servnest/fn/auth.php

120 lines
3.7 KiB
PHP

<?php
const USERNAME_REGEX = '^.{1,1024}$';
const PASSWORD_REGEX = '^(?=.*[\p{Ll}])(?=.*[\p{Lu}])(?=.*[\p{N}]).{8,1024}|.{10,1024}$';
const PLACEHOLDER_USERNAME = 'lain';
const PLACEHOLDER_PASSWORD = '••••••••••••••••••••••••';
// Password storage security
const ALGO_PASSWORD = PASSWORD_ARGON2ID;
const OPTIONS_PASSWORD = [
'memory_cost' => 65536,
'time_cost' => 4,
'threads' => 64,
];
function checkUsernameFormat($username) {
if (preg_match('/' . USERNAME_REGEX . '/Du', $username) !== 1)
output(403, 'Username malformed.');
}
function checkPasswordFormat($password) {
if (preg_match('/' . PASSWORD_REGEX . '/Du', $password) !== 1)
output(403, 'Password malformed.');
}
function hashUsername($username) {
return base64_encode(sodium_crypto_pwhash(32, $username, hex2bin(query('select', 'params', ['name' => 'username_salt'], 'value')[0]), 2**10, 2**14, SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13));
}
function hashPassword($password) {
return password_hash($password, ALGO_PASSWORD, OPTIONS_PASSWORD);
}
function usernameExists($username) {
return isset(query('select', 'users', ['username' => $username], 'id')[0]);
}
function checkPassword($id, $password) {
return password_verify($password, query('select', 'users', ['id' => $id], 'password')[0]);
}
function outdatedPasswordHash($id) {
return password_needs_rehash(query('select', 'users', ['id' => $id], 'password')[0], ALGO_PASSWORD, OPTIONS_PASSWORD);
}
function changePassword($id, $password) {
$db = new PDO('sqlite:' . DB_PATH);
$stmt = $db->prepare('UPDATE users SET password = :password WHERE id = :id');
$stmt->bindValue(':id', $id);
$stmt->bindValue(':password', hashPassword($password));
$stmt->execute();
}
function logout() {
if (session_status() === PHP_SESSION_ACTIVE)
session_destroy();
header('Clear-Site-Data: "*"');
redir();
}
function rateLimit() {
if (PAGE_METADATA['tokens_account_cost'] ?? 0 > 0)
rateLimitAccount(PAGE_METADATA['tokens_account_cost']);
if (PAGE_METADATA['tokens_instance_cost'] ?? 0 > 0)
rateLimitInstance(PAGE_METADATA['tokens_instance_cost']);
}
function rateLimitAccount($requestedTokens) {
// Get
$userData = query('select', 'users', ['id' => $_SESSION['id']]);
$tokens = $userData[0]['bucket_tokens'];
$bucketLastUpdate = $userData[0]['bucket_last_update'];
// Compute
$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));
if ($requestedTokens > $tokens)
output(453, 'Limite d\'actions par compte atteinte. Réessayez plus tard.');
$tokens -= $requestedTokens;
// Update
$db = new PDO('sqlite:' . DB_PATH);
$stmt = $db->prepare('UPDATE users SET bucket_tokens = :bucket_tokens, bucket_last_update = :bucket_last_update WHERE id = :id');
$stmt->bindValue(':id', $_SESSION['id']);
$stmt->bindValue(':bucket_tokens', $tokens);
$stmt->bindValue(':bucket_last_update', time());
$stmt->execute();
}
function rateLimitInstance($requestedTokens) {
// Get
$tokens = query('select', 'params', ['name' => 'instance_bucket_tokens'], 'value')[0];
$bucketLastUpdate = query('select', 'params', ['name' => 'instance_bucket_last_update'], 'value')[0];
// Compute
$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));
if ($requestedTokens > $tokens)
output(453, 'Limite d\'actions globale atteinte. Réessayez plus tard.');
$tokens -= $requestedTokens;
// Update
$db = new PDO('sqlite:' . DB_PATH);
$stmt = $db->prepare("UPDATE params SET value = :bucket_tokens WHERE name = 'instance_bucket_tokens';");
$stmt->bindValue(':bucket_tokens', $tokens);
$stmt->execute();
$stmt = $db->prepare("UPDATE params SET value = :bucket_last_update WHERE name = 'instance_bucket_last_update';");
$stmt->bindValue(':bucket_last_update', time());
$stmt->execute();
}