servnest/fn/auth.php

<?php

define("USERNAME_REGEX", "^[\p{L}\p{N}_-]{1,64}$");
define("PASSWORD_REGEX", "^(?=.*[\p{Ll}])(?=.*[\p{Lu}])(?=.*[\p{N}]).{8,1024}|.{10,1024}$");

define("PLACEHOLDER_USERNAME", "lain");
define("PLACEHOLDER_PASSWORD", "••••••••••••••••••••••••");

// Password storage security
define("ALGO_PASSWORD", PASSWORD_ARGON2ID);
define("OPTIONS_PASSWORD", array(
	"memory_cost" => 65536,
	"time_cost" => 24,
	"threads" => 64,
));

function checkPasswordFormat($password) {
	if (preg_match("/" . PASSWORD_REGEX . "/u", $password) !== 1)
		output(403, 'Password malformed.');
}

function checkUsernameFormat($username) {
	if (preg_match("/" . USERNAME_REGEX . "/u", $username) !== 1)
		output(403, 'Username malformed.');
}

function hashPassword($password) {
	return password_hash($password, ALGO_PASSWORD, OPTIONS_PASSWORD);
}

function userExist($username) {
	return isset(query('select', 'users', ['username' => $username], 'username')[0]);
}

function checkPassword($username, $password) {
	return password_verify($password, query('select', 'users', ['username' => $username], 'password')[0]);
}

function outdatedPasswordHash($username) {
	return password_needs_rehash(query('select', 'users', ['username' => $username], 'password')[0], ALGO_PASSWORD, OPTIONS_PASSWORD);
}

function changePassword($username, $password) {
	$db = new PDO('sqlite:' . DB_PATH);

	$stmt = $db->prepare("UPDATE users SET password = :password WHERE username = :username");

	$stmt->bindValue(':username', $username);
	$stmt->bindValue(':password', hashPassword($password));

	$stmt->execute();
}

function rateLimit() {
	if (PAGE_METADATA['tokens_account_cost'] ?? 0 > 0)
		rateLimitAccount(PAGE_METADATA['tokens_account_cost']);

	if (PAGE_METADATA['tokens_instance_cost'] ?? 0 > 0)
		rateLimitInstance(PAGE_METADATA['tokens_instance_cost']);
}

function rateLimitAccount($requestedTokens) {
	// Get
	$userData = query('select', 'users', ['username' => $_SESSION['username']]);
	$tokens = $userData[0]['bucket_tokens'];
	$bucketLastUpdate = $userData[0]['bucket_last_update'];

	// Compute
	$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));

	if ($requestedTokens > $tokens)
		output(453, 'Limite d\'actions par compte atteinte. Réessayez plus tard.');

	$tokens -= $requestedTokens;

	// Update
	$db = new PDO('sqlite:' . DB_PATH);
	$stmt = $db->prepare("UPDATE users SET bucket_tokens = :bucket_tokens, bucket_last_update = :bucket_last_update WHERE username = :username");
	$stmt->bindValue(':username', $_SESSION['username']);
	$stmt->bindValue(':bucket_tokens', $tokens);
	$stmt->bindValue(':bucket_last_update', time());
	$stmt->execute();
}

function rateLimitInstance($requestedTokens) {
	// Get
	$tokens = query('select', 'params', ['name' => 'instance_bucket_tokens'], 'value')[0];
	$bucketLastUpdate = query('select', 'params', ['name' => 'instance_bucket_last_update'], 'value')[0];

	// Compute
	$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));

	if ($requestedTokens > $tokens)
		output(453, 'Limite d\'actions globale atteinte. Réessayez plus tard.');

	$tokens -= $requestedTokens;

	// Update
	$db = new PDO('sqlite:' . DB_PATH);
	$stmt = $db->prepare("UPDATE params SET value = :bucket_tokens WHERE name = 'instance_bucket_tokens';");
	$stmt->bindValue(':bucket_tokens', $tokens);
	$stmt->execute();

	$stmt = $db->prepare("UPDATE params SET value = :bucket_last_update WHERE name = 'instance_bucket_last_update';");
	$stmt->bindValue(':bucket_last_update', time());
	$stmt->execute();
}
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 00:51:21 +00:00			`<?php`

Allow any unicode letter and number in user's values 2022-06-25 14:43:58 +00:00			`define("USERNAME_REGEX", "^[\p{L}\p{N}_-]{1,64}$");`
			`define("PASSWORD_REGEX", "^(?=.[\p{Ll}])(?=.[\p{Lu}])(?=.*[\p{N}]).{8,1024}\|.{10,1024}$");`
Better segmentation between services 2022-04-22 23:57:43 +00:00
Update auth forms 2022-06-10 19:14:47 +00:00			`define("PLACEHOLDER_USERNAME", "lain");`
			`define("PLACEHOLDER_PASSWORD", "••••••••••••••••••••••••");`

Better segmentation between services 2022-04-22 23:57:43 +00:00			`// Password storage security`
			`define("ALGO_PASSWORD", PASSWORD_ARGON2ID);`
			`define("OPTIONS_PASSWORD", array(`
			`"memory_cost" => 65536,`
			`"time_cost" => 24,`
			`"threads" => 64,`
			`));`

			`function checkPasswordFormat($password) {`
Allow any unicode letter and number in user's values 2022-06-25 14:43:58 +00:00			`if (preg_match("/" . PASSWORD_REGEX . "/u", $password) !== 1)`
fn success/userError/serverError > output($code) 2022-09-15 17:17:48 +00:00			`output(403, 'Password malformed.');`
Better segmentation between services 2022-04-22 23:57:43 +00:00			`}`

			`function checkUsernameFormat($username) {`
Allow any unicode letter and number in user's values 2022-06-25 14:43:58 +00:00			`if (preg_match("/" . USERNAME_REGEX . "/u", $username) !== 1)`
fn success/userError/serverError > output($code) 2022-09-15 17:17:48 +00:00			`output(403, 'Username malformed.');`
Better segmentation between services 2022-04-22 23:57:43 +00:00			`}`

Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 00:51:21 +00:00			`function hashPassword($password) {`
2 spaces > tab 2022-04-18 14:05:00 +00:00			`return password_hash($password, ALGO_PASSWORD, OPTIONS_PASSWORD);`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 00:51:21 +00:00			`}`

Better segmentation between services 2022-04-22 23:57:43 +00:00			`function userExist($username) {`
Add form to delete account Move service-specific deletion code to functions 2022-06-18 02:22:05 +00:00			`return isset(query('select', 'users', ['username' => $username], 'username')[0]);`
Better segmentation between services 2022-04-22 23:57:43 +00:00			`}`

Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 00:51:21 +00:00			`function checkPassword($username, $password) {`
Use the query() function more 2022-06-11 23:31:16 +00:00			`return password_verify($password, query('select', 'users', ['username' => $username], 'password')[0]);`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 00:51:21 +00:00			`}`

			`function outdatedPasswordHash($username) {`
Use the query() function more 2022-06-11 23:31:16 +00:00			`return password_needs_rehash(query('select', 'users', ['username' => $username], 'password')[0], ALGO_PASSWORD, OPTIONS_PASSWORD);`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 00:51:21 +00:00			`}`

			`function changePassword($username, $password) {`
2 spaces > tab 2022-04-18 14:05:00 +00:00			`$db = new PDO('sqlite:' . DB_PATH);`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 00:51:21 +00:00
2 spaces > tab 2022-04-18 14:05:00 +00:00			`$stmt = $db->prepare("UPDATE users SET password = :password WHERE username = :username");`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 00:51:21 +00:00
del-http-onion.php + query() 2022-06-11 21:42:48 +00:00			`$stmt->bindValue(':username', $username);`
Use the query() function more 2022-06-11 23:31:16 +00:00			`$stmt->bindValue(':password', hashPassword($password));`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 00:51:21 +00:00
2 spaces > tab 2022-04-18 14:05:00 +00:00			`$stmt->execute();`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 00:51:21 +00:00			`}`
Token bucket rate limiting 2022-09-16 22:49:07 +00:00
			`function rateLimit() {`
			`if (PAGE_METADATA['tokens_account_cost'] ?? 0 > 0)`
			`rateLimitAccount(PAGE_METADATA['tokens_account_cost']);`

			`if (PAGE_METADATA['tokens_instance_cost'] ?? 0 > 0)`
			`rateLimitInstance(PAGE_METADATA['tokens_instance_cost']);`
			`}`

			`function rateLimitAccount($requestedTokens) {`
			`// Get`
			`$userData = query('select', 'users', ['username' => $_SESSION['username']]);`
			`$tokens = $userData[0]['bucket_tokens'];`
			`$bucketLastUpdate = $userData[0]['bucket_last_update'];`

			`// Compute`
			`$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));`

			`if ($requestedTokens > $tokens)`
			`output(453, 'Limite d\'actions par compte atteinte. Réessayez plus tard.');`

			`$tokens -= $requestedTokens;`

			`// Update`
			`$db = new PDO('sqlite:' . DB_PATH);`
			`$stmt = $db->prepare("UPDATE users SET bucket_tokens = :bucket_tokens, bucket_last_update = :bucket_last_update WHERE username = :username");`
			`$stmt->bindValue(':username', $_SESSION['username']);`
			`$stmt->bindValue(':bucket_tokens', $tokens);`
			`$stmt->bindValue(':bucket_last_update', time());`
			`$stmt->execute();`
			`}`

			`function rateLimitInstance($requestedTokens) {`
			`// Get`
			`$tokens = query('select', 'params', ['name' => 'instance_bucket_tokens'], 'value')[0];`
			`$bucketLastUpdate = query('select', 'params', ['name' => 'instance_bucket_last_update'], 'value')[0];`

			`// Compute`
			`$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));`

			`if ($requestedTokens > $tokens)`
			`output(453, 'Limite d\'actions globale atteinte. Réessayez plus tard.');`

			`$tokens -= $requestedTokens;`

			`// Update`
			`$db = new PDO('sqlite:' . DB_PATH);`
			`$stmt = $db->prepare("UPDATE params SET value = :bucket_tokens WHERE name = 'instance_bucket_tokens';");`
			`$stmt->bindValue(':bucket_tokens', $tokens);`
			`$stmt->execute();`

			`$stmt = $db->prepare("UPDATE params SET value = :bucket_last_update WHERE name = 'instance_bucket_last_update';");`
			`$stmt->bindValue(':bucket_last_update', time());`
			`$stmt->execute();`
			`}`