servnest/fn/auth.php

199 lines
6 KiB
PHP
Raw Normal View History

2023-07-17 19:15:18 +00:00
<?php declare(strict_types=1);
2022-11-26 20:45:48 +00:00
const USERNAME_REGEX = '^.{1,1024}$';
2022-10-09 21:36:35 +00:00
const PASSWORD_REGEX = '^(?=.*[\p{Ll}])(?=.*[\p{Lu}])(?=.*[\p{N}]).{8,1024}|.{10,1024}$';
2022-04-22 23:57:43 +00:00
2022-10-09 21:36:35 +00:00
const PLACEHOLDER_USERNAME = 'lain';
const PLACEHOLDER_PASSWORD = '••••••••••••••••••••••••';
2022-06-10 19:14:47 +00:00
2022-04-22 23:57:43 +00:00
// Password storage security
2022-10-09 21:36:35 +00:00
const ALGO_PASSWORD = PASSWORD_ARGON2ID;
const OPTIONS_PASSWORD = [
'memory_cost' => 65536,
'time_cost' => 4,
'threads' => 64,
2022-10-09 21:36:35 +00:00
];
2022-04-22 23:57:43 +00:00
2023-06-19 22:36:58 +00:00
function checkUsernameFormat(string $username): void {
if (preg_match('/' . USERNAME_REGEX . '/Du', $username) !== 1)
output(403, 'Username malformed.');
}
2023-06-19 22:36:58 +00:00
function checkPasswordFormat(string $password): void {
if (preg_match('/' . PASSWORD_REGEX . '/Du', $password) !== 1)
output(403, 'Password malformed.');
2022-04-22 23:57:43 +00:00
}
2023-06-19 22:36:58 +00:00
function hashUsername(string $username): string {
return base64_encode(sodium_crypto_pwhash(32, $username, hex2bin(query('select', 'params', ['name' => 'username_salt'], 'value')[0]), 2**10, 2**14, SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13));
2022-04-22 23:57:43 +00:00
}
2023-06-19 22:36:58 +00:00
function hashPassword(string $password): string {
2022-04-18 14:05:00 +00:00
return password_hash($password, ALGO_PASSWORD, OPTIONS_PASSWORD);
}
2023-06-19 22:36:58 +00:00
function usernameExists(string $username): bool {
return isset(query('select', 'users', ['username' => $username], 'id')[0]);
2022-04-22 23:57:43 +00:00
}
2023-06-19 22:36:58 +00:00
function checkPassword(string $id, string $password): bool {
return password_verify($password, query('select', 'users', ['id' => $id], 'password')[0]);
}
2023-06-19 22:36:58 +00:00
function outdatedPasswordHash(string $id): bool {
return password_needs_rehash(query('select', 'users', ['id' => $id], 'password')[0], ALGO_PASSWORD, OPTIONS_PASSWORD);
}
2023-06-19 22:36:58 +00:00
function changePassword(string $id, string $password): void {
2022-12-13 16:38:54 +00:00
DB->prepare('UPDATE users SET password = :password WHERE id = :id')
->execute([':password' => hashPassword($password), ':id' => $id]);
}
2022-09-16 22:49:07 +00:00
2023-06-19 22:36:58 +00:00
function stopSession(): void {
if (session_status() === PHP_SESSION_ACTIVE)
session_destroy();
}
2023-06-19 22:36:58 +00:00
function logout(): never {
stopSession();
header('Clear-Site-Data: "*"');
redir();
}
2023-06-19 22:36:58 +00:00
function setupDisplayUsername(string $display_username): void {
$nonce = random_bytes(24);
$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
$cyphertext = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
htmlspecialchars($display_username),
2023-02-07 21:25:16 +00:00
'',
$nonce,
$key
);
$_SESSION['display-username-nonce'] = $nonce;
setcookie(
'display-username-decryption-key',
base64_encode($key),
[
'expires' => time() + 432000,
'path' => CONF['common']['prefix'] . '/',
'secure' => true,
'httponly' => true,
'samesite' => 'Strict'
]
);
$_SESSION['display-username-cyphertext'] = $cyphertext;
}
2023-06-19 22:36:58 +00:00
function authDeleteUser(string $user_id): void {
$user_services = explode(',', query('select', 'users', ['id' => $user_id], 'services')[0]);
foreach (SERVICES_USER as $service)
if (in_array($service, $user_services, true) AND CONF['common']['services'][$service] !== 'enabled')
output(503, sprintf(_('Your account can\'t be deleted because the %s service is currently unavailable.'), '<em>' . PAGES[$service]['index']['title'] . '</em>'));
if (in_array('reg', $user_services, true))
foreach (query('select', 'registry', ['username' => $user_id], 'domain') as $domain)
regDeleteDomain($domain, $user_id);
2023-06-26 02:13:52 +00:00
if (in_array('ns', $user_services, true))
foreach (query('select', 'zones', ['username' => $user_id], 'zone') as $zone)
nsDeleteZone($zone, $user_id);
if (in_array('ht', $user_services, true)) {
foreach (query('select', 'sites', ['username' => $user_id]) as $site)
htDeleteSite($site['address'], $site['type'], $user_id);
exescape([
CONF['ht']['sudo_path'],
'-u',
CONF['ht']['tor_user'],
'--',
CONF['ht']['rm_path'],
'-r',
'--',
CONF['ht']['tor_keys_path'] . '/' . $user_id,
], result_code: $code);
if ($code !== 0)
output(500, 'Can\'t remove Tor keys directory.');
removeDirectory(CONF['ht']['tor_config_path'] . '/' . $user_id);
exescape([
CONF['ht']['sudo_path'],
'-u',
CONF['ht']['sftpgo_user'],
'--',
CONF['ht']['rm_path'],
'-r',
'--',
CONF['ht']['ht_path'] . '/fs/' . $user_id
], result_code: $code);
if ($code !== 0)
output(500, 'Can\'t remove user\'s directory.');
query('delete', 'ssh-keys', ['username' => $user_id]);
}
query('delete', 'users', ['id' => $user_id]);
}
2023-06-19 22:36:58 +00:00
function rateLimit(): void {
if ((PAGE_METADATA['tokens_account_cost'] ?? 0) > 0)
2022-09-16 22:49:07 +00:00
rateLimitAccount(PAGE_METADATA['tokens_account_cost']);
if ((PAGE_METADATA['tokens_instance_cost'] ?? 0) > 0)
2022-09-16 22:49:07 +00:00
rateLimitInstance(PAGE_METADATA['tokens_instance_cost']);
}
const MAX_ACCOUNT_TOKENS = 86400;
2023-06-19 22:36:58 +00:00
function rateLimitAccount(int $requestedTokens): int {
2022-09-16 22:49:07 +00:00
// Get
$userData = query('select', 'users', ['id' => $_SESSION['id']]);
2022-09-16 22:49:07 +00:00
$tokens = $userData[0]['bucket_tokens'];
$bucketLastUpdate = $userData[0]['bucket_last_update'];
// Compute
$tokens = min(MAX_ACCOUNT_TOKENS, $tokens + (time() - $bucketLastUpdate));
2022-09-16 22:49:07 +00:00
if ($requestedTokens > 0) {
if ($requestedTokens > $tokens)
output(453, _('Account rate limit reached, try again later.'));
2022-09-16 22:49:07 +00:00
$tokens -= $requestedTokens;
2022-09-16 22:49:07 +00:00
// Update
DB->prepare('UPDATE users SET bucket_tokens = :bucket_tokens, bucket_last_update = :bucket_last_update WHERE id = :id')
->execute([
':bucket_tokens' => $tokens,
':bucket_last_update' => time(),
':id' => $_SESSION['id']
]);
}
return $tokens;
2022-09-16 22:49:07 +00:00
}
2023-06-19 22:36:58 +00:00
function rateLimitInstance(int $requestedTokens): void {
2022-09-16 22:49:07 +00:00
// Get
$tokens = query('select', 'params', ['name' => 'instance_bucket_tokens'], 'value')[0];
$bucketLastUpdate = query('select', 'params', ['name' => 'instance_bucket_last_update'], 'value')[0];
// Compute
$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));
if ($requestedTokens > $tokens)
output(453, _('Global rate limit reached, try again later.'));
2022-09-16 22:49:07 +00:00
$tokens -= $requestedTokens;
// Update
2022-12-13 16:38:54 +00:00
DB->prepare("UPDATE params SET value = :bucket_tokens WHERE name = 'instance_bucket_tokens';")
->execute([':bucket_tokens' => $tokens]);
2022-09-16 22:49:07 +00:00
2022-12-13 16:38:54 +00:00
DB->prepare("UPDATE params SET value = :bucket_last_update WHERE name = 'instance_bucket_last_update';")
->execute([':bucket_last_update' => time()]);
2022-09-16 22:49:07 +00:00
}