From e62fc0f95949222c4fa2825d59da7755a51c4889 Mon Sep 17 00:00:00 2001
From: Sarjuuk
Date: Sun, 14 Sep 2014 00:32:36 +0200
Subject: [PATCH] Auth: fixed auth against auth.account

---
 includes/user.class.php | 30 ++++++++++++++++--------------
 pages/account.php | 3 +++
 2 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/includes/user.class.php b/includes/user.class.php
index ee55c6de..6f93abdd 100644
--- a/includes/user.class.php
+++ b/includes/user.class.php
@@ -65,7 +65,7 @@ class User
 if (AUTH_MODE_SELF && $query['passHash'] != $_SESSION['hash'])
 {
 self::destroy();
- return;
+ return false;
 }
 
 self::$id = intval($query['id']);
@@ -232,21 +232,22 @@ class User
 if (!DB::isConnectable(DB_AUTH))
 return AUTH_INTERNAL_ERR;
 
- $wow = DB::Auth()->selectRow('SELECT a.id, a.sha_pass_hash, ab.active AS hasBan FROM account a LEFT JOIN account_banned ab ON ab.id = a.id AND active <> 0 WHERE username = ? DESC LIMIT 1', $name);
+ $wow = DB::Auth()->selectRow('SELECT a.id, a.sha_pass_hash, ab.active AS hasBan FROM account a LEFT JOIN account_banned ab ON ab.id = a.id AND active <> 0 WHERE username = ? LIMIT 1', $name);
 if (!$wow)
 return AUTH_WRONGUSER;
 
 self::$passHash = $wow['sha_pass_hash'];
- if (!self::verifySHA1($pass))
+ if (!self::verifySHA1($name, $pass))
 return AUTH_WRONGPASS;
 
 if ($wow['hasBan'])
 return AUTH_BANNED;
 
- if (!self::checkOrCreateInDB($wow['id'], $name))
+ if ($_ = self::checkOrCreateInDB($wow['id'], $name))
+ $user = $_;
+ else
 return AUTH_INTERNAL_ERR;
 
- $user = $wow['id'];
 break;
 }
 case AUTH_MODE_EXTERNAL:
@@ -259,10 +260,11 @@ class User
 
 if ($result == AUTH_OK && $extId)
 {
- if (!self::checkOrCreateInDB($extId, $name))
+ if ($_ = self::checkOrCreateInDB($extId, $name))
+ $user = $_;
+ else
 return AUTH_INTERNAL_ERR;
 
- $user = $extId;
 break;
 }
 
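Review bot: The new `if ($_ = self::checkOrCreateInDB($wow['id'], $name)) $user = $_; else return AUTH_INTERNAL_ERR;` in the AUTH_MODE_SELF branch hides the assignment inside the condition behind a throwaway `$_`, and the AUTH_MODE_EXTERNAL hunk below repeats the same shape. Writing it as `$user = self::checkOrCreateInDB($wow['id'], $name); if (!$user) return AUTH_INTERNAL_ERR;` makes the real behavioural change of this commit visible: `$user` now carries the id returned by the `SELECT id FROM ?_account` lookup rather than `$wow['id']` from auth.account, which deserves a one-line comment such as `// $user is the local ?_account id, not the auth.account id`. The truthiness test also treats an id of 0 as failure, which is fine for an auto-increment key but should be stated if that is the assumption. The enclosing method starts outside the hunk.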
@@ -283,10 +285,10 @@ class User
 // create a linked account for our settings if nessecary
 private static function checkOrCreateInDB($extId, $name)
 {
- if (DB::Aowow()->selectCell('SELECT 1 FROM ?_account WHERE extId = ?d', $extId))
- return true;
+ if ($_ = DB::Aowow()->selectCell('SELECT id FROM ?_account WHERE extId = ?d', $extId))
+ return $_;
 
- $newId = DB::Aowow()->query('INSERT INTO ?_account (extId, user, displayName, lastIP, locale, status) VALUES (?d, ?, ?, ?, ?d, ?d)',
+ $newId = DB::Aowow()->query('INSERT IGNORE INTO ?_account (extId, user, displayName, prevIP, locale, status) VALUES (?d, ?, ?, ?, ?d, ?d)',
 $extId,
 $name,
 Util::ucFirst($name),
@@ -323,14 +325,14 @@ class User
 }
 
 // sha1 used by TC / MaNGOS
- private static function hashSHA1($pass)
+ private static function hashSHA1($name, $pass)
 {
- return sha1(strtoupper(self::$user).':'.strtoupper($pass));
+ return sha1(strtoupper($name).':'.strtoupper($pass));
 }
 
- private static function verifySHA1($pass)
+ private static function verifySHA1($name, $pass)
 {
- return self::$passHash == self::hashSHA1($pass);
+ return self::$passHash == self::hashSHA1($name, $pass);
 }
 
 public static function save()
diff --git a/pages/account.php b/pages/account.php
index 37d4a229..7de80af7 100644
--- a/pages/account.php
+++ b/pages/account.php
@@ -347,6 +347,9 @@ Markup.printHtml("description text here", "description-generic", { allow: Markup
 case AUTH_IPBANNED:
 User::destroy();
 return sprintf(Lang::$account['loginExceeded'], Util::formatTime(CFG_FAILED_AUTH_EXCLUSION * 1000));
+ case AUTH_INTERNAL_ERR:
+ User::destroy();
+ return Lang::$account['intError'];
 default:
 return;
 }
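Review bot: Switching the account creation to `INSERT IGNORE` in checkOrCreateInDB turns a failed insert (duplicate key, constraint violation, truncated value) into a warning, so a row that was never written is reported through whatever `$newId` becomes instead of as an error; the function's return path lies outside the hunk, so whether that ends as AUTH_INTERNAL_ERR or a bogus id cannot be told from here. If IGNORE is meant to cover the SELECT-then-INSERT race (a concurrent request creating the row between the two statements), the robust form is to re-run the `SELECT id FROM ?_account WHERE extId = ?d` lookup when the insert yields no id and return that, rather than suppressing the error. Otherwise IGNORE should be dropped so the failure surfaces to the caller. The column rename `lastIP` → `prevIP` presumably tracks a schema change not included in this patch; worth confirming the table actually has it.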
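Review bot: The rewritten verifySHA1 still compares the stored digest with `==`, which in PHP is a loose comparison: two hex digests that both parse as numeric strings (the `0e…` form) compare equal, and the comparison is not constant-time. The strict, timing-safe builtin is a one-line change: `return hash_equals(self::$passHash, self::hashSHA1($name, $pass));` — note hash_equals requires both operands to be strings, so this relies on `sha_pass_hash` never being NULL in the selected row. The loose `!=` on `$query['passHash'] != $_SESSION['hash']` in the first hunk of this file deserves the same treatment. Passing `$name` into hashSHA1 instead of reading `self::$user` presumably fixes verification before the user object is populated; a comment on hashSHA1 such as `// TC/MaNGOS account hash: SHA1(UPPER(name):UPPER(pass)), unsalted by design of the game server` would document why this scheme cannot be changed here.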