servnest/fn/auth.php

<?php

const USERNAME_REGEX = '^[\p{L}\p{N}_-]{1,64}$';
const PASSWORD_REGEX = '^(?=.*[\p{Ll}])(?=.*[\p{Lu}])(?=.*[\p{N}]).{8,1024}|.{10,1024}$';

const PLACEHOLDER_USERNAME = 'lain';
const PLACEHOLDER_PASSWORD = '••••••••••••••••••••••••';

// Password storage security
const ALGO_PASSWORD = PASSWORD_ARGON2ID;
const OPTIONS_PASSWORD = [
	'memory_cost' => 65536,
	'time_cost' => 4,
	'threads' => 64,
];

function checkPasswordFormat($password) {
	if (preg_match('/' . PASSWORD_REGEX . '/u', $password) !== 1)
		output(403, 'Password malformed.');
}

function checkUsernameFormat($username) {
	if (preg_match('/' . USERNAME_REGEX . '/u', $username) !== 1)
		output(403, 'Username malformed.');
}

function hashPassword($password) {
	return password_hash($password, ALGO_PASSWORD, OPTIONS_PASSWORD);
}

function userExist($username) {
	return isset(query('select', 'users', ['username' => $username], 'username')[0]);
}

function checkPassword($username, $password) {
	return password_verify($password, query('select', 'users', ['username' => $username], 'password')[0]);
}

function outdatedPasswordHash($username) {
	return password_needs_rehash(query('select', 'users', ['username' => $username], 'password')[0], ALGO_PASSWORD, OPTIONS_PASSWORD);
}

function changePassword($username, $password) {
	$db = new PDO('sqlite:' . DB_PATH);

	$stmt = $db->prepare('UPDATE users SET password = :password WHERE username = :username');

	$stmt->bindValue(':username', $username);
	$stmt->bindValue(':password', hashPassword($password));

	$stmt->execute();
}

function rateLimit() {
	if (PAGE_METADATA['tokens_account_cost'] ?? 0 > 0)
		rateLimitAccount(PAGE_METADATA['tokens_account_cost']);

	if (PAGE_METADATA['tokens_instance_cost'] ?? 0 > 0)
		rateLimitInstance(PAGE_METADATA['tokens_instance_cost']);
}

function rateLimitAccount($requestedTokens) {
	// Get
	$userData = query('select', 'users', ['username' => $_SESSION['username']]);
	$tokens = $userData[0]['bucket_tokens'];
	$bucketLastUpdate = $userData[0]['bucket_last_update'];

	// Compute
	$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));

	if ($requestedTokens > $tokens)
		output(453, 'Limite d\'actions par compte atteinte. Réessayez plus tard.');

	$tokens -= $requestedTokens;

	// Update
	$db = new PDO('sqlite:' . DB_PATH);
	$stmt = $db->prepare('UPDATE users SET bucket_tokens = :bucket_tokens, bucket_last_update = :bucket_last_update WHERE username = :username');
	$stmt->bindValue(':username', $_SESSION['username']);
	$stmt->bindValue(':bucket_tokens', $tokens);
	$stmt->bindValue(':bucket_last_update', time());
	$stmt->execute();
}

function rateLimitInstance($requestedTokens) {
	// Get
	$tokens = query('select', 'params', ['name' => 'instance_bucket_tokens'], 'value')[0];
	$bucketLastUpdate = query('select', 'params', ['name' => 'instance_bucket_last_update'], 'value')[0];

	// Compute
	$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));

	if ($requestedTokens > $tokens)
		output(453, 'Limite d\'actions globale atteinte. Réessayez plus tard.');

	$tokens -= $requestedTokens;

	// Update
	$db = new PDO('sqlite:' . DB_PATH);
	$stmt = $db->prepare("UPDATE params SET value = :bucket_tokens WHERE name = 'instance_bucket_tokens';");
	$stmt->bindValue(':bucket_tokens', $tokens);
	$stmt->execute();

	$stmt = $db->prepare("UPDATE params SET value = :bucket_last_update WHERE name = 'instance_bucket_last_update';");
	$stmt->bindValue(':bucket_last_update', time());
	$stmt->execute();
}
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 02:51:21 +02:00			`<?php`

Minor changes 2022-10-09 23:36:35 +02:00			`const USERNAME_REGEX = '^[\p{L}\p{N}_-]{1,64}$';`
			`const PASSWORD_REGEX = '^(?=.[\p{Ll}])(?=.[\p{Lu}])(?=.*[\p{N}]).{8,1024}\|.{10,1024}$';`
Better segmentation between services 2022-04-23 01:57:43 +02:00
Minor changes 2022-10-09 23:36:35 +02:00			`const PLACEHOLDER_USERNAME = 'lain';`
			`const PLACEHOLDER_PASSWORD = '••••••••••••••••••••••••';`
Update auth forms 2022-06-10 21:14:47 +02:00
Better segmentation between services 2022-04-23 01:57:43 +02:00			`// Password storage security`
Minor changes 2022-10-09 23:36:35 +02:00			`const ALGO_PASSWORD = PASSWORD_ARGON2ID;`
			`const OPTIONS_PASSWORD = [`
Use single quotes instead of double quotes 2022-11-20 15:11:54 +01:00			`'memory_cost' => 65536,`
			`'time_cost' => 4,`
			`'threads' => 64,`
Minor changes 2022-10-09 23:36:35 +02:00			`];`
Better segmentation between services 2022-04-23 01:57:43 +02:00
			`function checkPasswordFormat($password) {`
Use single quotes instead of double quotes 2022-11-20 15:11:54 +01:00			`if (preg_match('/' . PASSWORD_REGEX . '/u', $password) !== 1)`
fn success/userError/serverError > output($code) 2022-09-15 19:17:48 +02:00			`output(403, 'Password malformed.');`
Better segmentation between services 2022-04-23 01:57:43 +02:00			`}`

			`function checkUsernameFormat($username) {`
Use single quotes instead of double quotes 2022-11-20 15:11:54 +01:00			`if (preg_match('/' . USERNAME_REGEX . '/u', $username) !== 1)`
fn success/userError/serverError > output($code) 2022-09-15 19:17:48 +02:00			`output(403, 'Username malformed.');`
Better segmentation between services 2022-04-23 01:57:43 +02:00			`}`

Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 02:51:21 +02:00			`function hashPassword($password) {`
2 spaces > tab 2022-04-18 16:05:00 +02:00			`return password_hash($password, ALGO_PASSWORD, OPTIONS_PASSWORD);`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 02:51:21 +02:00			`}`

Better segmentation between services 2022-04-23 01:57:43 +02:00			`function userExist($username) {`
Add form to delete account Move service-specific deletion code to functions 2022-06-18 04:22:05 +02:00			`return isset(query('select', 'users', ['username' => $username], 'username')[0]);`
Better segmentation between services 2022-04-23 01:57:43 +02:00			`}`

Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 02:51:21 +02:00			`function checkPassword($username, $password) {`
Use the query() function more 2022-06-12 01:31:16 +02:00			`return password_verify($password, query('select', 'users', ['username' => $username], 'password')[0]);`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 02:51:21 +02:00			`}`

			`function outdatedPasswordHash($username) {`
Use the query() function more 2022-06-12 01:31:16 +02:00			`return password_needs_rehash(query('select', 'users', ['username' => $username], 'password')[0], ALGO_PASSWORD, OPTIONS_PASSWORD);`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 02:51:21 +02:00			`}`

			`function changePassword($username, $password) {`
2 spaces > tab 2022-04-18 16:05:00 +02:00			`$db = new PDO('sqlite:' . DB_PATH);`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 02:51:21 +02:00
Use single quotes instead of double quotes 2022-11-20 15:11:54 +01:00			`$stmt = $db->prepare('UPDATE users SET password = :password WHERE username = :username');`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 02:51:21 +02:00
del-http-onion.php + query() 2022-06-11 23:42:48 +02:00			`$stmt->bindValue(':username', $username);`
Use the query() function more 2022-06-12 01:31:16 +02:00			`$stmt->bindValue(':password', hashPassword($password));`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 02:51:21 +02:00
2 spaces > tab 2022-04-18 16:05:00 +02:00			`$stmt->execute();`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 02:51:21 +02:00			`}`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00
			`function rateLimit() {`
			`if (PAGE_METADATA['tokens_account_cost'] ?? 0 > 0)`
			`rateLimitAccount(PAGE_METADATA['tokens_account_cost']);`

			`if (PAGE_METADATA['tokens_instance_cost'] ?? 0 > 0)`
			`rateLimitInstance(PAGE_METADATA['tokens_instance_cost']);`
			`}`

			`function rateLimitAccount($requestedTokens) {`
			`// Get`
			`$userData = query('select', 'users', ['username' => $_SESSION['username']]);`
			`$tokens = $userData[0]['bucket_tokens'];`
			`$bucketLastUpdate = $userData[0]['bucket_last_update'];`

			`// Compute`
			`$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));`

			`if ($requestedTokens > $tokens)`
			`output(453, 'Limite d\'actions par compte atteinte. Réessayez plus tard.');`

			`$tokens -= $requestedTokens;`

			`// Update`
			`$db = new PDO('sqlite:' . DB_PATH);`
Use single quotes instead of double quotes 2022-11-20 15:11:54 +01:00			`$stmt = $db->prepare('UPDATE users SET bucket_tokens = :bucket_tokens, bucket_last_update = :bucket_last_update WHERE username = :username');`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00			`$stmt->bindValue(':username', $_SESSION['username']);`
			`$stmt->bindValue(':bucket_tokens', $tokens);`
			`$stmt->bindValue(':bucket_last_update', time());`
			`$stmt->execute();`
			`}`

			`function rateLimitInstance($requestedTokens) {`
			`// Get`
			`$tokens = query('select', 'params', ['name' => 'instance_bucket_tokens'], 'value')[0];`
			`$bucketLastUpdate = query('select', 'params', ['name' => 'instance_bucket_last_update'], 'value')[0];`

			`// Compute`
			`$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));`

			`if ($requestedTokens > $tokens)`
			`output(453, 'Limite d\'actions globale atteinte. Réessayez plus tard.');`

			`$tokens -= $requestedTokens;`

			`// Update`
			`$db = new PDO('sqlite:' . DB_PATH);`
			`$stmt = $db->prepare("UPDATE params SET value = :bucket_tokens WHERE name = 'instance_bucket_tokens';");`
			`$stmt->bindValue(':bucket_tokens', $tokens);`
			`$stmt->execute();`

			`$stmt = $db->prepare("UPDATE params SET value = :bucket_last_update WHERE name = 'instance_bucket_last_update';");`
			`$stmt->bindValue(':bucket_last_update', time());`
			`$stmt->execute();`
			`}`