Use a hash as internal username

fn/auth.php

@@ -1,6 +1,6 @@
 <?php
 
-const USERNAME_REGEX = '^[\p{L}\p{N}_-]{1,64}$';
+const USERNAME_REGEX = '^.{1,1024}$';
 const PASSWORD_REGEX = '^(?=.*[\p{Ll}])(?=.*[\p{Lu}])(?=.*[\p{N}]).{8,1024}|.{10,1024}$';
 
 const PLACEHOLDER_USERNAME = 'lain';

pages/auth/index.php

@@ -14,7 +14,7 @@
 	<dd>
 		C'est le type de compte par défaut, avec des fonctionnalités limitées pour éviter les abus&nbsp;:
 		<ul>
-			<li>Peut être supprimé n'importe quand</li>
+			<li>Risque d'être supprimé n'importe quand</li>
 			<li><?= ((CONF['ht']['user_quota_testing'] >> 30) >= 1) ? CONF['ht']['user_quota_testing'] >> 30 . ' ' . linkToDocs('units', '<abbr title="gibioctet">Gio</abbr>') : CONF['ht']['user_quota_testing'] >> 20 . ' ' . linkToDocs('units', '<abbr title="mébioctet">Mio</abbr>') ?> de SFTP</li>
 			<li>Certificat Let's Encrypt de test</li>
 		</ul>

pages/auth/login.php

@@ -5,17 +5,20 @@ if (processForm(false)) {
 
 	checkUsernameFormat($_POST['username']);
 
-	if (userExist($_POST['username']) !== true)
+	$internal_username = hash('sha256', $_POST['username']);
+
+	if (userExist($internal_username) !== true)
 		output(403, 'Connexion impossible : ce compte n\'existe pas.');
 
-	if (checkPassword($_POST['username'], $_POST['password']) !== true)
+	if (checkPassword($internal_username, $_POST['password']) !== true)
 		output(403, 'Connexion impossible : clé de passe invalide.');
 
-	$_SESSION['username'] = $_POST['username'];
-	$_SESSION['type'] = query('select', 'users', ['username' => $_POST['username']], 'type')[0];
+	$_SESSION['username'] = $internal_username;
+	$_SESSION['display-username'] = htmlspecialchars($_POST['username']);
+	$_SESSION['type'] = query('select', 'users', ['username' => $internal_username], 'type')[0];
 
-	if (outdatedPasswordHash($_SESSION['username']))
-		changePassword($_SESSION['username'], $_POST['password']);
+	if (outdatedPasswordHash($internal_username))
+		changePassword($internal_username, $_POST['password']);
 
 	redir();
 }
@@ -26,7 +29,7 @@ if (processForm(false)) {
 
 <form method="post">
 	<label for="username">Identifiant</label><br>
-	<input required="" minlength="1" maxlength="64" pattern="<?= USERNAME_REGEX ?>" id="username" name="username" type="text" placeholder="<?= PLACEHOLDER_USERNAME ?>">
+	<input required="" minlength="1" maxlength="1024" pattern="<?= USERNAME_REGEX ?>" id="username" name="username" type="text" placeholder="<?= PLACEHOLDER_USERNAME ?>">
 	<br>
 
 	<label for="password">Clé de passe</label><br>

pages/auth/register.php

@@ -5,13 +5,15 @@ if (processForm(false)) {
 
 	checkUsernameFormat($_POST['username']);
 
-	if (userExist($_POST['username']) !== false)
+	$internal_username = hash('sha256', $_POST['username']);
+
+	if (userExist($internal_username) !== false)
 		output(403, 'Ce nom de compte est déjà utilisé.');
 
 	rateLimit();
 
 	insert('users', [
-		'username' => $_POST['username'],
+		'username' => $internal_username,
 		'password' => hashPassword($_POST['password']),
 		'registration_date' => date('Y-m-d H:i:s'),
 		'bucket_tokens' => 0,
@@ -21,22 +23,23 @@ if (processForm(false)) {
 
 	// Setup SFTP directory
 	umask(0002);
-	if (mkdir(CONF['ht']['ht_path'] . '/' . $_POST['username'], 0775) !== true)
+	if (mkdir(CONF['ht']['ht_path'] . '/' . $internal_username, 0775) !== true)
 		output(500, 'Can\'t create user directory.');
-	exec(CONF['ht']['sudo_path'] . ' ' . CONF['ht']['chgrp_path'] . ' ' . CONF['ht']['sftpgo_group'] . ' ' . CONF['ht']['ht_path'] . '/' . $_POST['username'] . ' --no-dereference', result_code: $code);
+	exec(CONF['ht']['sudo_path'] . ' ' . CONF['ht']['chgrp_path'] . ' ' . CONF['ht']['sftpgo_group'] . ' ' . CONF['ht']['ht_path'] . '/' . $internal_username . ' --no-dereference', result_code: $code);
 	if ($code !== 0)
 		output(500, 'Can\'t change user directory group.');
 
 	// Setup Tor config directory
-	if (mkdir(CONF['ht']['tor_config_path'] . '/' . $_POST['username'], 0755) !== true)
+	if (mkdir(CONF['ht']['tor_config_path'] . '/' . $internal_username, 0755) !== true)
 		output(500, 'Can\'t create Tor config directory.');
 
 	// Setup Tor keys directory
-	exec(CONF['ht']['sudo_path'] . ' -u ' . CONF['ht']['tor_user'] . ' ' . CONF['ht']['mkdir_path'] . ' --mode=0700 ' . CONF['ht']['tor_keys_path'] . '/' . $_POST['username'], result_code: $code);
+	exec(CONF['ht']['sudo_path'] . ' -u ' . CONF['ht']['tor_user'] . ' ' . CONF['ht']['mkdir_path'] . ' --mode=0700 ' . CONF['ht']['tor_keys_path'] . '/' . $internal_username, result_code: $code);
 	if ($code !== 0)
 		output(500, 'Can\'t create Tor keys directory.');
 
-	$_SESSION['username'] = $_POST['username'];
+	$_SESSION['username'] = $internal_username;
+	$_SESSION['display-username'] = htmlspecialchars($_POST['username']);
 	$_SESSION['type'] = 'testing';
 
 	redir();
@@ -48,18 +51,15 @@ if (processForm(false)) {
 
 <form method="post">
 
-	<details>
-		<summary><label for="username">Identifiant</label></summary>
-		Uniquement composé de lettres minuscules.
-	</details>
-	<input id="username" minlength="1" maxlength="64" pattern="<?= USERNAME_REGEX ?>" required="" name="username" type="text" placeholder="<?= PLACEHOLDER_USERNAME ?>"><br>
+	<label for="username">Identifiant</label>
+	<br>
+	<input id="username" minlength="1" maxlength="1024" pattern="<?= USERNAME_REGEX ?>" required="" name="username" type="text" placeholder="<?= PLACEHOLDER_USERNAME ?>"><br>
 
 	<details>
 		<summary><label for="password">Clé de passe</label></summary>
-		<p>Une clé de passe sécurisée est trop compliquée à deviner pour une attaque qui testerais automatiquement plein de clés de passe tout en connaissant d'autres informations et secrets sur vous.</p>
+		<p>Une clé de passe sécurisée est trop compliquée à deviner pour une attaque qui testerait automatiquement plein de clés de passe tout en connaissant d'autres informations et secrets sur vous.</p>
 		<p>Minimum 8 caractères si elle contient minuscule, majuscule et chiffre, ou minimum 10 caractères sinon.</p>
 	</details>
-
 	<input autocomplete="new-password" id="password" minlength="8" maxlength="1024" pattern="<?= PASSWORD_REGEX ?>" required="" name="password" type="password" placeholder="<?= PLACEHOLDER_PASSWORD ?>"><br>
 
 	<input type="submit">

router.php

@@ -92,7 +92,7 @@ foreach (glob('css/*.css') as $cssPath)
 		<header>
 			<p>
 <?php if (isset($_SESSION['username'])) { ?>
-				<?= ($_SESSION['type'] === 'trusted') ? '<span title="Compte confiancé">👤</span>' : '<span title="Compte de test">⏳</span>' ?> <strong><?= $_SESSION['username'] ?></strong> <a class="auth" href="<?= CONF['common']['prefix'] ?>/auth/logout">Se déconnecter</a>
+				<?= ($_SESSION['type'] === 'trusted') ? '<span title="Compte confiancé">👤</span>' : '<span title="Compte de test">⏳</span>' ?> <strong><?= $_SESSION['display-username'] ?></strong> <a class="auth" href="<?= CONF['common']['prefix'] ?>/auth/logout">Se déconnecter</a>
 <?php } else { ?>
 				<span aria-hidden="true">👻 </span><em>Anonyme</em> <a class="auth" href="<?= redirUrl('auth/login') ?>">Se connecter</a>
 <?php } ?>

sftpgo-auth.php

@@ -2,15 +2,17 @@
 
 require 'router.php';
 
-$authData = json_decode(file_get_contents('php://input'), true);
+$auth_data = json_decode(file_get_contents('php://input'), true);
 
-if (userExist($authData['username']) === true AND checkPassword($authData['username'], $authData['password']) === true) {
-	$quotaSize = (query('select', 'users', ['username' => $authData['username']], 'type')[0] === 'trusted') ? CONF['ht']['user_quota_trusted'] : CONF['ht']['user_quota_testing'];
+$internal_username = hash('sha256', $auth_data['username']);
+
+if (userExist($internal_username) === true AND checkPassword($internal_username, $auth_data['password']) === true) {
 	echo '
 	{
 		"status": 1,
-		"username": "' . $authData['username'] . '",
-		"quota_size": ' . $quotaSize . ',
+		"username": ' . json_encode($auth_data['username']) . ',
+		"home_dir": "' . CONF['ht']['ht_path'] . '/' . $internal_username . '",
+		"quota_size": ' . ((query('select', 'users', ['username' => $internal_username], 'type')[0] === 'trusted') ? CONF['ht']['user_quota_trusted'] : CONF['ht']['user_quota_testing']) . ',
 		"permissions": {
 			"/": [
 				"*"