From fe6db2ff96f85ae998e8729ddf7a05aa36da8b6d Mon Sep 17 00:00:00 2001 From: Kitzunu <24550914+Kitzunu@users.noreply.github.com> Date: Thu, 20 May 2021 23:23:50 +0200 Subject: [PATCH] Revert "feat(Core/Auth): add AccountInfo helper (#5640)" (#5971) This reverts commit e50754d804987ec93792b6a4d113913ab018189b. --- src/server/authserver/Server/AuthSocket.cpp | 434 +++++++++--------- src/server/authserver/Server/AuthSocket.h | 19 +- .../Database/Implementation/LoginDatabase.cpp | 13 +- .../Database/Implementation/LoginDatabase.h | 2 +- src/server/game/Server/WorldSocket.cpp | 324 +++++++------ 5 files changed, 399 insertions(+), 393 deletions(-) diff --git a/src/server/authserver/Server/AuthSocket.cpp b/src/server/authserver/Server/AuthSocket.cpp index 123439358..a00127cb1 100644 --- a/src/server/authserver/Server/AuthSocket.cpp +++ b/src/server/authserver/Server/AuthSocket.cpp @@ -177,37 +177,13 @@ const AuthHandler table[] = #define AUTH_TOTAL_COMMANDS 8 -void AccountInfo::LoadResult(Field* fields) -{ - // 0 1 2 3 4 5 6 - //SELECT a.id, a.username, a.locked, a.lock_country, a.last_ip, a.failed_logins, ab.unbandate > UNIX_TIMESTAMP() OR ab.unbandate = ab.bandate, - // 7 8 - // ab.unbandate = ab.bandate, aa.gmlevel (, more query-specific fields) - //FROM account a LEFT JOIN account_access aa ON a.id = aa.AccountID LEFT JOIN account_banned ab ON ab.id = a.id AND ab.active = 1 WHERE a.username = ? - - Id = fields[0].GetUInt32(); - Login = fields[1].GetString(); - IsLockedToIP = fields[2].GetBool(); - LockCountry = fields[3].GetString(); - LastIP = fields[4].GetString(); - FailedLogins = fields[5].GetUInt32(); - IsBanned = fields[6].GetUInt64() != 0; - IsPermanenetlyBanned = fields[7].GetUInt64() != 0; - SecurityLevel = static_cast(fields[8].GetUInt8()) > SEC_CONSOLE ? SEC_CONSOLE : static_cast(fields[8].GetUInt8()); - - // Use our own uppercasing of the account name instead of using UPPER() in mysql query - // This is how the account was created in the first place and changing it now would result in breaking - // login for all accounts having accented characters in their name - Utf8ToUpperOnlyLatin(Login); -} - // Holds the MD5 hash of client patches present on the server Patcher PatchesCache; // Constructor - set the N and g values for SRP6 AuthSocket::AuthSocket(RealmSocket& socket) : pPatch(nullptr), socket_(socket), _status(STATUS_CHALLENGE), _build(0), - _expversion(0) + _expversion(0), _accountSecurityLevel(SEC_PLAYER) { } @@ -313,6 +289,30 @@ bool AuthSocket::_HandleLogonChallenge() ///- Session is closed unless overriden _status = STATUS_CLOSED; + // pussywizard: logon flood protection: + { + std::lock_guard guard(LastLoginAttemptMutex); + std::string ipaddr = socket().getRemoteAddress(); + uint32 currTime = time(nullptr); + std::map::iterator itr = LastLoginAttemptTimeForIP.find(ipaddr); + if (itr != LastLoginAttemptTimeForIP.end() && itr->second >= currTime) + { + ByteBuffer pkt; + pkt << uint8(AUTH_LOGON_CHALLENGE); + pkt << uint8(0x00); + pkt << uint8(WOW_FAIL_UNKNOWN_ACCOUNT); + socket().send((char const*)pkt.contents(), pkt.size()); + return true; + } + if (LastLoginAttemptCleanTime + 60 < currTime) + { + LastLoginAttemptTimeForIP.clear(); + LastLoginAttemptCleanTime = currTime; + } + else + LastLoginAttemptTimeForIP[ipaddr] = currTime; + } + // Read the first 4 bytes (header) to get the length of the remaining of the packet std::vector buf; buf.resize(4); @@ -351,9 +351,9 @@ bool AuthSocket::_HandleLogonChallenge() EndianConvert(ch->timezone_bias); EndianConvert(ch->ip); - std::string login((char const*)ch->I, ch->I_len); - LOG_DEBUG("server.authserver", "[AuthChallenge] '%s'", login.c_str()); + ByteBuffer pkt; + _login = (const char*)ch->I; _build = ch->build; _expversion = uint8(AuthHelper::IsPostBCAcceptedClientBuild(_build) ? POST_BC_EXP_FLAG : (AuthHelper::IsPreBCAcceptedClientBuild(_build) ? PRE_BC_EXP_FLAG : NO_VALID_EXP_FLAG)); _os = (const char*)ch->os; @@ -364,180 +364,188 @@ bool AuthSocket::_HandleLogonChallenge() // Restore string order as its byte order is reversed std::reverse(_os.begin(), _os.end()); - ByteBuffer pkt; pkt << uint8(AUTH_LOGON_CHALLENGE); pkt << uint8(0x00); - auto SendAuthPacket = [&]() - { - socket().send((char const*)pkt.contents(), pkt.size()); - }; - // Verify that this IP is not in the ip_banned table LoginDatabase.Execute(LoginDatabase.GetPreparedStatement(LOGIN_DEL_EXPIRED_IP_BANS)); - std::string const& ipAddress = socket().getRemoteAddress(); - uint32 port = socket().getRemotePort(); + std::string const& ip_address = socket().getRemoteAddress(); + PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_IP_BANNED); + stmt->setString(0, ip_address); - // Get the account details from the account table - // No SQL injection (prepared statement) - auto stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_LOGONCHALLENGE); - stmt->setString(0, login); - - PreparedQueryResult res2 = LoginDatabase.Query(stmt); - if (!res2) //no account + PreparedQueryResult result = LoginDatabase.Query(stmt); + if (result) { - pkt << uint8(WOW_FAIL_UNKNOWN_ACCOUNT); - SendAuthPacket(); - return true; - } - - Field* fields = res2->Fetch(); - - _accountInfo.LoadResult(fields); - - // If the IP is 'locked', check that the player comes indeed from the correct IP address - if (_accountInfo.IsLockedToIP) - { - LOG_DEBUG("server.authserver", "[AuthChallenge] Account '%s' is locked to IP - '%s' is logging in from '%s'", _accountInfo.Login.c_str(), _accountInfo.LastIP.c_str(), ipAddress.c_str()); - - if (_accountInfo.LastIP != ipAddress) - { - LOG_DEBUG("network", "[AuthChallenge] Account IP differs"); - pkt << uint8(WOW_FAIL_LOCKED_ENFORCED); - SendAuthPacket(); - return true; - } + pkt << uint8(WOW_FAIL_BANNED); +#if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) + LOG_DEBUG("network", "'%s:%d' [AuthChallenge] Banned ip tries to login!", socket().getRemoteAddress().c_str(), socket().getRemotePort()); +#endif } else { - LOG_DEBUG("network", "[AuthChallenge] Account '%s' is not locked to ip", _accountInfo.Login.c_str()); + // Get the account details from the account table + // No SQL injection (prepared statement) + stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_LOGONCHALLENGE); + stmt->setString(0, _login); - if (_accountInfo.LockCountry.empty() || _accountInfo.LockCountry == "00") + PreparedQueryResult res2 = LoginDatabase.Query(stmt); + if (res2) { - LOG_DEBUG("network", "[AuthChallenge] Account '%s' is not locked to country", _accountInfo.Login.c_str()); - } - else if (!_accountInfo.LockCountry.empty()) - { - uint32 ip = inet_addr(ipAddress.c_str()); - EndianConvertReverse(ip); + Field* fields = res2->Fetch(); - stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_LOGON_COUNTRY); - stmt->setUInt32(0, ip); - - if (PreparedQueryResult sessionCountryQuery = LoginDatabase.Query(stmt)) + // If the IP is 'locked', check that the player comes indeed from the correct IP address + bool locked = false; + if (fields[1].GetUInt8() == 1) // if ip is locked { - std::string loginCountry = (*sessionCountryQuery)[0].GetString(); - LOG_DEBUG("network", "[AuthChallenge] Account '%s' is locked to country: '%s' Player country is '%s'", _accountInfo.Login.c_str(), _accountInfo.LockCountry.c_str(), loginCountry.c_str()); - if (loginCountry != _accountInfo.LockCountry) + LOG_DEBUG("network", "[AuthChallenge] Account '%s' is locked to IP - '%s'", _login.c_str(), fields[2].GetCString()); + LOG_DEBUG("network", "[AuthChallenge] Player address is '%s'", ip_address.c_str()); + + if (strcmp(fields[3].GetCString(), ip_address.c_str()) != 0) { - LOG_DEBUG("network", "[AuthChallenge] Account country differs."); - pkt << uint8(WOW_FAIL_UNLOCKABLE_LOCK); - SendAuthPacket(); - return true; + LOG_DEBUG("network", "[AuthChallenge] Account IP differs"); + pkt << uint8(WOW_FAIL_LOCKED_ENFORCED); + locked = true; + } + else + LOG_DEBUG("network", "[AuthChallenge] Account IP matches"); + } + else + { + LOG_DEBUG("network", "[AuthChallenge] Account '%s' is not locked to ip", _login.c_str()); + std::string accountCountry = fields[2].GetString(); + if (accountCountry.empty() || accountCountry == "00") + LOG_DEBUG("network", "[AuthChallenge] Account '%s' is not locked to country", _login.c_str()); + else if (!accountCountry.empty()) + { + uint32 ip = inet_addr(ip_address.c_str()); + EndianConvertReverse(ip); + + stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_LOGON_COUNTRY); + stmt->setUInt32(0, ip); + if (PreparedQueryResult sessionCountryQuery = LoginDatabase.Query(stmt)) + { + std::string loginCountry = (*sessionCountryQuery)[0].GetString(); + LOG_DEBUG("network", "[AuthChallenge] Account '%s' is locked to country: '%s' Player country is '%s'", _login.c_str(), accountCountry.c_str(), loginCountry.c_str()); + if (loginCountry != accountCountry) + { + LOG_DEBUG("network", "[AuthChallenge] Account country differs."); + pkt << uint8(WOW_FAIL_UNLOCKABLE_LOCK); + locked = true; + } + else + LOG_DEBUG("network", "[AuthChallenge] Account country matches"); + } + else + LOG_DEBUG("network", "[AuthChallenge] IP2NATION Table empty"); + } + } + + uint8 securityFlags = 0; + _totpSecret = fields[7].GetBinary(); + + // Check if a TOTP token is needed + if (!_totpSecret || !_totpSecret.value().empty()) + { + securityFlags = 4; + + if (auto const& secret = sSecretMgr->GetSecret(SECRET_TOTP_MASTER_KEY)) + { + bool success = acore::Crypto::AEDecrypt(*_totpSecret, *secret); + if (!success) + { + pkt << uint8(WOW_FAIL_DB_BUSY); + LOG_ERROR("server.authserver", "[AuthChallenge] Account '%s' has invalid ciphertext for TOTP token key stored", _login.c_str()); + locked = true; + } + } + } + + if (!locked) + { + //set expired bans to inactive + LoginDatabase.DirectExecute(LoginDatabase.GetPreparedStatement(LOGIN_UPD_EXPIRED_ACCOUNT_BANS)); + + // If the account is banned, reject the logon attempt + stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_ACCOUNT_BANNED); + stmt->setUInt32(0, fields[0].GetUInt32()); + + PreparedQueryResult banresult = LoginDatabase.Query(stmt); + if (banresult) + { + if ((*banresult)[0].GetUInt32() == (*banresult)[1].GetUInt32()) + { + pkt << uint8(WOW_FAIL_BANNED); + LOG_DEBUG("network", "'%s:%d' [AuthChallenge] Banned account %s tried to login!", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str()); + } + else + { + pkt << uint8(WOW_FAIL_SUSPENDED); + LOG_DEBUG("network", "'%s:%d' [AuthChallenge] Temporarily banned account %s tried to login!", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str()); + } + } + else + { + _srp6.emplace(_login, fields[5].GetBinary(), fields[6].GetBinary()); + + BigNumber unk3; + unk3.SetRand(16 * 8); + + // Fill the response packet with the result + if (AuthHelper::IsAcceptedClientBuild(_build)) + pkt << uint8(WOW_SUCCESS); + else + pkt << uint8(WOW_FAIL_VERSION_INVALID); + + // B may be calculated < 32B so we force minimal length to 32B + pkt.append(_srp6->B); + pkt << uint8(1); + pkt.append(_srp6->g); + pkt << uint8(32); + pkt.append(_srp6->N); + pkt.append(_srp6->s); + pkt.append(unk3.ToByteArray<16>()); + + pkt << uint8(securityFlags); // security flags (0x0...0x04) + + if (securityFlags & 0x01) // PIN input + { + pkt << uint32(0); + pkt << uint64(0) << uint64(0); // 16 bytes hash? + } + + if (securityFlags & 0x02) // Matrix input + { + pkt << uint8(0); + pkt << uint8(0); + pkt << uint8(0); + pkt << uint8(0); + pkt << uint64(0); + } + + if (securityFlags & 0x04) // Security token input + pkt << uint8(1); + + uint8 secLevel = fields[4].GetUInt8(); + _accountSecurityLevel = secLevel <= SEC_ADMINISTRATOR ? AccountTypes(secLevel) : SEC_ADMINISTRATOR; + + _localizationName.resize(4); + for (int i = 0; i < 4; ++i) + _localizationName[i] = ch->country[4 - i - 1]; + + LOG_DEBUG("network", "'%s:%d' [AuthChallenge] account %s is using '%c%c%c%c' locale (%u)", + socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str(), ch->country[3], ch->country[2], ch->country[1], ch->country[0], GetLocaleByName(_localizationName)); + + ///- All good, await client's proof + _status = STATUS_LOGON_PROOF; } } } + else //no account + pkt << uint8(WOW_FAIL_UNKNOWN_ACCOUNT); } - // If the account is banned, reject the logon attempt - if (_accountInfo.IsBanned) - { - if (_accountInfo.IsPermanenetlyBanned) - { - pkt << uint8(WOW_FAIL_BANNED); - LOG_DEBUG("server.authserver.banned", "'%s:%d' [AuthChallenge] Banned account %s tried to login!", ipAddress.c_str(), port, _accountInfo.Login.c_str()); - } - else - { - pkt << uint8(WOW_FAIL_SUSPENDED); - LOG_DEBUG("server.authserver.banned", "'%s:%d' [AuthChallenge] Temporarily banned account %s tried to login!", ipAddress.c_str(), port, _accountInfo.Login.c_str()); - } - - SendAuthPacket(); - return true; - } - - uint8 securityFlags = 0; - - // Check if a TOTP token is needed - if (!fields[9].IsNull()) - { - LOG_DEBUG("server.authserver", "[AuthChallenge] Account '%s' using TOTP", _accountInfo.Login.c_str()); - - securityFlags = 4; - _totpSecret = fields[9].GetBinary(); - if (auto const& secret = sSecretMgr->GetSecret(SECRET_TOTP_MASTER_KEY)) - { - bool success = acore::Crypto::AEDecrypt(*_totpSecret, *secret); - if (!success) - { - pkt << uint8(WOW_FAIL_DB_BUSY); - LOG_ERROR("server.authserver", "[AuthChallenge] Account '%s' has invalid ciphertext for TOTP token key stored", _accountInfo.Login.c_str()); - SendAuthPacket(); - return true; - } - } - } - - _srp6.emplace( - _accountInfo.Login, - fields[10].GetBinary(), - fields[11].GetBinary()); - - BigNumber unk3; - unk3.SetRand(16 * 8); - - // Fill the response packet with the result - if (!AuthHelper::IsAcceptedClientBuild(_build)) - { - pkt << uint8(WOW_FAIL_VERSION_INVALID); - SendAuthPacket(); - return true; - } - - pkt << uint8(WOW_SUCCESS); - - // B may be calculated < 32B so we force minimal length to 32B - pkt.append(_srp6->B); - pkt << uint8(1); - pkt.append(_srp6->g); - pkt << uint8(32); - pkt.append(_srp6->N); - pkt.append(_srp6->s); - pkt.append(unk3.ToByteArray<16>()); - - pkt << uint8(securityFlags); // security flags (0x0...0x04) - - if (securityFlags & 0x01) // PIN input - { - pkt << uint32(0); - pkt << uint64(0) << uint64(0); // 16 bytes hash? - } - - if (securityFlags & 0x02) // Matrix input - { - pkt << uint8(0); - pkt << uint8(0); - pkt << uint8(0); - pkt << uint8(0); - pkt << uint64(0); - } - - if (securityFlags & 0x04) // Security token input - pkt << uint8(1); - - _localizationName.resize(4); - for (int i = 0; i < 4; ++i) - _localizationName[i] = ch->country[4 - i - 1]; - - LOG_DEBUG("network", "'%s:%d' [AuthChallenge] account %s is using locale (%u)", - ipAddress.c_str(), port, _accountInfo.Login.c_str(), GetLocaleByName(_localizationName)); - - ///- All good, await client's proof - _status = STATUS_LOGON_PROOF; - - SendAuthPacket(); + socket().send((char const*)pkt.contents(), pkt.size()); return true; } @@ -551,9 +559,7 @@ bool AuthSocket::_HandleLogonProof() sAuthLogonProof_C lp; if (!socket().recv((char*)&lp, sizeof(sAuthLogonProof_C))) - { return false; - } _status = STATUS_CLOSED; @@ -561,7 +567,9 @@ bool AuthSocket::_HandleLogonProof() if (_expversion == NO_VALID_EXP_FLAG) { // Check if we have the appropriate patch on the disk +#if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) LOG_DEBUG("network", "Client with invalid version, patching is not implemented"); +#endif socket().shutdown(); return true; } @@ -569,7 +577,9 @@ bool AuthSocket::_HandleLogonProof() if (std::optional K = _srp6->VerifyChallengeResponse(lp.A, lp.clientM)) { _sessionKey = *K; - LOG_DEBUG("network", "'%s:%d' User '%s' successfully authenticated", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _accountInfo.Login.c_str()); +#if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) + LOG_DEBUG("network", "'%s:%d' User '%s' successfully authenticated", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str()); +#endif // Update the sessionkey, last_ip, last login time and reset number of failed logins in the account table for this account // No SQL injection (escaped user name) and IP address as received by socket @@ -578,7 +588,7 @@ bool AuthSocket::_HandleLogonProof() stmt->setString(1, socket().getRemoteAddress().c_str()); stmt->setUInt32(2, GetLocaleByName(_localizationName)); stmt->setString(3, _os); - stmt->setString(4, _accountInfo.Login); + stmt->setString(4, _login); LoginDatabase.DirectExecute(stmt); // Finish SRP6 and send the final result to the client @@ -604,13 +614,6 @@ bool AuthSocket::_HandleLogonProof() else if (!sentToken && !_totpSecret) tokenSuccess = true; - if (!tokenSuccess) - { - LOG_DEBUG("server.authsrver", "[AuthChallenge] account %s failed token", _accountInfo.Login.c_str()); - char data[4] = { AUTH_LOGON_PROOF, WOW_FAIL_UNKNOWN_ACCOUNT, 3, 0 }; - socket().send(data, sizeof(data)); - } - if (_expversion & POST_BC_EXP_FLAG) // 2.x and 3.x clients { sAuthLogonProof_S proof; @@ -632,6 +635,12 @@ bool AuthSocket::_HandleLogonProof() socket().send((char*)&proof, sizeof(proof)); } + if (!tokenSuccess) + { + char data[4] = { AUTH_LOGON_PROOF, WOW_FAIL_UNKNOWN_ACCOUNT, 3, 0 }; + socket().send(data, sizeof(data)); + } + ///- Set _status to authed! _status = STATUS_AUTHED; } @@ -641,7 +650,7 @@ bool AuthSocket::_HandleLogonProof() socket().send(data, sizeof(data)); #if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) - LOG_DEBUG("network", "'%s:%d' [AuthChallenge] account %s tried to login with invalid password!", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _accountInfo.Login.c_str()); + LOG_DEBUG("network", "'%s:%d' [AuthChallenge] account %s tried to login with invalid password!", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str()); #endif uint32 MaxWrongPassCount = sConfigMgr->GetOption("WrongPass.MaxCount", 0); @@ -650,7 +659,7 @@ bool AuthSocket::_HandleLogonProof() if (sConfigMgr->GetOption("WrongPass.Logging", false)) { PreparedStatement* logstmt = LoginDatabase.GetPreparedStatement(LOGIN_INS_FALP_IP_LOGGING); - logstmt->setString(0, _accountInfo.Login); + logstmt->setString(0, _login); logstmt->setString(1, socket().getRemoteAddress()); logstmt->setString(2, "Logged on failed AccountLogin due wrong password"); @@ -661,11 +670,11 @@ bool AuthSocket::_HandleLogonProof() { //Increment number of failed logins by one and if it reaches the limit temporarily ban that account or IP PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_FAILEDLOGINS); - stmt->setString(0, _accountInfo.Login); + stmt->setString(0, _login); LoginDatabase.Execute(stmt); stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_FAILEDLOGINS); - stmt->setString(0, _accountInfo.Login); + stmt->setString(0, _login); if (PreparedQueryResult loginfail = LoginDatabase.Query(stmt)) { @@ -685,7 +694,7 @@ bool AuthSocket::_HandleLogonProof() LoginDatabase.Execute(stmt); #if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) - LOG_DEBUG("network", "'%s:%d' [AuthChallenge] account %s got banned for '%u' seconds because it failed to authenticate '%u' times", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _accountInfo.Login.c_str(), WrongPassBanTime, failed_logins); + LOG_DEBUG("network", "'%s:%d' [AuthChallenge] account %s got banned for '%u' seconds because it failed to authenticate '%u' times", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str(), WrongPassBanTime, failed_logins); #endif } else @@ -697,7 +706,7 @@ bool AuthSocket::_HandleLogonProof() #if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) LOG_DEBUG("network", "'%s:%d' [AuthChallenge] IP %s got banned for '%u' seconds because account %s failed to authenticate '%u' times", - socket().getRemoteAddress().c_str(), socket().getRemotePort(), socket().getRemoteAddress().c_str(), WrongPassBanTime, _accountInfo.Login.c_str(), failed_logins); + socket().getRemoteAddress().c_str(), socket().getRemotePort(), socket().getRemoteAddress().c_str(), WrongPassBanTime, _login.c_str(), failed_logins); #endif } } @@ -748,24 +757,20 @@ bool AuthSocket::_HandleReconnectChallenge() LOG_DEBUG("network", "[ReconnectChallenge] name(%d): '%s'", ch->I_len, ch->I); #endif - std::string login((char const*)ch->I, ch->I_len); - - auto* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_RECONNECTCHALLENGE); - stmt->setString(0, login); + _login = (const char*)ch->I; + PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_SESSIONKEY); + stmt->setString(0, _login); PreparedQueryResult result = LoginDatabase.Query(stmt); // Stop if the account is not found if (!result) { - LOG_ERROR("server", "'%s:%d' [ERROR] user %s tried to login and we cannot find his session key in the database.", socket().getRemoteAddress().c_str(), socket().getRemotePort(), login.c_str()); + LOG_ERROR("server", "'%s:%d' [ERROR] user %s tried to login and we cannot find his session key in the database.", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str()); socket().shutdown(); return false; } - Field* fields = result->Fetch(); - _accountInfo.LoadResult(fields); - // Reinitialize build, expansion and the account securitylevel _build = ch->build; _expversion = uint8(AuthHelper::IsPostBCAcceptedClientBuild(_build) ? POST_BC_EXP_FLAG : (AuthHelper::IsPreBCAcceptedClientBuild(_build) ? PRE_BC_EXP_FLAG : NO_VALID_EXP_FLAG)); @@ -777,7 +782,11 @@ bool AuthSocket::_HandleReconnectChallenge() // Restore string order as its byte order is reversed std::reverse(_os.begin(), _os.end()); - _sessionKey = fields[9].GetBinary(); + Field* fields = result->Fetch(); + uint8 secLevel = fields[2].GetUInt8(); + _accountSecurityLevel = secLevel <= SEC_ADMINISTRATOR ? AccountTypes(secLevel) : SEC_ADMINISTRATOR; + + _sessionKey = fields[0].GetBinary(); acore::Crypto::GetRandomBytes(_reconnectProof); ///- All good, await client's proof @@ -806,14 +815,14 @@ bool AuthSocket::_HandleReconnectProof() _status = STATUS_CLOSED; - if (_accountInfo.Login.empty()) + if (_login.empty()) return false; BigNumber t1; t1.SetBinary(lp.R1, 16); acore::Crypto::SHA1 sha; - sha.UpdateData(_accountInfo.Login); + sha.UpdateData(_login); sha.UpdateData(t1.ToByteArray<16>()); sha.UpdateData(_reconnectProof); sha.UpdateData(_sessionKey); @@ -835,7 +844,7 @@ bool AuthSocket::_HandleReconnectProof() } else { - LOG_ERROR("server", "'%s:%d' [ERROR] user %s tried to login, but session is invalid.", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _accountInfo.Login.c_str()); + LOG_ERROR("server", "'%s:%d' [ERROR] user %s tried to login, but session is invalid.", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str()); socket().shutdown(); return false; } @@ -877,12 +886,11 @@ bool AuthSocket::_HandleRealmList() // Get the user id (else close the connection) // No SQL injection (prepared statement) PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_ACCOUNT_ID_BY_NAME); - stmt->setString(0, _accountInfo.Login); - + stmt->setString(0, _login); PreparedQueryResult result = LoginDatabase.Query(stmt); if (!result) { - LOG_ERROR("server", "'%s:%d' [ERROR] user %s tried to login but we cannot find him in the database.", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _accountInfo.Login.c_str()); + LOG_ERROR("server", "'%s:%d' [ERROR] user %s tried to login but we cannot find him in the database.", socket().getRemoteAddress().c_str(), socket().getRemotePort(), _login.c_str()); socket().shutdown(); return false; } @@ -931,7 +939,7 @@ bool AuthSocket::_HandleRealmList() // We don't need the port number from which client connects with but the realm's port clientAddr.set_port_number(realm.ExternalAddress.get_port_number()); - uint8 lock = (realm.allowedSecurityLevel > _accountInfo.SecurityLevel) ? 1 : 0; + uint8 lock = (realm.allowedSecurityLevel > _accountSecurityLevel) ? 1 : 0; uint8 AmountOfCharacters = 0; stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_NUM_CHARS_ON_REALM); diff --git a/src/server/authserver/Server/AuthSocket.h b/src/server/authserver/Server/AuthSocket.h index 06f835454..26913aac9 100644 --- a/src/server/authserver/Server/AuthSocket.h +++ b/src/server/authserver/Server/AuthSocket.h @@ -14,7 +14,6 @@ #include "SRP6.h" class ACE_INET_Addr; -class Fields; struct Realm; enum eStatus @@ -27,21 +26,6 @@ enum eStatus STATUS_CLOSED }; -struct AccountInfo -{ - void LoadResult(Field* fields); - - uint32 Id = 0; - std::string Login; - bool IsLockedToIP = false; - std::string LockCountry; - std::string LastIP; - uint32 FailedLogins = 0; - bool IsBanned = false; - bool IsPermanenetlyBanned = false; - AccountTypes SecurityLevel = SEC_PLAYER; -}; - // Handle login commands class AuthSocket: public RealmSocket::Session { @@ -81,7 +65,7 @@ private: eStatus _status; - AccountInfo _accountInfo; + std::string _login; Optional> _totpSecret; // Since GetLocaleByName() is _NOT_ bijective, we have to store the locale as a string. Otherwise we can't differ @@ -90,6 +74,7 @@ private: std::string _os; uint16 _build; uint8 _expversion; + AccountTypes _accountSecurityLevel; }; #endif diff --git a/src/server/database/Database/Implementation/LoginDatabase.cpp b/src/server/database/Database/Implementation/LoginDatabase.cpp index 4d9305bbc..f9d43bcf9 100644 --- a/src/server/database/Database/Implementation/LoginDatabase.cpp +++ b/src/server/database/Database/Implementation/LoginDatabase.cpp @@ -11,16 +11,6 @@ void LoginDatabaseConnection::DoPrepareStatements() if (!m_reconnecting) m_stmts.resize(MAX_LOGINDATABASE_STATEMENTS); - PrepareStatement(LOGIN_SEL_LOGONCHALLENGE, "SELECT a.id, a.username, a.locked, a.lock_country, a.last_ip, a.failed_logins, ab.unbandate > UNIX_TIMESTAMP() OR ab.unbandate = ab.bandate, " - "ab.unbandate = ab.bandate, aa.gmlevel, a.totp_secret, a.salt, a.verifier " - "FROM account a LEFT JOIN account_access aa ON a.id = aa.id LEFT JOIN account_banned ab ON ab.id = a.id AND ab.active = 1 WHERE a.username = ?", CONNECTION_SYNCH); - PrepareStatement(LOGIN_SEL_RECONNECTCHALLENGE, "SELECT a.id, UPPER(a.username), a.locked, a.lock_country, a.last_ip, a.failed_logins, ab.unbandate > UNIX_TIMESTAMP() OR ab.unbandate = ab.bandate, " - "ab.unbandate = ab.bandate, aa.gmlevel, a.session_key " - "FROM account a LEFT JOIN account_access aa ON a.id = aa.id LEFT JOIN account_banned ab ON ab.id = a.id AND ab.active = 1 WHERE a.username = ? AND a.session_key IS NOT NULL", CONNECTION_SYNCH); - PrepareStatement(LOGIN_SEL_ACCOUNT_INFO_BY_NAME, "SELECT a.id, a.session_key, a.last_ip, a.locked, a.lock_country, a.expansion, a.mutetime, a.locale, a.recruiter, a.os, a.totaltime, " - "aa.gmlevel, ab.unbandate > UNIX_TIMESTAMP() OR ab.unbandate = ab.bandate, r.id FROM account a LEFT JOIN account_access aa ON a.id = aa.id AND aa.RealmID IN (-1, ?) " - "LEFT JOIN account_banned ab ON a.id = ab.id AND ab.active = 1 LEFT JOIN account r ON a.id = r.recruiter WHERE a.username = ? " - "AND a.session_key IS NOT NULL ORDER BY aa.RealmID DESC LIMIT 1", CONNECTION_SYNCH); PrepareStatement(LOGIN_SEL_REALMLIST, "SELECT id, name, address, localAddress, localSubnetMask, port, icon, flag, timezone, allowedSecurityLevel, population, gamebuild FROM realmlist WHERE flag <> 3 ORDER BY name", CONNECTION_SYNCH); PrepareStatement(LOGIN_DEL_EXPIRED_IP_BANS, "DELETE FROM ip_banned WHERE unbandate<>bandate AND unbandate<=UNIX_TIMESTAMP()", CONNECTION_ASYNC); PrepareStatement(LOGIN_UPD_EXPIRED_ACCOUNT_BANS, "UPDATE account_banned SET active = 0 WHERE active = 1 AND unbandate<>bandate AND unbandate<=UNIX_TIMESTAMP()", CONNECTION_SYNCH); @@ -33,13 +23,16 @@ void LoginDatabaseConnection::DoPrepareStatements() PrepareStatement(LOGIN_SEL_ACCOUNT_BANNED_BY_USERNAME, "SELECT account.id, username FROM account, account_banned WHERE account.id = account_banned.id AND active = 1 AND username LIKE CONCAT('%%', ?, '%%') GROUP BY account.id", CONNECTION_SYNCH); PrepareStatement(LOGIN_INS_ACCOUNT_AUTO_BANNED, "INSERT INTO account_banned VALUES (?, UNIX_TIMESTAMP(), UNIX_TIMESTAMP()+?, 'Trinity realmd', 'Failed login autoban', 1)", CONNECTION_ASYNC); PrepareStatement(LOGIN_DEL_ACCOUNT_BANNED, "DELETE FROM account_banned WHERE id = ?", CONNECTION_ASYNC); + PrepareStatement(LOGIN_SEL_SESSIONKEY, "SELECT a.session_key, a.id, aa.gmlevel FROM account a LEFT JOIN account_access aa ON (a.id = aa.id) WHERE username = ?", CONNECTION_SYNCH); PrepareStatement(LOGIN_UPD_LOGON, "UPDATE account SET salt = ?, verifier = ? WHERE id = ?", CONNECTION_ASYNC); PrepareStatement(LOGIN_UPD_LOGONPROOF, "UPDATE account SET session_key = ?, last_ip = ?, last_login = NOW(), locale = ?, failed_logins = 0, os = ? WHERE username = ?", CONNECTION_SYNCH); + PrepareStatement(LOGIN_SEL_LOGONCHALLENGE, "SELECT a.id, a.locked, a.lock_country, a.last_ip, aa.gmlevel, a.salt, a.verifier, a.totp_secret FROM account a LEFT JOIN account_access aa ON (a.id = aa.id) WHERE a.username = ?", CONNECTION_SYNCH); PrepareStatement(LOGIN_SEL_LOGON_COUNTRY, "SELECT country FROM ip2nation WHERE ip < ? ORDER BY ip DESC LIMIT 0,1", CONNECTION_SYNCH); PrepareStatement(LOGIN_UPD_FAILEDLOGINS, "UPDATE account SET failed_logins = failed_logins + 1 WHERE username = ?", CONNECTION_ASYNC); PrepareStatement(LOGIN_SEL_FAILEDLOGINS, "SELECT id, failed_logins FROM account WHERE username = ?", CONNECTION_SYNCH); PrepareStatement(LOGIN_SEL_ACCOUNT_ID_BY_NAME, "SELECT id FROM account WHERE username = ?", CONNECTION_SYNCH); PrepareStatement(LOGIN_SEL_ACCOUNT_LIST_BY_NAME, "SELECT id, username FROM account WHERE username = ?", CONNECTION_SYNCH); + PrepareStatement(LOGIN_SEL_ACCOUNT_INFO_BY_NAME, "SELECT id, session_key, last_ip, locked, lock_country, expansion, mutetime, locale, recruiter, os, totaltime FROM account WHERE username = ? AND session_key IS NOT NULL", CONNECTION_SYNCH); PrepareStatement(LOGIN_SEL_ACCOUNT_LIST_BY_EMAIL, "SELECT id, username FROM account WHERE email = ?", CONNECTION_SYNCH); PrepareStatement(LOGIN_SEL_NUM_CHARS_ON_REALM, "SELECT numchars FROM realmcharacters WHERE realmid = ? AND acctid= ?", CONNECTION_SYNCH); PrepareStatement(LOGIN_SEL_ACCOUNT_BY_IP, "SELECT id, username FROM account WHERE last_ip = ?", CONNECTION_SYNCH); diff --git a/src/server/database/Database/Implementation/LoginDatabase.h b/src/server/database/Database/Implementation/LoginDatabase.h index 7f88158da..c9409f532 100644 --- a/src/server/database/Database/Implementation/LoginDatabase.h +++ b/src/server/database/Database/Implementation/LoginDatabase.h @@ -41,10 +41,10 @@ enum LoginDatabaseStatements LOGIN_SEL_ACCOUNT_BANNED_BY_USERNAME, LOGIN_INS_ACCOUNT_AUTO_BANNED, LOGIN_DEL_ACCOUNT_BANNED, + LOGIN_SEL_SESSIONKEY, LOGIN_UPD_LOGON, LOGIN_UPD_LOGONPROOF, LOGIN_SEL_LOGONCHALLENGE, - LOGIN_SEL_RECONNECTCHALLENGE, LOGIN_SEL_LOGON_COUNTRY, LOGIN_UPD_FAILEDLOGINS, LOGIN_SEL_FAILEDLOGINS, diff --git a/src/server/game/Server/WorldSocket.cpp b/src/server/game/Server/WorldSocket.cpp index 14dc4aa49..23ffd0c34 100644 --- a/src/server/game/Server/WorldSocket.cpp +++ b/src/server/game/Server/WorldSocket.cpp @@ -90,58 +90,6 @@ struct ClientPktHeader #pragma pack(pop) #endif -struct AccountInfo -{ - uint32 Id; - ::SessionKey SessionKey; - std::string LastIP; - bool IsLockedToIP; - std::string LockCountry; - uint8 Expansion; - int64 MuteTime; - LocaleConstant Locale; - uint32 Recruiter; - std::string OS; - bool IsRectuiter; - AccountTypes Security; - bool IsBanned; - uint32 TotalTime; - - explicit AccountInfo(Field* fields) - { - // 0 1 2 3 4 5 6 7 8 9 10 11 - // SELECT a.id, a.sessionkey, a.last_ip, a.locked, a.lock_country, a.expansion, a.mutetime, a.locale, a.recruiter, a.os, a.totaltime, aa.gmLevel, - // 12 13 - // ab.unbandate > UNIX_TIMESTAMP() OR ab.unbandate = ab.bandate, r.id - // FROM account a - // LEFT JOIN account_access aa ON a.id = aa.AccountID AND aa.RealmID IN (-1, ?) - // LEFT JOIN account_banned ab ON a.id = ab.id - // LEFT JOIN account r ON a.id = r.recruiter - // WHERE a.username = ? ORDER BY aa.RealmID DESC LIMIT 1 - Id = fields[0].GetUInt32(); - SessionKey = fields[1].GetBinary(); - LastIP = fields[2].GetString(); - IsLockedToIP = fields[3].GetBool(); - LockCountry = fields[4].GetString(); - Expansion = fields[5].GetUInt8(); - MuteTime = fields[6].GetInt64(); - Locale = LocaleConstant(fields[7].GetUInt8()); - Recruiter = fields[8].GetUInt32(); - OS = fields[9].GetString(); - TotalTime = fields[10].GetUInt32(); - Security = AccountTypes(fields[11].GetUInt8()); - IsBanned = fields[12].GetUInt64() != 0; - IsRectuiter = fields[13].GetUInt32() != 0; - - uint32 world_expansion = sWorld->getIntConfig(CONFIG_EXPANSION); - if (Expansion > world_expansion) - Expansion = world_expansion; - - if (Locale >= TOTAL_LOCALES) - Locale = LOCALE_enUS; - } -}; - WorldSocket::WorldSocket(void): WorldHandler(), m_LastPingTime(SystemTimePoint::min()), m_OverSpeedPings(0), m_Session(0), m_RecvWPct(0), m_RecvPct(), m_Header(sizeof (ClientPktHeader)), @@ -786,11 +734,18 @@ int WorldSocket::HandleAuthSession(WorldPacket& recvPacket) uint32 loginServerID, loginServerType, regionID, battlegroupID, realm; uint64 DosResponse; uint32 BuiltNumberClient; - std::string accountName; + uint32 id, security; + uint32 TotalTime = 0; + bool skipQueue = false; + //uint8 expansion = 0; + LocaleConstant locale; + std::string account; WorldPacket packet, SendAddonPacked; std::array clientSeed; acore::Crypto::SHA1::Digest digest; + bool wardenActive = sWorld->getBoolConfig(CONFIG_WARDEN_ENABLED); + if (sWorld->IsClosed()) { packet.Initialize(SMSG_AUTH_RESPONSE, 1); @@ -804,7 +759,7 @@ int WorldSocket::HandleAuthSession(WorldPacket& recvPacket) // Read the content of the packet recvPacket >> BuiltNumberClient; // for now no use recvPacket >> loginServerID; - recvPacket >> accountName; + recvPacket >> account; recvPacket >> loginServerType; recvPacket.read(clientSeed); recvPacket >> regionID; @@ -814,15 +769,15 @@ int WorldSocket::HandleAuthSession(WorldPacket& recvPacket) recvPacket.read(digest); #if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) - LOG_DEBUG("server", "WorldSocket::HandleAuthSession: client %u, loginServerID %u, accountName %s, loginServerType %u", - BuiltNumberClient, loginServerID, accountName.c_str(), loginServerType); + LOG_DEBUG("server", "WorldSocket::HandleAuthSession: client %u, loginServerID %u, account %s, loginServerType %u", + BuiltNumberClient, loginServerID, account.c_str(), loginServerType); #endif // Get the account information from the realmd database // 0 1 2 3 4 5 6 7 8 9 10 // SELECT id, sessionkey, last_ip, locked, lock_country, expansion, mutetime, locale, recruiter, os, totaltime FROM account WHERE username = ? - auto* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_ACCOUNT_INFO_BY_NAME); - stmt->setInt32(0, int32(realmID)); - stmt->setString(1, accountName); + PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_ACCOUNT_INFO_BY_NAME); + + stmt->setString(0, account); PreparedQueryResult result = LoginDatabase.Query(stmt); @@ -830,8 +785,8 @@ int WorldSocket::HandleAuthSession(WorldPacket& recvPacket) if (!result) { // We can not log here, as we do not know the account. Thus, no accountId. - packet.Initialize(SMSG_AUTH_RESPONSE, 1); - packet << uint8(AUTH_UNKNOWN_ACCOUNT); + packet.Initialize (SMSG_AUTH_RESPONSE, 1); + packet << uint8 (AUTH_UNKNOWN_ACCOUNT); SendPacket(packet); @@ -839,55 +794,136 @@ int WorldSocket::HandleAuthSession(WorldPacket& recvPacket) return -1; } - AccountInfo account(result->Fetch()); + Field* fields = result->Fetch(); + + uint8 expansion = fields[5].GetUInt8(); + uint32 world_expansion = sWorld->getIntConfig(CONFIG_EXPANSION); + if (expansion > world_expansion) + expansion = world_expansion; // For hook purposes, we get Remoteaddress at this point std::string address = GetRemoteAddress(); // Originally, this variable should be called address, but for some reason, that variable name was already on the core. // As we don't know if attempted login process by ip works, we update last_attempt_ip right away stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_LAST_ATTEMPT_IP); + stmt->setString(0, address); - stmt->setString(1, accountName); + stmt->setString(1, account); LoginDatabase.Execute(stmt); // This also allows to check for possible "hack" attempts on account - // even if auth credentials are bad, try using the session key we have - client cannot read auth response error without it - m_Crypt.Init(account.SessionKey); + // id has to be fetched at this point, so that first actual account response that fails can be logged + id = fields[0].GetUInt32(); - // First reject the connection if packet contains invalid data or realm state doesn't allow logging in - if (sWorld->IsClosed()) + ///- Re-check ip locking (same check as in realmd). + if (fields[3].GetUInt8() == 1) // if ip is locked { - packet.Initialize(SMSG_AUTH_RESPONSE, 1); - packet << uint8(AUTH_REJECT); - SendPacket(packet); + if (strcmp (fields[2].GetCString(), address.c_str())) + { + packet.Initialize (SMSG_AUTH_RESPONSE, 1); + packet << uint8 (AUTH_FAILED); + SendPacket(packet); - LOG_ERROR("server", "WorldSocket::HandleAuthSession: World closed, denying client (%s).", address.c_str()); - sScriptMgr->OnFailedAccountLogin(account.Id); - return -1; + LOG_INFO("server", "WorldSocket::HandleAuthSession: Sent Auth Response (Account IP differs. Original IP: %s, new IP: %s).", fields[2].GetCString(), address.c_str()); + // We could log on hook only instead of an additional db log, however action logger is config based. Better keep DB logging as well + sScriptMgr->OnFailedAccountLogin(id); + return -1; + } } - if (realm != realmID) - { - packet.Initialize(SMSG_AUTH_RESPONSE, 1); - packet << uint8(REALM_LIST_REALM_NOT_FOUND); - SendPacket(packet); + /* + if (security > SEC_ADMINISTRATOR) // prevent invalid security settings in DB + security = SEC_ADMINISTRATOR; + */ - LOG_ERROR("server", "WorldSocket::HandleAuthSession: Client %s requested connecting with realm id %u but this realm has id %u set in config.", - address.c_str(), realm, realmID); - sScriptMgr->OnFailedAccountLogin(account.Id); - return -1; + SessionKey sessionKey = fields[1].GetBinary(); + + int64 mutetime = fields[6].GetInt64(); + //! Negative mutetime indicates amount of seconds to be muted effective on next login - which is now. + if (mutetime < 0) + { + mutetime = time(nullptr) + llabs(mutetime); + + PreparedStatement* stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_MUTE_TIME_LOGIN); + + stmt->setInt64(0, mutetime); + stmt->setUInt32(1, id); + + LoginDatabase.Execute(stmt); } + locale = LocaleConstant (fields[7].GetUInt8()); + if (locale >= TOTAL_LOCALES) + locale = LOCALE_enUS; + + uint32 recruiter = fields[8].GetUInt32(); + std::string os = fields[9].GetString(); + TotalTime = fields[10].GetUInt32(); + // Must be done before WorldSession is created - bool wardenActive = sWorld->getBoolConfig(CONFIG_WARDEN_ENABLED); - if (wardenActive && account.OS != "Win" && account.OS != "OSX") + if (wardenActive && os != "Win" && os != "OSX") { packet.Initialize(SMSG_AUTH_RESPONSE, 1); packet << uint8(AUTH_REJECT); SendPacket(packet); - LOG_ERROR("network", "WorldSocket::HandleAuthSession: Client %s attempted to log in using invalid client OS (%s).", address.c_str(), account.OS.c_str()); - sScriptMgr->OnFailedAccountLogin(account.Id); + + LOG_ERROR("server", "WorldSocket::HandleAuthSession: Client %s attempted to log in using invalid client OS (%s).", address.c_str(), os.c_str()); + return -1; + } + + // Checks gmlevel per Realm + stmt = LoginDatabase.GetPreparedStatement(LOGIN_GET_GMLEVEL_BY_REALMID); + + stmt->setUInt32(0, id); + stmt->setInt32(1, int32(realmID)); + + result = LoginDatabase.Query(stmt); + + if (!result) + security = 0; + else + { + fields = result->Fetch(); + security = fields[0].GetUInt8(); + skipQueue = true; + } + + // Re-check account ban (same check as in realmd) + stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_BANS); + + stmt->setUInt32(0, id); + stmt->setString(1, address); + + PreparedQueryResult banresult = LoginDatabase.Query(stmt); + + if (banresult) // if account banned + { + packet.Initialize (SMSG_AUTH_RESPONSE, 1); + packet << uint8 (AUTH_BANNED); + SendPacket(packet); + + LOG_ERROR("server", "WorldSocket::HandleAuthSession: Sent Auth Response (Account banned)."); + sScriptMgr->OnFailedAccountLogin(id); + return -1; + } + + // Check locked state for server + AccountTypes allowedAccountType = sWorld->GetPlayerSecurityLimit(); +#if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) + LOG_DEBUG("network", "Allowed Level: %u Player Level %u", allowedAccountType, AccountTypes(security)); +#endif + if (AccountTypes(security) < allowedAccountType) + { + WorldPacket Packet (SMSG_AUTH_RESPONSE, 1); + Packet << uint8 (AUTH_UNAVAILABLE); + + SendPacket(packet); + +#if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) + LOG_DEBUG("server", "WorldSocket::HandleAuthSession: User tries to login but his security level is not enough"); +#endif + sScriptMgr->OnFailedAccountLogin(id); return -1; } @@ -895,105 +931,89 @@ int WorldSocket::HandleAuthSession(WorldPacket& recvPacket) uint8 t[4] = { 0x00, 0x00, 0x00, 0x00 }; acore::Crypto::SHA1 sha; - sha.UpdateData(accountName); + sha.UpdateData (account); sha.UpdateData(t); sha.UpdateData(clientSeed); sha.UpdateData(m_Seed); - sha.UpdateData(account.SessionKey); + sha.UpdateData(sessionKey); sha.Finalize(); if (sha.GetDigest() != digest) { - packet.Initialize(SMSG_AUTH_RESPONSE, 1); - packet << uint8(AUTH_FAILED); + packet.Initialize (SMSG_AUTH_RESPONSE, 1); + packet << uint8 (AUTH_FAILED); SendPacket(packet); - LOG_ERROR("server", "WorldSocket::HandleAuthSession: Authentication failed for account: %u ('%s') address: %s", account.Id, accountName.c_str(), address.c_str()); + LOG_ERROR("server", "WorldSocket::HandleAuthSession: Authentication failed for account: %u ('%s') address: %s", id, account.c_str(), address.c_str()); return -1; } - /*if (IpLocationRecord const* location = sIPLocation->GetLocationRecord(address)) - _ipCountry = location->CountryCode;*/ +#if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS) + LOG_DEBUG("server", "WorldSocket::HandleAuthSession: Client '%s' authenticated successfully from %s.", + account.c_str(), + address.c_str()); +#endif + // Check if this user is by any chance a recruiter + stmt = LoginDatabase.GetPreparedStatement(LOGIN_SEL_ACCOUNT_RECRUITER); - ///- Re-check ip locking (same check as in auth). - if (account.IsLockedToIP) - { - if (account.LastIP != address) - { - packet.Initialize(SMSG_AUTH_RESPONSE, 1); - packet << uint8(AUTH_FAILED); - SendPacket(packet); - LOG_DEBUG("network", "WorldSocket::HandleAuthSession: Sent Auth Response (Account IP differs. Original IP: %s, new IP: %s).", account.LastIP.c_str(), address.c_str()); - // We could log on hook only instead of an additional db log, however action logger is config based. Better keep DB logging as well - sScriptMgr->OnFailedAccountLogin(account.Id); - return -1; - } - } - //else if (!account.LockCountry.empty() && account.LockCountry != "00" && !_ipCountry.empty()) - //{ - // if (account.LockCountry != _ipCountry) - // { - // packet.Initialize(SMSG_AUTH_RESPONSE, 1); - // packet << uint8(AUTH_REJECT); - // LOG_DEBUG("network", "WorldSocket::HandleAuthSession: Sent Auth Response (Account country differs. Original country: %s, new country: %s).", account.LockCountry.c_str(), _ipCountry.c_str()); - // // We could log on hook only instead of an additional db log, however action logger is config based. Better keep DB logging as well - // sScriptMgr->OnFailedAccountLogin(account.Id); - // return -1; - // } - //} + stmt->setUInt32(0, id); - if (account.IsBanned) - { - packet.Initialize(SMSG_AUTH_RESPONSE, 1); - packet << uint8(AUTH_BANNED); - SendPacket(packet); - LOG_ERROR("network", "WorldSocket::HandleAuthSession: Sent Auth Response (Account banned)."); - sScriptMgr->OnFailedAccountLogin(account.Id); - return -1; - } + result = LoginDatabase.Query(stmt); - // Check locked state for server - AccountTypes allowedAccountType = sWorld->GetPlayerSecurityLimit(); - LOG_DEBUG("network", "Allowed Level: %u Player Level %u", allowedAccountType, account.Security); - if (allowedAccountType > SEC_PLAYER && account.Security < allowedAccountType) - { - packet.Initialize(SMSG_AUTH_RESPONSE, 1); - packet << uint8(AUTH_UNAVAILABLE); - LOG_DEBUG("network", "WorldSocket::HandleAuthSession: User tries to login but his security level is not enough"); - sScriptMgr->OnFailedAccountLogin(account.Id); - return -1; - } - - LOG_DEBUG("network", "WorldSocket::HandleAuthSession: Client '%s' authenticated successfully from %s.", accountName.c_str(), address.c_str()); + bool isRecruiter = false; + if (result) + isRecruiter = true; // Update the last_ip in the database as it was successful for login stmt = LoginDatabase.GetPreparedStatement(LOGIN_UPD_LAST_IP); + stmt->setString(0, address); - stmt->setString(1, accountName); + stmt->setString(1, account); + LoginDatabase.Execute(stmt); - sScriptMgr->OnLastIpUpdate(account.Id, address); - - bool skipQueue = false; - - if (account.Security > SEC_PLAYER) - skipQueue = true; + sScriptMgr->OnLastIpUpdate(id, address); // NOTE ATM the socket is single-threaded, have this in mind ... - ACE_NEW_RETURN(m_Session, - WorldSession(account.Id, this, AccountTypes(account.Security), account.Expansion, account.MuteTime, account.Locale, account.Recruiter, account.IsRectuiter, skipQueue, account.TotalTime), -1); + ACE_NEW_RETURN(m_Session, WorldSession(id, this, AccountTypes(security), expansion, mutetime, locale, recruiter, isRecruiter, skipQueue, TotalTime), -1); + + m_Crypt.Init(sessionKey); + + // First reject the connection if packet contains invalid data or realm state doesn't allow logging in + if (sWorld->IsClosed()) + { + packet.Initialize (SMSG_AUTH_RESPONSE, 1); + packet << uint8 (AUTH_REJECT); + SendPacket(packet); + + LOG_ERROR("server", "WorldSocket::HandleAuthSession: World closed, denying client (%s).", address.c_str()); + sScriptMgr->OnFailedAccountLogin(id); + return -1; + } + + if (realm != realmID) + { + packet.Initialize (SMSG_AUTH_RESPONSE, 1); + packet << uint8 (REALM_LIST_REALM_NOT_FOUND); + SendPacket(packet); + + LOG_ERROR("server", "WorldSocket::HandleAuthSession: Client %s requested connecting with realm id %u but this realm has id %u set in config.", + address.c_str(), realm, realmID); + sScriptMgr->OnFailedAccountLogin(id); + return -1; + } m_Session->LoadGlobalAccountData(); m_Session->LoadTutorialsData(); m_Session->ReadAddonsInfo(recvPacket); // At this point, we can safely hook a successful login - sScriptMgr->OnAccountLogin(account.Id); + sScriptMgr->OnAccountLogin(id); // Initialize Warden system only if it is enabled by config if (wardenActive) - m_Session->InitWarden(account.SessionKey, account.OS); + m_Session->InitWarden(sessionKey, os); // Sleep this Network thread for uint32 sleepTime = sWorld->getIntConfig(CONFIG_SESSION_ADD_DELAY);