diff --git a/src/server/authserver/Server/AuthSocket.cpp b/src/server/authserver/Server/AuthSocket.cpp index a00127cb1..123439358 100644 --- a/src/server/authserver/Server/AuthSocket.cpp +++ b/src/server/authserver/Server/AuthSocket.cpp @@ -177,13 +177,37 @@ const AuthHandler table[] = #define AUTH_TOTAL_COMMANDS 8 +void AccountInfo::LoadResult(Field* fields) +{ + // 0 1 2 3 4 5 6 + //SELECT a.id, a.username, a.locked, a.lock_country, a.last_ip, a.failed_logins, ab.unbandate > UNIX_TIMESTAMP() OR ab.unbandate = ab.bandate, + // 7 8 + // ab.unbandate = ab.bandate, aa.gmlevel (, more query-specific fields) + //FROM account a LEFT JOIN account_access aa ON a.id = aa.AccountID LEFT JOIN account_banned ab ON ab.id = a.id AND ab.active = 1 WHERE a.username = ? + + Id = fields[0].GetUInt32(); + Login = fields[1].GetString(); + IsLockedToIP = fields[2].GetBool(); + LockCountry = fields[3].GetString(); + LastIP = fields[4].GetString(); + FailedLogins = fields[5].GetUInt32(); + IsBanned = fields[6].GetUInt64() != 0; + IsPermanenetlyBanned = fields[7].GetUInt64() != 0; + SecurityLevel = static_cast(fields[8].GetUInt8()) > SEC_CONSOLE ? SEC_CONSOLE : static_cast(fields[8].GetUInt8()); + + // Use our own uppercasing of the account name instead of using UPPER() in mysql query + // This is how the account was created in the first place and changing it now would result in breaking + // login for all accounts having accented characters in their name + Utf8ToUpperOnlyLatin(Login); +} + // Holds the MD5 hash of client patches present on the server Patcher PatchesCache; // Constructor - set the N and g values for SRP6 AuthSocket::AuthSocket(RealmSocket& socket) : pPatch(nullptr), socket_(socket), _status(STATUS_CHALLENGE), _build(0), - _expversion(0), _accountSecurityLevel(SEC_PLAYER) + _expversion(0) { } @@ -289,30 +313,6 @@ bool AuthSocket::_HandleLogonChallenge() ///- Session is closed unless overriden _status = STATUS_CLOSED; - // pussywizard: logon flood protection: - { - std::lock_guard guard(LastLoginAttemptMutex); - std::string ipaddr = socket().getRemoteAddress(); - uint32 currTime = time(nullptr); - std::map::iterator itr = LastLoginAttemptTimeForIP.find(ipaddr); - if (itr != LastLoginAttemptTimeForIP.end() && itr->second >= currTime) - { - ByteBuffer pkt; - pkt << uint8(AUTH_LOGON_CHALLENGE); - pkt << uint8(0x00); - pkt << uint8(WOW_FAIL_UNKNOWN_ACCOUNT); - socket().send((char const*)pkt.contents(), pkt.size()); - return true; - } - if (LastLoginAttemptCleanTime + 60 < currTime) - { - LastLoginAttemptTimeForIP.clear(); - LastLoginAttemptCleanTime = currTime; - } - else - LastLoginAttemptTimeForIP[ipaddr] = currTime; - } - // Read the first 4 bytes (header) to get the length of the remaining of the packet std::vector buf; buf.resize(4); @@ -351,9 +351,9 @@ bool AuthSocket::_HandleLogonChallenge() EndianConvert(ch->timezone_bias); EndianConvert(ch->ip); - ByteBuffer pkt; + std::string login((char const*)ch->I, ch->I_len); + LOG_DEBUG("server.authserver", "[AuthChallenge] '%s'", login.c_str()); - _login = (const char*)ch->I; _build = ch->build; _expversion = uint8(AuthHelper::IsPostBCAcceptedClientBuild(_build) ? POST_BC_EXP_FLAG : (AuthHelper::IsPreBCAcceptedClientBuild(_build) ? PRE_BC_EXP_FLAG : NO_VALID_EXP_FLAG)); _os = (const char*)ch->os; @@ -364,188 +364,180 @@ bool AuthSocket::_HandleLogonChallenge() // Restore string order as its byte order is reversed std::reverse(_os.begin(), _os.end()); + ByteBuffer pkt; pkt << uint8(AUTH_LOGON_CHALLENGE); pkt << uint8(0x00); + auto SendAuthPacket = [&]() + { + socket().send((char const*)pkt.contents(), pkt.size()); + }; + // Verify that this IP is not in the ip_banned table LoginDatabase.Execute(LoginDatabase.GetPreparedStatement(LOGIN_DEL_EXPIRED_IP_BANS)); - std::string const& ip_address = socket().getRemoteAddress(); - PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_IP_BANNED); - stmt->setString(0, ip_address); + std::string const& ipAddress = socket().getRemoteAddress(); + uint32 port = socket().getRemotePort(); - PreparedQueryResult result = LoginDatabase.Query(stmt); - if (result) + // Get the account details from the account table + // No SQL injection (prepared statement) + auto stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_LOGONCHALLENGE); + stmt->setString(0, login); + + PreparedQueryResult res2 = LoginDatabase.Query(stmt); + if (!res2) //no account { - pkt << uint8(WOW_FAIL_BANNED); -#if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) - LOG_DEBUG("network", "'%s:%d' [AuthChallenge] Banned ip tries to login!", socket().getRemoteAddress().c_str(), socket().getRemotePort()); -#endif + pkt << uint8(WOW_FAIL_UNKNOWN_ACCOUNT); + SendAuthPacket(); + return true; + } + + Field* fields = res2->Fetch(); + + _accountInfo.LoadResult(fields); + + // If the IP is 'locked', check that the player comes indeed from the correct IP address + if (_accountInfo.IsLockedToIP) + { + LOG_DEBUG("server.authserver", "[AuthChallenge] Account '%s' is locked to IP - '%s' is logging in from '%s'", _accountInfo.Login.c_str(), _accountInfo.LastIP.c_str(), ipAddress.c_str()); + + if (_accountInfo.LastIP != ipAddress) + { + LOG_DEBUG("network", "[AuthChallenge] Account IP differs"); + pkt << uint8(WOW_FAIL_LOCKED_ENFORCED); + SendAuthPacket(); + return true; + } } else { - // Get the account details from the account table - // No SQL injection (prepared statement) - stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_LOGONCHALLENGE); - stmt->setString(0, _login); + LOG_DEBUG("network", "[AuthChallenge] Account '%s' is not locked to ip", _accountInfo.Login.c_str()); - PreparedQueryResult res2 = LoginDatabase.Query(stmt); - if (res2) + if (_accountInfo.LockCountry.empty() || _accountInfo.LockCountry == "00") { - Field* fields = res2->Fetch(); + LOG_DEBUG("network", "[AuthChallenge] Account '%s' is not locked to country", _accountInfo.Login.c_str()); + } + else if (!_accountInfo.LockCountry.empty()) + { + uint32 ip = inet_addr(ipAddress.c_str()); + EndianConvertReverse(ip); - // If the IP is 'locked', check that the player comes indeed from the correct IP address - bool locked = false; - if (fields[1].GetUInt8() == 1) // if ip is locked + stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_LOGON_COUNTRY); + stmt->setUInt32(0, ip); + + if (PreparedQueryResult sessionCountryQuery = LoginDatabase.Query(stmt)) { - LOG_DEBUG("network", "[AuthChallenge] Account '%s' is locked to IP - '%s'", _login.c_str(), fields[2].GetCString()); - LOG_DEBUG("network", "[AuthChallenge] Player address is '%s'", ip_address.c_str()); - - if (strcmp(fields[3].GetCString(), ip_address.c_str()) != 0) + std::string loginCountry = (*sessionCountryQuery)[0].GetString(); + LOG_DEBUG("network", "[AuthChallenge] Account '%s' is locked to country: '%s' Player country is '%s'", _accountInfo.Login.c_str(), _accountInfo.LockCountry.c_str(), loginCountry.c_str()); + if (loginCountry != _accountInfo.LockCountry) { - LOG_DEBUG("network", "[AuthChallenge] Account IP differs"); - pkt << uint8(WOW_FAIL_LOCKED_ENFORCED); - locked = true; - } - else - LOG_DEBUG("network", "[AuthChallenge] Account IP matches"); - } - else - { - LOG_DEBUG("network", "[AuthChallenge] Account '%s' is not locked to ip", _login.c_str()); - std::string accountCountry = fields[2].GetString(); - if (accountCountry.empty() || accountCountry == "00") - LOG_DEBUG("network", "[AuthChallenge] Account '%s' is not locked to country", _login.c_str()); - else if (!accountCountry.empty()) - { - uint32 ip = inet_addr(ip_address.c_str()); - EndianConvertReverse(ip); - - stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_LOGON_COUNTRY); - stmt->setUInt32(0, ip); - if (PreparedQueryResult sessionCountryQuery = LoginDatabase.Query(stmt)) - { - std::string loginCountry = (*sessionCountryQuery)[0].GetString(); - LOG_DEBUG("network", "[AuthChallenge] Account '%s' is locked to country: '%s' Player country is '%s'", _login.c_str(), accountCountry.c_str(), loginCountry.c_str()); - if (loginCountry != accountCountry) - { - LOG_DEBUG("network", "[AuthChallenge] Account country differs."); - pkt << uint8(WOW_FAIL_UNLOCKABLE_LOCK); - locked = true; - } - else - LOG_DEBUG("network", "[AuthChallenge] Account country matches"); - } - else - LOG_DEBUG("network", "[AuthChallenge] IP2NATION Table empty"); - } - } - - uint8 securityFlags = 0; - _totpSecret = fields[7].GetBinary(); - - // Check if a TOTP token is needed - if (!_totpSecret || !_totpSecret.value().empty()) - { - securityFlags = 4; - - if (auto const& secret = sSecretMgr->GetSecret(SECRET_TOTP_MASTER_KEY)) - { - bool success = acore::Crypto::AEDecrypt(*_totpSecret, *secret); - if (!success) - { - pkt << uint8(WOW_FAIL_DB_BUSY); - LOG_ERROR("server.authserver", "[AuthChallenge] Account '%s' has invalid ciphertext for TOTP token key stored", _login.c_str()); - locked = true; - } - } - } - - if (!locked) - { - //set expired bans to inactive - LoginDatabase.DirectExecute(LoginDatabase.GetPreparedStatement(LOGIN_UPD_EXPIRED_ACCOUNT_BANS)); - - // If the account is banned, reject the logon attempt - stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_ACCOUNT_BANNED); - stmt->setUInt32(0, fields[0].GetUInt32()); - - PreparedQueryResult banresult = LoginDatabase.Query(stmt); - if (banresult) - { - if ((*banresult)[0].GetUInt32() == (*banresult)[1].GetUInt32()) - { - pkt << uint8(WOW_FAIL_BANNED); - LOG_DEBUG("network", "'%s:%d' [AuthChallenge] Banned account %s tried to login!", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str()); - } - else - { - pkt << uint8(WOW_FAIL_SUSPENDED); - LOG_DEBUG("network", "'%s:%d' [AuthChallenge] Temporarily banned account %s tried to login!", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str()); - } - } - else - { - _srp6.emplace(_login, fields[5].GetBinary(), fields[6].GetBinary()); - - BigNumber unk3; - unk3.SetRand(16 * 8); - - // Fill the response packet with the result - if (AuthHelper::IsAcceptedClientBuild(_build)) - pkt << uint8(WOW_SUCCESS); - else - pkt << uint8(WOW_FAIL_VERSION_INVALID); - - // B may be calculated < 32B so we force minimal length to 32B - pkt.append(_srp6->B); - pkt << uint8(1); - pkt.append(_srp6->g); - pkt << uint8(32); - pkt.append(_srp6->N); - pkt.append(_srp6->s); - pkt.append(unk3.ToByteArray<16>()); - - pkt << uint8(securityFlags); // security flags (0x0...0x04) - - if (securityFlags & 0x01) // PIN input - { - pkt << uint32(0); - pkt << uint64(0) << uint64(0); // 16 bytes hash? - } - - if (securityFlags & 0x02) // Matrix input - { - pkt << uint8(0); - pkt << uint8(0); - pkt << uint8(0); - pkt << uint8(0); - pkt << uint64(0); - } - - if (securityFlags & 0x04) // Security token input - pkt << uint8(1); - - uint8 secLevel = fields[4].GetUInt8(); - _accountSecurityLevel = secLevel <= SEC_ADMINISTRATOR ? AccountTypes(secLevel) : SEC_ADMINISTRATOR; - - _localizationName.resize(4); - for (int i = 0; i < 4; ++i) - _localizationName[i] = ch->country[4 - i - 1]; - - LOG_DEBUG("network", "'%s:%d' [AuthChallenge] account %s is using '%c%c%c%c' locale (%u)", - socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str(), ch->country[3], ch->country[2], ch->country[1], ch->country[0], GetLocaleByName(_localizationName)); - - ///- All good, await client's proof - _status = STATUS_LOGON_PROOF; + LOG_DEBUG("network", "[AuthChallenge] Account country differs."); + pkt << uint8(WOW_FAIL_UNLOCKABLE_LOCK); + SendAuthPacket(); + return true; } } } - else //no account - pkt << uint8(WOW_FAIL_UNKNOWN_ACCOUNT); } - socket().send((char const*)pkt.contents(), pkt.size()); + // If the account is banned, reject the logon attempt + if (_accountInfo.IsBanned) + { + if (_accountInfo.IsPermanenetlyBanned) + { + pkt << uint8(WOW_FAIL_BANNED); + LOG_DEBUG("server.authserver.banned", "'%s:%d' [AuthChallenge] Banned account %s tried to login!", ipAddress.c_str(), port, _accountInfo.Login.c_str()); + } + else + { + pkt << uint8(WOW_FAIL_SUSPENDED); + LOG_DEBUG("server.authserver.banned", "'%s:%d' [AuthChallenge] Temporarily banned account %s tried to login!", ipAddress.c_str(), port, _accountInfo.Login.c_str()); + } + + SendAuthPacket(); + return true; + } + + uint8 securityFlags = 0; + + // Check if a TOTP token is needed + if (!fields[9].IsNull()) + { + LOG_DEBUG("server.authserver", "[AuthChallenge] Account '%s' using TOTP", _accountInfo.Login.c_str()); + + securityFlags = 4; + _totpSecret = fields[9].GetBinary(); + if (auto const& secret = sSecretMgr->GetSecret(SECRET_TOTP_MASTER_KEY)) + { + bool success = acore::Crypto::AEDecrypt(*_totpSecret, *secret); + if (!success) + { + pkt << uint8(WOW_FAIL_DB_BUSY); + LOG_ERROR("server.authserver", "[AuthChallenge] Account '%s' has invalid ciphertext for TOTP token key stored", _accountInfo.Login.c_str()); + SendAuthPacket(); + return true; + } + } + } + + _srp6.emplace( + _accountInfo.Login, + fields[10].GetBinary(), + fields[11].GetBinary()); + + BigNumber unk3; + unk3.SetRand(16 * 8); + + // Fill the response packet with the result + if (!AuthHelper::IsAcceptedClientBuild(_build)) + { + pkt << uint8(WOW_FAIL_VERSION_INVALID); + SendAuthPacket(); + return true; + } + + pkt << uint8(WOW_SUCCESS); + + // B may be calculated < 32B so we force minimal length to 32B + pkt.append(_srp6->B); + pkt << uint8(1); + pkt.append(_srp6->g); + pkt << uint8(32); + pkt.append(_srp6->N); + pkt.append(_srp6->s); + pkt.append(unk3.ToByteArray<16>()); + + pkt << uint8(securityFlags); // security flags (0x0...0x04) + + if (securityFlags & 0x01) // PIN input + { + pkt << uint32(0); + pkt << uint64(0) << uint64(0); // 16 bytes hash? + } + + if (securityFlags & 0x02) // Matrix input + { + pkt << uint8(0); + pkt << uint8(0); + pkt << uint8(0); + pkt << uint8(0); + pkt << uint64(0); + } + + if (securityFlags & 0x04) // Security token input + pkt << uint8(1); + + _localizationName.resize(4); + for (int i = 0; i < 4; ++i) + _localizationName[i] = ch->country[4 - i - 1]; + + LOG_DEBUG("network", "'%s:%d' [AuthChallenge] account %s is using locale (%u)", + ipAddress.c_str(), port, _accountInfo.Login.c_str(), GetLocaleByName(_localizationName)); + + ///- All good, await client's proof + _status = STATUS_LOGON_PROOF; + + SendAuthPacket(); return true; } @@ -559,7 +551,9 @@ bool AuthSocket::_HandleLogonProof() sAuthLogonProof_C lp; if (!socket().recv((char*)&lp, sizeof(sAuthLogonProof_C))) + { return false; + } _status = STATUS_CLOSED; @@ -567,9 +561,7 @@ bool AuthSocket::_HandleLogonProof() if (_expversion == NO_VALID_EXP_FLAG) { // Check if we have the appropriate patch on the disk -#if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) LOG_DEBUG("network", "Client with invalid version, patching is not implemented"); -#endif socket().shutdown(); return true; } @@ -577,9 +569,7 @@ bool AuthSocket::_HandleLogonProof() if (std::optional K = _srp6->VerifyChallengeResponse(lp.A, lp.clientM)) { _sessionKey = *K; -#if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) - LOG_DEBUG("network", "'%s:%d' User '%s' successfully authenticated", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str()); -#endif + LOG_DEBUG("network", "'%s:%d' User '%s' successfully authenticated", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _accountInfo.Login.c_str()); // Update the sessionkey, last_ip, last login time and reset number of failed logins in the account table for this account // No SQL injection (escaped user name) and IP address as received by socket @@ -588,7 +578,7 @@ bool AuthSocket::_HandleLogonProof() stmt->setString(1, socket().getRemoteAddress().c_str()); stmt->setUInt32(2, GetLocaleByName(_localizationName)); stmt->setString(3, _os); - stmt->setString(4, _login); + stmt->setString(4, _accountInfo.Login); LoginDatabase.DirectExecute(stmt); // Finish SRP6 and send the final result to the client @@ -614,6 +604,13 @@ bool AuthSocket::_HandleLogonProof() else if (!sentToken && !_totpSecret) tokenSuccess = true; + if (!tokenSuccess) + { + LOG_DEBUG("server.authsrver", "[AuthChallenge] account %s failed token", _accountInfo.Login.c_str()); + char data[4] = { AUTH_LOGON_PROOF, WOW_FAIL_UNKNOWN_ACCOUNT, 3, 0 }; + socket().send(data, sizeof(data)); + } + if (_expversion & POST_BC_EXP_FLAG) // 2.x and 3.x clients { sAuthLogonProof_S proof; @@ -635,12 +632,6 @@ bool AuthSocket::_HandleLogonProof() socket().send((char*)&proof, sizeof(proof)); } - if (!tokenSuccess) - { - char data[4] = { AUTH_LOGON_PROOF, WOW_FAIL_UNKNOWN_ACCOUNT, 3, 0 }; - socket().send(data, sizeof(data)); - } - ///- Set _status to authed! _status = STATUS_AUTHED; } @@ -650,7 +641,7 @@ bool AuthSocket::_HandleLogonProof() socket().send(data, sizeof(data)); #if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) - LOG_DEBUG("network", "'%s:%d' [AuthChallenge] account %s tried to login with invalid password!", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str()); + LOG_DEBUG("network", "'%s:%d' [AuthChallenge] account %s tried to login with invalid password!", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _accountInfo.Login.c_str()); #endif uint32 MaxWrongPassCount = sConfigMgr->GetOption("WrongPass.MaxCount", 0); @@ -659,7 +650,7 @@ bool AuthSocket::_HandleLogonProof() if (sConfigMgr->GetOption("WrongPass.Logging", false)) { PreparedStatement* logstmt = LoginDatabase.GetPreparedStatement(LOGIN_INS_FALP_IP_LOGGING); - logstmt->setString(0, _login); + logstmt->setString(0, _accountInfo.Login); logstmt->setString(1, socket().getRemoteAddress()); logstmt->setString(2, "Logged on failed AccountLogin due wrong password"); @@ -670,11 +661,11 @@ bool AuthSocket::_HandleLogonProof() { //Increment number of failed logins by one and if it reaches the limit temporarily ban that account or IP PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_FAILEDLOGINS); - stmt->setString(0, _login); + stmt->setString(0, _accountInfo.Login); LoginDatabase.Execute(stmt); stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_FAILEDLOGINS); - stmt->setString(0, _login); + stmt->setString(0, _accountInfo.Login); if (PreparedQueryResult loginfail = LoginDatabase.Query(stmt)) { @@ -694,7 +685,7 @@ bool AuthSocket::_HandleLogonProof() LoginDatabase.Execute(stmt); #if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) - LOG_DEBUG("network", "'%s:%d' [AuthChallenge] account %s got banned for '%u' seconds because it failed to authenticate '%u' times", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str(), WrongPassBanTime, failed_logins); + LOG_DEBUG("network", "'%s:%d' [AuthChallenge] account %s got banned for '%u' seconds because it failed to authenticate '%u' times", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _accountInfo.Login.c_str(), WrongPassBanTime, failed_logins); #endif } else @@ -706,7 +697,7 @@ bool AuthSocket::_HandleLogonProof() #if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) LOG_DEBUG("network", "'%s:%d' [AuthChallenge] IP %s got banned for '%u' seconds because account %s failed to authenticate '%u' times", - socket().getRemoteAddress().c_str(), socket().getRemotePort(), socket().getRemoteAddress().c_str(), WrongPassBanTime, _login.c_str(), failed_logins); + socket().getRemoteAddress().c_str(), socket().getRemotePort(), socket().getRemoteAddress().c_str(), WrongPassBanTime, _accountInfo.Login.c_str(), failed_logins); #endif } } @@ -757,20 +748,24 @@ bool AuthSocket::_HandleReconnectChallenge() LOG_DEBUG("network", "[ReconnectChallenge] name(%d): '%s'", ch->I_len, ch->I); #endif - _login = (const char*)ch->I; + std::string login((char const*)ch->I, ch->I_len); + + auto* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_RECONNECTCHALLENGE); + stmt->setString(0, login); - PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_SESSIONKEY); - stmt->setString(0, _login); PreparedQueryResult result = LoginDatabase.Query(stmt); // Stop if the account is not found if (!result) { - LOG_ERROR("server", "'%s:%d' [ERROR] user %s tried to login and we cannot find his session key in the database.", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str()); + LOG_ERROR("server", "'%s:%d' [ERROR] user %s tried to login and we cannot find his session key in the database.", socket().getRemoteAddress().c_str(), socket().getRemotePort(), login.c_str()); socket().shutdown(); return false; } + Field* fields = result->Fetch(); + _accountInfo.LoadResult(fields); + // Reinitialize build, expansion and the account securitylevel _build = ch->build; _expversion = uint8(AuthHelper::IsPostBCAcceptedClientBuild(_build) ? POST_BC_EXP_FLAG : (AuthHelper::IsPreBCAcceptedClientBuild(_build) ? PRE_BC_EXP_FLAG : NO_VALID_EXP_FLAG)); @@ -782,11 +777,7 @@ bool AuthSocket::_HandleReconnectChallenge() // Restore string order as its byte order is reversed std::reverse(_os.begin(), _os.end()); - Field* fields = result->Fetch(); - uint8 secLevel = fields[2].GetUInt8(); - _accountSecurityLevel = secLevel <= SEC_ADMINISTRATOR ? AccountTypes(secLevel) : SEC_ADMINISTRATOR; - - _sessionKey = fields[0].GetBinary(); + _sessionKey = fields[9].GetBinary(); acore::Crypto::GetRandomBytes(_reconnectProof); ///- All good, await client's proof @@ -815,14 +806,14 @@ bool AuthSocket::_HandleReconnectProof() _status = STATUS_CLOSED; - if (_login.empty()) + if (_accountInfo.Login.empty()) return false; BigNumber t1; t1.SetBinary(lp.R1, 16); acore::Crypto::SHA1 sha; - sha.UpdateData(_login); + sha.UpdateData(_accountInfo.Login); sha.UpdateData(t1.ToByteArray<16>()); sha.UpdateData(_reconnectProof); sha.UpdateData(_sessionKey); @@ -844,7 +835,7 @@ bool AuthSocket::_HandleReconnectProof() } else { - LOG_ERROR("server", "'%s:%d' [ERROR] user %s tried to login, but session is invalid.", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str()); + LOG_ERROR("server", "'%s:%d' [ERROR] user %s tried to login, but session is invalid.", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _accountInfo.Login.c_str()); socket().shutdown(); return false; } @@ -886,11 +877,12 @@ bool AuthSocket::_HandleRealmList() // Get the user id (else close the connection) // No SQL injection (prepared statement) PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_ACCOUNT_ID_BY_NAME); - stmt->setString(0, _login); + stmt->setString(0, _accountInfo.Login); + PreparedQueryResult result = LoginDatabase.Query(stmt); if (!result) { - LOG_ERROR("server", "'%s:%d' [ERROR] user %s tried to login but we cannot find him in the database.", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str()); + LOG_ERROR("server", "'%s:%d' [ERROR] user %s tried to login but we cannot find him in the database.", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _accountInfo.Login.c_str()); socket().shutdown(); return false; } @@ -939,7 +931,7 @@ bool AuthSocket::_HandleRealmList() // We don't need the port number from which client connects with but the realm's port clientAddr.set_port_number(realm.ExternalAddress.get_port_number()); - uint8 lock = (realm.allowedSecurityLevel > _accountSecurityLevel) ? 1 : 0; + uint8 lock = (realm.allowedSecurityLevel > _accountInfo.SecurityLevel) ? 1 : 0; uint8 AmountOfCharacters = 0; stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_NUM_CHARS_ON_REALM); diff --git a/src/server/authserver/Server/AuthSocket.h b/src/server/authserver/Server/AuthSocket.h index 26913aac9..06f835454 100644 --- a/src/server/authserver/Server/AuthSocket.h +++ b/src/server/authserver/Server/AuthSocket.h @@ -14,6 +14,7 @@ #include "SRP6.h" class ACE_INET_Addr; +class Fields; struct Realm; enum eStatus @@ -26,6 +27,21 @@ enum eStatus STATUS_CLOSED }; +struct AccountInfo +{ + void LoadResult(Field* fields); + + uint32 Id = 0; + std::string Login; + bool IsLockedToIP = false; + std::string LockCountry; + std::string LastIP; + uint32 FailedLogins = 0; + bool IsBanned = false; + bool IsPermanenetlyBanned = false; + AccountTypes SecurityLevel = SEC_PLAYER; +}; + // Handle login commands class AuthSocket: public RealmSocket::Session { @@ -65,7 +81,7 @@ private: eStatus _status; - std::string _login; + AccountInfo _accountInfo; Optional> _totpSecret; // Since GetLocaleByName() is _NOT_ bijective, we have to store the locale as a string. Otherwise we can't differ @@ -74,7 +90,6 @@ private: std::string _os; uint16 _build; uint8 _expversion; - AccountTypes _accountSecurityLevel; }; #endif diff --git a/src/server/database/Database/Implementation/LoginDatabase.cpp b/src/server/database/Database/Implementation/LoginDatabase.cpp index f9d43bcf9..4d9305bbc 100644 --- a/src/server/database/Database/Implementation/LoginDatabase.cpp +++ b/src/server/database/Database/Implementation/LoginDatabase.cpp @@ -11,6 +11,16 @@ void LoginDatabaseConnection::DoPrepareStatements() if (!m_reconnecting) m_stmts.resize(MAX_LOGINDATABASE_STATEMENTS); + PrepareStatement(LOGIN_SEL_LOGONCHALLENGE, "SELECT a.id, a.username, a.locked, a.lock_country, a.last_ip, a.failed_logins, ab.unbandate > UNIX_TIMESTAMP() OR ab.unbandate = ab.bandate, " + "ab.unbandate = ab.bandate, aa.gmlevel, a.totp_secret, a.salt, a.verifier " + "FROM account a LEFT JOIN account_access aa ON a.id = aa.id LEFT JOIN account_banned ab ON ab.id = a.id AND ab.active = 1 WHERE a.username = ?", CONNECTION_SYNCH); + PrepareStatement(LOGIN_SEL_RECONNECTCHALLENGE, "SELECT a.id, UPPER(a.username), a.locked, a.lock_country, a.last_ip, a.failed_logins, ab.unbandate > UNIX_TIMESTAMP() OR ab.unbandate = ab.bandate, " + "ab.unbandate = ab.bandate, aa.gmlevel, a.session_key " + "FROM account a LEFT JOIN account_access aa ON a.id = aa.id LEFT JOIN account_banned ab ON ab.id = a.id AND ab.active = 1 WHERE a.username = ? AND a.session_key IS NOT NULL", CONNECTION_SYNCH); + PrepareStatement(LOGIN_SEL_ACCOUNT_INFO_BY_NAME, "SELECT a.id, a.session_key, a.last_ip, a.locked, a.lock_country, a.expansion, a.mutetime, a.locale, a.recruiter, a.os, a.totaltime, " + "aa.gmlevel, ab.unbandate > UNIX_TIMESTAMP() OR ab.unbandate = ab.bandate, r.id FROM account a LEFT JOIN account_access aa ON a.id = aa.id AND aa.RealmID IN (-1, ?) " + "LEFT JOIN account_banned ab ON a.id = ab.id AND ab.active = 1 LEFT JOIN account r ON a.id = r.recruiter WHERE a.username = ? " + "AND a.session_key IS NOT NULL ORDER BY aa.RealmID DESC LIMIT 1", CONNECTION_SYNCH); PrepareStatement(LOGIN_SEL_REALMLIST, "SELECT id, name, address, localAddress, localSubnetMask, port, icon, flag, timezone, allowedSecurityLevel, population, gamebuild FROM realmlist WHERE flag <> 3 ORDER BY name", CONNECTION_SYNCH); PrepareStatement(LOGIN_DEL_EXPIRED_IP_BANS, "DELETE FROM ip_banned WHERE unbandate<>bandate AND unbandate<=UNIX_TIMESTAMP()", CONNECTION_ASYNC); PrepareStatement(LOGIN_UPD_EXPIRED_ACCOUNT_BANS, "UPDATE account_banned SET active = 0 WHERE active = 1 AND unbandate<>bandate AND unbandate<=UNIX_TIMESTAMP()", CONNECTION_SYNCH); @@ -23,16 +33,13 @@ void LoginDatabaseConnection::DoPrepareStatements() PrepareStatement(LOGIN_SEL_ACCOUNT_BANNED_BY_USERNAME, "SELECT account.id, username FROM account, account_banned WHERE account.id = account_banned.id AND active = 1 AND username LIKE CONCAT('%%', ?, '%%') GROUP BY account.id", CONNECTION_SYNCH); PrepareStatement(LOGIN_INS_ACCOUNT_AUTO_BANNED, "INSERT INTO account_banned VALUES (?, UNIX_TIMESTAMP(), UNIX_TIMESTAMP()+?, 'Trinity realmd', 'Failed login autoban', 1)", CONNECTION_ASYNC); PrepareStatement(LOGIN_DEL_ACCOUNT_BANNED, "DELETE FROM account_banned WHERE id = ?", CONNECTION_ASYNC); - PrepareStatement(LOGIN_SEL_SESSIONKEY, "SELECT a.session_key, a.id, aa.gmlevel FROM account a LEFT JOIN account_access aa ON (a.id = aa.id) WHERE username = ?", CONNECTION_SYNCH); PrepareStatement(LOGIN_UPD_LOGON, "UPDATE account SET salt = ?, verifier = ? WHERE id = ?", CONNECTION_ASYNC); PrepareStatement(LOGIN_UPD_LOGONPROOF, "UPDATE account SET session_key = ?, last_ip = ?, last_login = NOW(), locale = ?, failed_logins = 0, os = ? WHERE username = ?", CONNECTION_SYNCH); - PrepareStatement(LOGIN_SEL_LOGONCHALLENGE, "SELECT a.id, a.locked, a.lock_country, a.last_ip, aa.gmlevel, a.salt, a.verifier, a.totp_secret FROM account a LEFT JOIN account_access aa ON (a.id = aa.id) WHERE a.username = ?", CONNECTION_SYNCH); PrepareStatement(LOGIN_SEL_LOGON_COUNTRY, "SELECT country FROM ip2nation WHERE ip < ? ORDER BY ip DESC LIMIT 0,1", CONNECTION_SYNCH); PrepareStatement(LOGIN_UPD_FAILEDLOGINS, "UPDATE account SET failed_logins = failed_logins + 1 WHERE username = ?", CONNECTION_ASYNC); PrepareStatement(LOGIN_SEL_FAILEDLOGINS, "SELECT id, failed_logins FROM account WHERE username = ?", CONNECTION_SYNCH); PrepareStatement(LOGIN_SEL_ACCOUNT_ID_BY_NAME, "SELECT id FROM account WHERE username = ?", CONNECTION_SYNCH); PrepareStatement(LOGIN_SEL_ACCOUNT_LIST_BY_NAME, "SELECT id, username FROM account WHERE username = ?", CONNECTION_SYNCH); - PrepareStatement(LOGIN_SEL_ACCOUNT_INFO_BY_NAME, "SELECT id, session_key, last_ip, locked, lock_country, expansion, mutetime, locale, recruiter, os, totaltime FROM account WHERE username = ? AND session_key IS NOT NULL", CONNECTION_SYNCH); PrepareStatement(LOGIN_SEL_ACCOUNT_LIST_BY_EMAIL, "SELECT id, username FROM account WHERE email = ?", CONNECTION_SYNCH); PrepareStatement(LOGIN_SEL_NUM_CHARS_ON_REALM, "SELECT numchars FROM realmcharacters WHERE realmid = ? AND acctid= ?", CONNECTION_SYNCH); PrepareStatement(LOGIN_SEL_ACCOUNT_BY_IP, "SELECT id, username FROM account WHERE last_ip = ?", CONNECTION_SYNCH); diff --git a/src/server/database/Database/Implementation/LoginDatabase.h b/src/server/database/Database/Implementation/LoginDatabase.h index c9409f532..7f88158da 100644 --- a/src/server/database/Database/Implementation/LoginDatabase.h +++ b/src/server/database/Database/Implementation/LoginDatabase.h @@ -41,10 +41,10 @@ enum LoginDatabaseStatements LOGIN_SEL_ACCOUNT_BANNED_BY_USERNAME, LOGIN_INS_ACCOUNT_AUTO_BANNED, LOGIN_DEL_ACCOUNT_BANNED, - LOGIN_SEL_SESSIONKEY, LOGIN_UPD_LOGON, LOGIN_UPD_LOGONPROOF, LOGIN_SEL_LOGONCHALLENGE, + LOGIN_SEL_RECONNECTCHALLENGE, LOGIN_SEL_LOGON_COUNTRY, LOGIN_UPD_FAILEDLOGINS, LOGIN_SEL_FAILEDLOGINS, diff --git a/src/server/game/Server/WorldSocket.cpp b/src/server/game/Server/WorldSocket.cpp index 23ffd0c34..14dc4aa49 100644 --- a/src/server/game/Server/WorldSocket.cpp +++ b/src/server/game/Server/WorldSocket.cpp @@ -90,6 +90,58 @@ struct ClientPktHeader #pragma pack(pop) #endif +struct AccountInfo +{ + uint32 Id; + ::SessionKey SessionKey; + std::string LastIP; + bool IsLockedToIP; + std::string LockCountry; + uint8 Expansion; + int64 MuteTime; + LocaleConstant Locale; + uint32 Recruiter; + std::string OS; + bool IsRectuiter; + AccountTypes Security; + bool IsBanned; + uint32 TotalTime; + + explicit AccountInfo(Field* fields) + { + // 0 1 2 3 4 5 6 7 8 9 10 11 + // SELECT a.id, a.sessionkey, a.last_ip, a.locked, a.lock_country, a.expansion, a.mutetime, a.locale, a.recruiter, a.os, a.totaltime, aa.gmLevel, + // 12 13 + // ab.unbandate > UNIX_TIMESTAMP() OR ab.unbandate = ab.bandate, r.id + // FROM account a + // LEFT JOIN account_access aa ON a.id = aa.AccountID AND aa.RealmID IN (-1, ?) + // LEFT JOIN account_banned ab ON a.id = ab.id + // LEFT JOIN account r ON a.id = r.recruiter + // WHERE a.username = ? ORDER BY aa.RealmID DESC LIMIT 1 + Id = fields[0].GetUInt32(); + SessionKey = fields[1].GetBinary(); + LastIP = fields[2].GetString(); + IsLockedToIP = fields[3].GetBool(); + LockCountry = fields[4].GetString(); + Expansion = fields[5].GetUInt8(); + MuteTime = fields[6].GetInt64(); + Locale = LocaleConstant(fields[7].GetUInt8()); + Recruiter = fields[8].GetUInt32(); + OS = fields[9].GetString(); + TotalTime = fields[10].GetUInt32(); + Security = AccountTypes(fields[11].GetUInt8()); + IsBanned = fields[12].GetUInt64() != 0; + IsRectuiter = fields[13].GetUInt32() != 0; + + uint32 world_expansion = sWorld->getIntConfig(CONFIG_EXPANSION); + if (Expansion > world_expansion) + Expansion = world_expansion; + + if (Locale >= TOTAL_LOCALES) + Locale = LOCALE_enUS; + } +}; + WorldSocket::WorldSocket(void): WorldHandler(), m_LastPingTime(SystemTimePoint::min()), m_OverSpeedPings(0), m_Session(0), m_RecvWPct(0), m_RecvPct(), m_Header(sizeof (ClientPktHeader)), @@ -734,18 +786,11 @@ int WorldSocket::HandleAuthSession(WorldPacket& recvPacket) uint32 loginServerID, loginServerType, regionID, battlegroupID, realm; uint64 DosResponse; uint32 BuiltNumberClient; - uint32 id, security; - uint32 TotalTime = 0; - bool skipQueue = false; - //uint8 expansion = 0; - LocaleConstant locale; - std::string account; + std::string accountName; WorldPacket packet, SendAddonPacked; std::array clientSeed; acore::Crypto::SHA1::Digest digest; - bool wardenActive = sWorld->getBoolConfig(CONFIG_WARDEN_ENABLED); - if (sWorld->IsClosed()) { packet.Initialize(SMSG_AUTH_RESPONSE, 1); @@ -759,7 +804,7 @@ int WorldSocket::HandleAuthSession(WorldPacket& recvPacket) // Read the content of the packet recvPacket >> BuiltNumberClient; // for now no use recvPacket >> loginServerID; - recvPacket >> account; + recvPacket >> accountName; recvPacket >> loginServerType; recvPacket.read(clientSeed); recvPacket >> regionID; @@ -769,15 +814,15 @@ int WorldSocket::HandleAuthSession(WorldPacket& recvPacket) recvPacket.read(digest); #if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) - LOG_DEBUG("server", "WorldSocket::HandleAuthSession: client %u, loginServerID %u, account %s, loginServerType %u", - BuiltNumberClient, loginServerID, account.c_str(), loginServerType); + LOG_DEBUG("server", "WorldSocket::HandleAuthSession: client %u, loginServerID %u, accountName %s, loginServerType %u", + BuiltNumberClient, loginServerID, accountName.c_str(), loginServerType); #endif // Get the account information from the realmd database // 0 1 2 3 4 5 6 7 8 9 10 // SELECT id, sessionkey, last_ip, locked, lock_country, expansion, mutetime, locale, recruiter, os, totaltime FROM account WHERE username = ? - PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_ACCOUNT_INFO_BY_NAME); - - stmt->setString(0, account); + auto* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_ACCOUNT_INFO_BY_NAME); + stmt->setInt32(0, int32(realmID)); + stmt->setString(1, accountName); PreparedQueryResult result = LoginDatabase.Query(stmt); @@ -785,8 +830,8 @@ int WorldSocket::HandleAuthSession(WorldPacket& recvPacket) if (!result) { // We can not log here, as we do not know the account. Thus, no accountId. - packet.Initialize (SMSG_AUTH_RESPONSE, 1); - packet << uint8 (AUTH_UNKNOWN_ACCOUNT); + packet.Initialize(SMSG_AUTH_RESPONSE, 1); + packet << uint8(AUTH_UNKNOWN_ACCOUNT); SendPacket(packet); @@ -794,136 +839,55 @@ int WorldSocket::HandleAuthSession(WorldPacket& recvPacket) return -1; } - Field* fields = result->Fetch(); - - uint8 expansion = fields[5].GetUInt8(); - uint32 world_expansion = sWorld->getIntConfig(CONFIG_EXPANSION); - if (expansion > world_expansion) - expansion = world_expansion; + AccountInfo account(result->Fetch()); // For hook purposes, we get Remoteaddress at this point std::string address = GetRemoteAddress(); // Originally, this variable should be called address, but for some reason, that variable name was already on the core. // As we don't know if attempted login process by ip works, we update last_attempt_ip right away stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_LAST_ATTEMPT_IP); - stmt->setString(0, address); - stmt->setString(1, account); + stmt->setString(1, accountName); LoginDatabase.Execute(stmt); // This also allows to check for possible "hack" attempts on account - // id has to be fetched at this point, so that first actual account response that fails can be logged - id = fields[0].GetUInt32(); + // even if auth credentials are bad, try using the session key we have - client cannot read auth response error without it + m_Crypt.Init(account.SessionKey); - ///- Re-check ip locking (same check as in realmd). - if (fields[3].GetUInt8() == 1) // if ip is locked - { - if (strcmp (fields[2].GetCString(), address.c_str())) - { - packet.Initialize (SMSG_AUTH_RESPONSE, 1); - packet << uint8 (AUTH_FAILED); - SendPacket(packet); - - LOG_INFO("server", "WorldSocket::HandleAuthSession: Sent Auth Response (Account IP differs. Original IP: %s, new IP: %s).", fields[2].GetCString(), address.c_str()); - // We could log on hook only instead of an additional db log, however action logger is config based. Better keep DB logging as well - sScriptMgr->OnFailedAccountLogin(id); - return -1; - } - } - - /* - if (security > SEC_ADMINISTRATOR) // prevent invalid security settings in DB - security = SEC_ADMINISTRATOR; - */ - - SessionKey sessionKey = fields[1].GetBinary(); - - int64 mutetime = fields[6].GetInt64(); - //! Negative mutetime indicates amount of seconds to be muted effective on next login - which is now. - if (mutetime < 0) - { - mutetime = time(nullptr) + llabs(mutetime); - - PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_MUTE_TIME_LOGIN); - - stmt->setInt64(0, mutetime); - stmt->setUInt32(1, id); - - LoginDatabase.Execute(stmt); - } - - locale = LocaleConstant (fields[7].GetUInt8()); - if (locale >= TOTAL_LOCALES) - locale = LOCALE_enUS; - - uint32 recruiter = fields[8].GetUInt32(); - std::string os = fields[9].GetString(); - TotalTime = fields[10].GetUInt32(); - - // Must be done before WorldSession is created - if (wardenActive && os != "Win" && os != "OSX") + // First reject the connection if packet contains invalid data or realm state doesn't allow logging in + if (sWorld->IsClosed()) { packet.Initialize(SMSG_AUTH_RESPONSE, 1); packet << uint8(AUTH_REJECT); SendPacket(packet); - LOG_ERROR("server", "WorldSocket::HandleAuthSession: Client %s attempted to log in using invalid client OS (%s).", address.c_str(), os.c_str()); + LOG_ERROR("server", "WorldSocket::HandleAuthSession: World closed, denying client (%s).", address.c_str()); + sScriptMgr->OnFailedAccountLogin(account.Id); return -1; } - // Checks gmlevel per Realm - stmt = LoginDatabase.GetPreparedStatement(LOGIN_GET_GMLEVEL_BY_REALMID); - - stmt->setUInt32(0, id); - stmt->setInt32(1, int32(realmID)); - - result = LoginDatabase.Query(stmt); - - if (!result) - security = 0; - else + if (realm != realmID) { - fields = result->Fetch(); - security = fields[0].GetUInt8(); - skipQueue = true; - } - - // Re-check account ban (same check as in realmd) - stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_BANS); - - stmt->setUInt32(0, id); - stmt->setString(1, address); - - PreparedQueryResult banresult = LoginDatabase.Query(stmt); - - if (banresult) // if account banned - { - packet.Initialize (SMSG_AUTH_RESPONSE, 1); - packet << uint8 (AUTH_BANNED); + packet.Initialize(SMSG_AUTH_RESPONSE, 1); + packet << uint8(REALM_LIST_REALM_NOT_FOUND); SendPacket(packet); - LOG_ERROR("server", "WorldSocket::HandleAuthSession: Sent Auth Response (Account banned)."); - sScriptMgr->OnFailedAccountLogin(id); + LOG_ERROR("server", "WorldSocket::HandleAuthSession: Client %s requested connecting with realm id %u but this realm has id %u set in config.", + address.c_str(), realm, realmID); + sScriptMgr->OnFailedAccountLogin(account.Id); return -1; } - // Check locked state for server - AccountTypes allowedAccountType = sWorld->GetPlayerSecurityLimit(); -#if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) - LOG_DEBUG("network", "Allowed Level: %u Player Level %u", allowedAccountType, AccountTypes(security)); -#endif - if (AccountTypes(security) < allowedAccountType) + // Must be done before WorldSession is created + bool wardenActive = sWorld->getBoolConfig(CONFIG_WARDEN_ENABLED); + if (wardenActive && account.OS != "Win" && account.OS != "OSX") { - WorldPacket Packet (SMSG_AUTH_RESPONSE, 1); - Packet << uint8 (AUTH_UNAVAILABLE); - + packet.Initialize(SMSG_AUTH_RESPONSE, 1); + packet << uint8(AUTH_REJECT); SendPacket(packet); - -#if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) - LOG_DEBUG("server", "WorldSocket::HandleAuthSession: User tries to login but his security level is not enough"); -#endif - sScriptMgr->OnFailedAccountLogin(id); + LOG_ERROR("network", "WorldSocket::HandleAuthSession: Client %s attempted to log in using invalid client OS (%s).", address.c_str(), account.OS.c_str()); + sScriptMgr->OnFailedAccountLogin(account.Id); return -1; } @@ -931,89 +895,105 @@ int WorldSocket::HandleAuthSession(WorldPacket& recvPacket) uint8 t[4] = { 0x00, 0x00, 0x00, 0x00 }; acore::Crypto::SHA1 sha; - sha.UpdateData (account); + sha.UpdateData(accountName); sha.UpdateData(t); sha.UpdateData(clientSeed); sha.UpdateData(m_Seed); - sha.UpdateData(sessionKey); + sha.UpdateData(account.SessionKey); sha.Finalize(); if (sha.GetDigest() != digest) { - packet.Initialize (SMSG_AUTH_RESPONSE, 1); - packet << uint8 (AUTH_FAILED); + packet.Initialize(SMSG_AUTH_RESPONSE, 1); + packet << uint8(AUTH_FAILED); SendPacket(packet); - LOG_ERROR("server", "WorldSocket::HandleAuthSession: Authentication failed for account: %u ('%s') address: %s", id, account.c_str(), address.c_str()); + LOG_ERROR("server", "WorldSocket::HandleAuthSession: Authentication failed for account: %u ('%s') address: %s", account.Id, accountName.c_str(), address.c_str()); return -1; } -#if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) - LOG_DEBUG("server", "WorldSocket::HandleAuthSession: Client '%s' authenticated successfully from %s.", - account.c_str(), - address.c_str()); -#endif - // Check if this user is by any chance a recruiter - stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_ACCOUNT_RECRUITER); + /*if (IpLocationRecord const* location = sIPLocation->GetLocationRecord(address)) + _ipCountry = location->CountryCode;*/ - stmt->setUInt32(0, id); + ///- Re-check ip locking (same check as in auth). + if (account.IsLockedToIP) + { + if (account.LastIP != address) + { + packet.Initialize(SMSG_AUTH_RESPONSE, 1); + packet << uint8(AUTH_FAILED); + SendPacket(packet); + LOG_DEBUG("network", "WorldSocket::HandleAuthSession: Sent Auth Response (Account IP differs. Original IP: %s, new IP: %s).", account.LastIP.c_str(), address.c_str()); + // We could log on hook only instead of an additional db log, however action logger is config based. Better keep DB logging as well + sScriptMgr->OnFailedAccountLogin(account.Id); + return -1; + } + } + //else if (!account.LockCountry.empty() && account.LockCountry != "00" && !_ipCountry.empty()) + //{ + // if (account.LockCountry != _ipCountry) + // { + // packet.Initialize(SMSG_AUTH_RESPONSE, 1); + // packet << uint8(AUTH_REJECT); + // LOG_DEBUG("network", "WorldSocket::HandleAuthSession: Sent Auth Response (Account country differs. Original country: %s, new country: %s).", account.LockCountry.c_str(), _ipCountry.c_str()); + // // We could log on hook only instead of an additional db log, however action logger is config based. Better keep DB logging as well + // sScriptMgr->OnFailedAccountLogin(account.Id); + // return -1; + // } + //} - result = LoginDatabase.Query(stmt); + if (account.IsBanned) + { + packet.Initialize(SMSG_AUTH_RESPONSE, 1); + packet << uint8(AUTH_BANNED); + SendPacket(packet); + LOG_ERROR("network", "WorldSocket::HandleAuthSession: Sent Auth Response (Account banned)."); + sScriptMgr->OnFailedAccountLogin(account.Id); + return -1; + } - bool isRecruiter = false; - if (result) - isRecruiter = true; + // Check locked state for server + AccountTypes allowedAccountType = sWorld->GetPlayerSecurityLimit(); + LOG_DEBUG("network", "Allowed Level: %u Player Level %u", allowedAccountType, account.Security); + if (allowedAccountType > SEC_PLAYER && account.Security < allowedAccountType) + { + packet.Initialize(SMSG_AUTH_RESPONSE, 1); + packet << uint8(AUTH_UNAVAILABLE); + LOG_DEBUG("network", "WorldSocket::HandleAuthSession: User tries to login but his security level is not enough"); + sScriptMgr->OnFailedAccountLogin(account.Id); + return -1; + } + + LOG_DEBUG("network", "WorldSocket::HandleAuthSession: Client '%s' authenticated successfully from %s.", accountName.c_str(), address.c_str()); // Update the last_ip in the database as it was successful for login stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_LAST_IP); - stmt->setString(0, address); - stmt->setString(1, account); - + stmt->setString(1, accountName); LoginDatabase.Execute(stmt); - sScriptMgr->OnLastIpUpdate(id, address); + sScriptMgr->OnLastIpUpdate(account.Id, address); + + bool skipQueue = false; + + if (account.Security > SEC_PLAYER) + skipQueue = true; // NOTE ATM the socket is single-threaded, have this in mind ... - ACE_NEW_RETURN(m_Session, WorldSession(id, this, AccountTypes(security), expansion, mutetime, locale, recruiter, isRecruiter, skipQueue, TotalTime), -1); - - m_Crypt.Init(sessionKey); - - // First reject the connection if packet contains invalid data or realm state doesn't allow logging in - if (sWorld->IsClosed()) - { - packet.Initialize (SMSG_AUTH_RESPONSE, 1); - packet << uint8 (AUTH_REJECT); - SendPacket(packet); - - LOG_ERROR("server", "WorldSocket::HandleAuthSession: World closed, denying client (%s).", address.c_str()); - sScriptMgr->OnFailedAccountLogin(id); - return -1; - } - - if (realm != realmID) - { - packet.Initialize (SMSG_AUTH_RESPONSE, 1); - packet << uint8 (REALM_LIST_REALM_NOT_FOUND); - SendPacket(packet); - - LOG_ERROR("server", "WorldSocket::HandleAuthSession: Client %s requested connecting with realm id %u but this realm has id %u set in config.", - address.c_str(), realm, realmID); - sScriptMgr->OnFailedAccountLogin(id); - return -1; - } + ACE_NEW_RETURN(m_Session, + WorldSession(account.Id, this, AccountTypes(account.Security), account.Expansion, account.MuteTime, account.Locale, account.Recruiter, account.IsRectuiter, skipQueue, account.TotalTime), -1); m_Session->LoadGlobalAccountData(); m_Session->LoadTutorialsData(); m_Session->ReadAddonsInfo(recvPacket); // At this point, we can safely hook a successful login - sScriptMgr->OnAccountLogin(id); + sScriptMgr->OnAccountLogin(account.Id); // Initialize Warden system only if it is enabled by config if (wardenActive) - m_Session->InitWarden(sessionKey, os); + m_Session->InitWarden(account.SessionKey, account.OS); // Sleep this Network thread for uint32 sleepTime = sWorld->getIntConfig(CONFIG_SESSION_ADD_DELAY);