = "index";
+
+	TemplatePage &loginTemplatePage = this->templ->getPage("login");
+	setGeneralVars(loginTemplatePage);
+	loginTemplatePage.setVar("loginurl", urlProvider->login(page));
+	Response result;
+	result.setStatus(200);
+	result.setBody(loginTemplatePage.render());
+	return result;
+}