137 linhas
3.7 KiB
C++
137 linhas
3.7 KiB
C++
/* Copyright (c) 2018 Albert S.
|
|
|
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
of this software and associated documentation files (the "Software"), to deal
|
|
in the Software without restriction, including without limitation the rights
|
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
copies of the Software, and to permit persons to whom the Software is
|
|
furnished to do so, subject to the following conditions:
|
|
|
|
The above copyright notice and this permission notice shall be included in all
|
|
copies or substantial portions of the Software.
|
|
|
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
SOFTWARE.
|
|
*/
|
|
#include <atomic>
|
|
#include <mutex>
|
|
#include <openssl/evp.h>
|
|
#include "handlerlogin.h"
|
|
#include "../logger.h"
|
|
struct LoginFail
|
|
{
|
|
std::mutex mutex;
|
|
std::atomic<unsigned int> count;
|
|
time_t lastfail;
|
|
};
|
|
static std::map<std::string, LoginFail> loginFails;
|
|
|
|
//TODO: make configurable
|
|
bool HandlerLogin::isBanned(std::string ip)
|
|
{
|
|
if(utils::hasKey(loginFails, ip))
|
|
{
|
|
LoginFail &fl = loginFails[ip];
|
|
std::lock_guard<std::mutex> lock(fl.mutex);
|
|
return fl.count > 5 && (time(nullptr) - fl.lastfail) < 1200;
|
|
|
|
}
|
|
return false;
|
|
}
|
|
|
|
void HandlerLogin::incFailureCount(std::string ip)
|
|
{
|
|
LoginFail &fl = loginFails[ip];
|
|
fl.count+=1;
|
|
fl.lastfail = time(nullptr);
|
|
}
|
|
|
|
std::vector<char> HandlerLogin::pbkdf5(std::string password, const std::vector<char> &salt)
|
|
{
|
|
unsigned char hash[32];
|
|
const EVP_MD *sha256 = EVP_sha256();
|
|
const unsigned char *rawsalt = reinterpret_cast<const unsigned char *>(salt.data());
|
|
PKCS5_PBKDF2_HMAC(password.c_str(), password.size(), rawsalt, salt.size(), 300000, sha256, sizeof(hash), hash);
|
|
|
|
std::vector<char> result;
|
|
|
|
for(size_t i = 0; i < sizeof(hash); i++)
|
|
{
|
|
|
|
result.push_back(static_cast<char>(hash[i]));
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
|
|
Response HandlerLogin::handleRequest(const Request &r)
|
|
{
|
|
auto createErrorReesponse = [&]() { return errorResponse("Login error", "The supplied credenetials are incorrect"); };
|
|
|
|
if(isBanned(r.getIp()))
|
|
{
|
|
return errorResponse("Banned", "You have been banned for too many login attempts. Try again later");
|
|
}
|
|
if(r.param("submit") == "1")
|
|
{
|
|
std::string password = r.post("password");
|
|
std::string username = r.post("user");
|
|
|
|
auto userDao = this->database->createUserDao();
|
|
std::optional<User> user = userDao->find(username);
|
|
if(!user)
|
|
{
|
|
return createErrorReesponse();
|
|
}
|
|
if(!user->enabled)
|
|
{
|
|
return errorResponse("Login failed", "The user account has been disabled");
|
|
}
|
|
|
|
auto hashresult = pbkdf5(password, user.value().salt);
|
|
//TODO: timing attack
|
|
if(hashresult == user.value().password)
|
|
{
|
|
loginFails.erase(r.getIp());
|
|
Response r = Response::redirectTemporarily(urlProvider->index());
|
|
*(this->userSession) = Session(user.value());
|
|
return r;
|
|
|
|
}
|
|
else
|
|
{
|
|
//TODO: only if wanted by config
|
|
incFailureCount(r.getIp());
|
|
return createErrorReesponse();
|
|
}
|
|
|
|
|
|
// auto pbkdf5 = pbkdf5(password, user->)
|
|
|
|
|
|
|
|
}
|
|
std::string page = r.get("page");
|
|
if(page.empty())
|
|
page = "index";
|
|
|
|
TemplatePage &loginTemplatePage = this->templ->getPage("login");
|
|
setGeneralVars(loginTemplatePage);
|
|
loginTemplatePage.setVar("loginurl", urlProvider->login(page));
|
|
Response result;
|
|
result.setStatus(200);
|
|
result.setBody(loginTemplatePage.render());
|
|
return result;
|
|
}
|
|
|
|
bool HandlerLogin::canAccess(const Permissions &perms)
|
|
{
|
|
return true;
|
|
}
|