2021-08-05 00:51:21 +00:00
|
|
|
<?php
|
|
|
|
|
|
2022-10-09 21:36:35 +00:00
|
|
|
const USERNAME_REGEX = '^[\p{L}\p{N}_-]{1,64}$';
|
|
|
|
|
const PASSWORD_REGEX = '^(?=.*[\p{Ll}])(?=.*[\p{Lu}])(?=.*[\p{N}]).{8,1024}|.{10,1024}$';
|
2022-04-22 23:57:43 +00:00
|
|
|
|
2022-10-09 21:36:35 +00:00
|
|
|
const PLACEHOLDER_USERNAME = 'lain';
|
|
|
|
|
const PLACEHOLDER_PASSWORD = '••••••••••••••••••••••••';
|
2022-06-10 19:14:47 +00:00
|
|
|
|
2022-04-22 23:57:43 +00:00
|
|
|
// Password storage security
|
2022-10-09 21:36:35 +00:00
|
|
|
const ALGO_PASSWORD = PASSWORD_ARGON2ID;
|
|
|
|
|
const OPTIONS_PASSWORD = [
|
2022-11-20 14:11:54 +00:00
|
|
|
'memory_cost' => 65536,
|
|
|
|
|
'time_cost' => 4,
|
|
|
|
|
'threads' => 64,
|
2022-10-09 21:36:35 +00:00
|
|
|
];
|
2022-04-22 23:57:43 +00:00
|
|
|
|
|
|
|
|
function checkPasswordFormat($password) {
|
2022-11-20 17:17:03 +00:00
|
|
|
if (preg_match('/' . PASSWORD_REGEX . '/Du', $password) !== 1)
|
2022-09-15 17:17:48 +00:00
|
|
|
output(403, 'Password malformed.');
|
2022-04-22 23:57:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function checkUsernameFormat($username) {
|
2022-11-20 17:17:03 +00:00
|
|
|
if (preg_match('/' . USERNAME_REGEX . '/Du', $username) !== 1)
|
2022-09-15 17:17:48 +00:00
|
|
|
output(403, 'Username malformed.');
|
2022-04-22 23:57:43 +00:00
|
|
|
}
|
|
|
|
|
|
2021-08-05 00:51:21 +00:00
|
|
|
function hashPassword($password) {
|
2022-04-18 14:05:00 +00:00
|
|
|
return password_hash($password, ALGO_PASSWORD, OPTIONS_PASSWORD);
|
2021-08-05 00:51:21 +00:00
|
|
|
}
|
|
|
|
|
|
2022-04-22 23:57:43 +00:00
|
|
|
function userExist($username) {
|
2022-06-18 02:22:05 +00:00
|
|
|
return isset(query('select', 'users', ['username' => $username], 'username')[0]);
|
2022-04-22 23:57:43 +00:00
|
|
|
}
|
|
|
|
|
|
2021-08-05 00:51:21 +00:00
|
|
|
function checkPassword($username, $password) {
|
2022-06-11 23:31:16 +00:00
|
|
|
return password_verify($password, query('select', 'users', ['username' => $username], 'password')[0]);
|
2021-08-05 00:51:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function outdatedPasswordHash($username) {
|
2022-06-11 23:31:16 +00:00
|
|
|
return password_needs_rehash(query('select', 'users', ['username' => $username], 'password')[0], ALGO_PASSWORD, OPTIONS_PASSWORD);
|
2021-08-05 00:51:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function changePassword($username, $password) {
|
2022-04-18 14:05:00 +00:00
|
|
|
$db = new PDO('sqlite:' . DB_PATH);
|
2021-08-05 00:51:21 +00:00
|
|
|
|
2022-11-20 14:11:54 +00:00
|
|
|
$stmt = $db->prepare('UPDATE users SET password = :password WHERE username = :username');
|
2021-08-05 00:51:21 +00:00
|
|
|
|
2022-06-11 21:42:48 +00:00
|
|
|
$stmt->bindValue(':username', $username);
|
2022-06-11 23:31:16 +00:00
|
|
|
$stmt->bindValue(':password', hashPassword($password));
|
2021-08-05 00:51:21 +00:00
|
|
|
|
2022-04-18 14:05:00 +00:00
|
|
|
$stmt->execute();
|
2021-08-05 00:51:21 +00:00
|
|
|
}
|
2022-09-16 22:49:07 +00:00
|
|
|
|
|
|
|
|
function rateLimit() {
|
|
|
|
|
if (PAGE_METADATA['tokens_account_cost'] ?? 0 > 0)
|
|
|
|
|
rateLimitAccount(PAGE_METADATA['tokens_account_cost']);
|
|
|
|
|
|
|
|
|
|
if (PAGE_METADATA['tokens_instance_cost'] ?? 0 > 0)
|
|
|
|
|
rateLimitInstance(PAGE_METADATA['tokens_instance_cost']);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function rateLimitAccount($requestedTokens) {
|
|
|
|
|
// Get
|
|
|
|
|
$userData = query('select', 'users', ['username' => $_SESSION['username']]);
|
|
|
|
|
$tokens = $userData[0]['bucket_tokens'];
|
|
|
|
|
$bucketLastUpdate = $userData[0]['bucket_last_update'];
|
|
|
|
|
|
|
|
|
|
// Compute
|
|
|
|
|
$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));
|
|
|
|
|
|
|
|
|
|
if ($requestedTokens > $tokens)
|
|
|
|
|
output(453, 'Limite d\'actions par compte atteinte. Réessayez plus tard.');
|
|
|
|
|
|
|
|
|
|
$tokens -= $requestedTokens;
|
|
|
|
|
|
|
|
|
|
// Update
|
|
|
|
|
$db = new PDO('sqlite:' . DB_PATH);
|
2022-11-20 14:11:54 +00:00
|
|
|
$stmt = $db->prepare('UPDATE users SET bucket_tokens = :bucket_tokens, bucket_last_update = :bucket_last_update WHERE username = :username');
|
2022-09-16 22:49:07 +00:00
|
|
|
$stmt->bindValue(':username', $_SESSION['username']);
|
|
|
|
|
$stmt->bindValue(':bucket_tokens', $tokens);
|
|
|
|
|
$stmt->bindValue(':bucket_last_update', time());
|
|
|
|
|
$stmt->execute();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function rateLimitInstance($requestedTokens) {
|
|
|
|
|
// Get
|
|
|
|
|
$tokens = query('select', 'params', ['name' => 'instance_bucket_tokens'], 'value')[0];
|
|
|
|
|
$bucketLastUpdate = query('select', 'params', ['name' => 'instance_bucket_last_update'], 'value')[0];
|
|
|
|
|
|
|
|
|
|
// Compute
|
|
|
|
|
$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));
|
|
|
|
|
|
|
|
|
|
if ($requestedTokens > $tokens)
|
|
|
|
|
output(453, 'Limite d\'actions globale atteinte. Réessayez plus tard.');
|
|
|
|
|
|
|
|
|
|
$tokens -= $requestedTokens;
|
|
|
|
|
|
|
|
|
|
// Update
|
|
|
|
|
$db = new PDO('sqlite:' . DB_PATH);
|
|
|
|
|
$stmt = $db->prepare("UPDATE params SET value = :bucket_tokens WHERE name = 'instance_bucket_tokens';");
|
|
|
|
|
$stmt->bindValue(':bucket_tokens', $tokens);
|
|
|
|
|
$stmt->execute();
|
|
|
|
|
|
|
|
|
|
$stmt = $db->prepare("UPDATE params SET value = :bucket_last_update WHERE name = 'instance_bucket_last_update';");
|
|
|
|
|
$stmt->bindValue(':bucket_last_update', time());
|
|
|
|
|
$stmt->execute();
|
|
|
|
|
}
|
