HandlerLogin: Use Authenticator, drop own logic
Dieser Commit ist enthalten in:
Ursprung
5693911e01
Commit
ac99894157
@ -20,53 +20,9 @@ SOFTWARE.
|
||||
*/
|
||||
#include <atomic>
|
||||
#include <mutex>
|
||||
#include <openssl/evp.h>
|
||||
#include "handlerlogin.h"
|
||||
#include "../logger.h"
|
||||
struct LoginFail
|
||||
{
|
||||
std::mutex mutex;
|
||||
std::atomic<unsigned int> count;
|
||||
time_t lastfail;
|
||||
};
|
||||
static std::map<std::string, LoginFail> loginFails;
|
||||
|
||||
// TODO: make configurable
|
||||
bool HandlerLogin::isBanned(std::string ip)
|
||||
{
|
||||
if(utils::hasKey(loginFails, ip))
|
||||
{
|
||||
LoginFail &fl = loginFails[ip];
|
||||
std::lock_guard<std::mutex> lock(fl.mutex);
|
||||
return fl.count > 5 && (time(nullptr) - fl.lastfail) < 1200;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
void HandlerLogin::incFailureCount(std::string ip)
|
||||
{
|
||||
LoginFail &fl = loginFails[ip];
|
||||
fl.count += 1;
|
||||
fl.lastfail = time(nullptr);
|
||||
}
|
||||
|
||||
std::vector<char> HandlerLogin::pbkdf5(std::string password, const std::vector<char> &salt)
|
||||
{
|
||||
unsigned char hash[32];
|
||||
const EVP_MD *sha256 = EVP_sha256();
|
||||
const unsigned char *rawsalt = reinterpret_cast<const unsigned char *>(salt.data());
|
||||
PKCS5_PBKDF2_HMAC(password.c_str(), password.size(), rawsalt, salt.size(), 300000, sha256, sizeof(hash), hash);
|
||||
|
||||
std::vector<char> result;
|
||||
|
||||
for(size_t i = 0; i < sizeof(hash); i++)
|
||||
{
|
||||
|
||||
result.push_back(static_cast<char>(hash[i]));
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
#include "../authenticator.h"
|
||||
|
||||
Response HandlerLogin::handleRequest(const Request &r)
|
||||
{
|
||||
@ -74,48 +30,35 @@ Response HandlerLogin::handleRequest(const Request &r)
|
||||
return errorResponse("Login error", "The supplied credentials are incorrect");
|
||||
};
|
||||
|
||||
if(isBanned(r.getIp()))
|
||||
{
|
||||
return errorResponse("Banned", "You have been banned for too many login attempts. Try again later");
|
||||
}
|
||||
if(r.param("submit") == "1")
|
||||
{
|
||||
std::string password = r.post("password");
|
||||
std::string username = r.post("user");
|
||||
|
||||
auto userDao = this->database->createUserDao();
|
||||
std::optional<User> user = userDao->find(username);
|
||||
if(!user)
|
||||
Authenticator authenticator(*userDao);
|
||||
|
||||
std::variant<User, AuthenticationError> authresult = authenticator.authenticate(username, password, r.getIp());
|
||||
if(std::holds_alternative<User>(authresult))
|
||||
{
|
||||
return createErrorReesponse();
|
||||
User user = std::get<User>(authresult);
|
||||
*(this->userSession) = Session(user);
|
||||
Response r = Response::redirectTemporarily(urlProvider->index());
|
||||
return r;
|
||||
}
|
||||
if(!user->enabled)
|
||||
AuthenticationError error = std::get<AuthenticationError>(authresult);
|
||||
if(error == AuthenticationError::UserDisabled)
|
||||
{
|
||||
return errorResponse("Login failed", "The user account has been disabled");
|
||||
}
|
||||
|
||||
auto hashresult = pbkdf5(password, user.value().salt);
|
||||
// TODO: timing attack
|
||||
if(hashresult == user.value().password)
|
||||
{
|
||||
loginFails.erase(r.getIp());
|
||||
Response r = Response::redirectTemporarily(urlProvider->index());
|
||||
*(this->userSession) = Session(user.value());
|
||||
return r;
|
||||
}
|
||||
else
|
||||
{
|
||||
// TODO: only if wanted by config
|
||||
incFailureCount(r.getIp());
|
||||
return createErrorReesponse();
|
||||
}
|
||||
|
||||
// auto pbkdf5 = pbkdf5(password, user->)
|
||||
return errorResponse("Login failed", "Login with supplied credentials failed");
|
||||
}
|
||||
std::string page = r.get("page");
|
||||
if(page.empty())
|
||||
{
|
||||
page = "index";
|
||||
|
||||
}
|
||||
TemplatePage &loginTemplatePage = this->templ->getPage("login");
|
||||
setGeneralVars(loginTemplatePage);
|
||||
loginTemplatePage.setVar("loginurl", urlProvider->login(page));
|
||||
@ -123,6 +66,7 @@ Response HandlerLogin::handleRequest(const Request &r)
|
||||
Response result;
|
||||
result.setStatus(200);
|
||||
result.setBody(loginTemplatePage.render());
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
|
@ -5,11 +5,6 @@
|
||||
|
||||
class HandlerLogin : public Handler
|
||||
{
|
||||
private:
|
||||
bool isBanned(std::string ip);
|
||||
void incFailureCount(std::string ip);
|
||||
std::vector<char> pbkdf5(std::string password, const std::vector<char> &salt);
|
||||
|
||||
public:
|
||||
HandlerLogin();
|
||||
Response handleRequest(const Request &r) override;
|
||||
|
Laden…
In neuem Issue referenzieren
Einen Benutzer sperren