winix/functions/login.cpp

/*
 * This file is a part of Winix
 * and is not publicly distributed
 * 
 * Copyright (c) 2008-2012, Tomasz Sowa
 * All rights reserved.
 * 
 */

#include "core/sessionmanager.h"
#include "login.h"
#include "utf8/utf8.h"



namespace Fun
{

Login::Login()
{
	fun.url  = L"login";
	need_ssl = true;
}


void Login::ClearTmpStruct()
{
	system->crypt.ClearString(pass_decrypted);
	system->crypt.ClearString(pass_hashed);
	system->crypt.ClearString(up.pass);
	system->crypt.ClearString(up.pass_encrypted);
	system->crypt.ClearString(up2.pass);
	system->crypt.ClearString(up2.pass_encrypted);
}



bool Login::CheckPasswords(const std::wstring & password)
{
	if( !up.pass_encrypted.empty() )
	{
		if( system->crypt.RSA(false, config->pass_rsa_private_key, up.pass_encrypted, pass_decrypted) )
		{
			PT::UTF8ToWide(pass_decrypted, up.pass);
		}
		else
		{
			log << log1 << "Login: I cannot decrypt a stored password, login failure" << logend;
			return false;
		}
	}

	pass_hashed   = password;
	up2.pass_type = up.pass_type;
	up2.pass      = password;

	if( up.pass_hash_salted )
		salt = config->pass_hash_salt;
	else
		salt.clear();

	if( !system->crypt.PassHash(salt, up2) )
	{
		log << log1 << "Login: I cannot hash a password, login failure" << logend;
		return false;
	}

	bool result = (up.pass == up2.pass);

	if( !result )
		log << log2 << "Login: incorrect login/password" << logend;

return result;
}



/*
	this method is checking whether there is a person with that login and password
	in the database

	return true if it has found one and sets it user_id
*/
bool Login::CheckUserPass(const std::wstring & login, const std::wstring & password, long & user_id)
{
bool result;

	if( db->GetUserPass(login, user_id, up) )
	{
		result = CheckPasswords(password);
	}
	else
	{
		log << log2 << "Login: there is no a user name: " << login << logend;
		result = false;
	}

	ClearTmpStruct();

return result;
}



void Login::AddBanInfo()
{
	IPBan * ip_ban = cur->session->ip_ban;

	if( !ip_ban )
		ip_ban = &session_manager->AddIPToBanList(cur->request->ip);

	ip_ban->last_used = cur->request->start_time;

	if( ip_ban->expires != 0 && cur->request->start_time >= ip_ban->expires )
	{
		// the 'ip block' has expired
		ip_ban->ClearAfterRemovingBan();
		log << log3 << "Login: removing the IP block for logging" << logend;
	}

	if( ip_ban->incorrect_login_events < config->incorrect_login_cannot_login_treshold )
		ip_ban->incorrect_login_events += 1;

	if( ip_ban->incorrect_login_events >= config->incorrect_login_cannot_login_treshold )
	{
		log << log2 << "Login: too many incorrect login attempts from this IP" << logend;

		if( config->incorrect_login_cannot_login_mode == 0 )
		{
			// don't set WINIX_IPBAN_FLAG_ACTIVE here for IPBan::IsIPBanned() to return false (in CannotLoginFrom)
			ip_ban->expires = cur->request->start_time + (time_t)config->incorrect_login_cannot_login_delay;
			PT::Date date(ip_ban->expires);
			log << log2 << "Login: logging from this IP address has been blocked until to: " << date << " UTC" << logend;
		}
		else
		if( config->incorrect_login_cannot_login_mode == 1 )
		{
			ip_ban->SetFlag(WINIX_IPBAN_FLAG_ACTIVE);
			ip_ban->AddNextBanLevel(cur->request->start_time + (time_t)config->ban_level_1_delay,
									cur->request->start_time + (time_t)config->ban_level_2_delay,
									cur->request->start_time + (time_t)config->ban_level_3_delay);
			PT::Date date(ip_ban->expires);
			log << log2 << "Login: this IP address has been banned until to: " << date << " UTC" << logend;
		}
	}
}


bool Login::ShouldUseCaptchaForCurrentIP()
{
	if( cur->session->ip_ban )
		return ShouldUseCaptchaFor(*cur->session->ip_ban);

return false;
}


bool Login::ShouldUseCaptchaFor(const IPBan & ipban)
{
	if( ipban.expires != 0 && cur->request->start_time >= ipban.expires )
		return false; // the 'ip block' has expired (but incorrect_login_events has the old value)

return ipban.incorrect_login_events >= config->incorrect_login_captcha_treshold;
}


bool Login::CannotLoginFromCurrentIP()
{
	if( cur->session->ip_ban )
		return CannotLoginFrom(*cur->session->ip_ban);

return false;
}


bool Login::CannotLoginFrom(const IPBan & ipban)
{
	if( ipban.IsIPBanned() )
		return true;

	if( ipban.expires != 0 &&
		cur->request->start_time < ipban.expires &&
		ipban.incorrect_login_events >= config->incorrect_login_cannot_login_treshold )
		return true;

return false;
}



bool Login::CheckAbuse()
{
	time_t diff = (time_t)config->incorrect_login_min_time_between_get_post;

	if( cur->session->last_time_get + diff > cur->request->start_time )
	{
		log << log2 << "Login: the minimum time between GET and POST have not passed" << logend;
		return false;
	}

	if( ShouldUseCaptchaForCurrentIP() )
	{
		if( !system->rebus.CheckRebus() )
		{
			return false;
		}
	}

return true;
}


bool Login::LoginUser(const std::wstring & login, const std::wstring & password, bool remember_me, bool use_ses_log)
{
long user_id;

	if( cur->session->id == 0 )
	{
		log << log2 << "Login: can't login in a temporary session (skipped)" << logend;
		return false;
	}

	if( CannotLoginFromCurrentIP() )
	{
		log << log2 << "Login: you cannot login from this IP address" << logend;
		return false;
	}

	if( login.empty() )
	{
		log << log3 << "Login: login is empty (skipping)" << logend;
		return false;
	}

	if( !CheckAbuse() )
	{
		AddBanInfo();
		return false;
	}


	if( CheckUserPass(login, password, user_id) )
	{
		if( system->users.LoginUser(user_id, remember_me, use_ses_log) )
		{
			if( cur->session->ip_ban )
				cur->session->ip_ban->incorrect_login_events = 0;

			return true;
		}
	}
	else
	{
		AddBanInfo();
	}

return false;
}


void Login::MakePost()
{
	const std::wstring & login = cur->request->PostVar(L"login");
	const std::wstring & pass  = cur->request->PostVar(L"password");
	const std::wstring & remem = cur->request->PostVar(L"rememberme");

	if( LoginUser(login, pass, !remem.empty(), true) )
		system->RedirectToLastItem();
}


void Login::MakeGet()
{
}


} // namespace