servnest/fn/auth.php

<?php declare(strict_types=1);

const USERNAME_REGEX = '^.{1,1024}$';
const PASSWORD_REGEX = '^(?=.*[\p{Ll}])(?=.*[\p{Lu}])(?=.*[\p{N}]).{8,1024}|.{10,1024}$';

const PLACEHOLDER_USERNAME = 'lain';
const PLACEHOLDER_PASSWORD = '••••••••••••••••••••••••';

// Password storage security
const ALGO_PASSWORD = PASSWORD_ARGON2ID;
const OPTIONS_PASSWORD = [
	'memory_cost' => 65536,
	'time_cost' => 4,
	'threads' => 64,
];

function checkUsernameFormat(string $username): void {
	if (preg_match('/' . USERNAME_REGEX . '/Du', $username) !== 1)
		output(403, 'Username malformed.');
}

function checkPasswordFormat(string $password): void {
	if (preg_match('/' . PASSWORD_REGEX . '/Du', $password) !== 1)
		output(403, 'Password malformed.');
}

function hashUsername(string $username): string {
	return base64_encode(sodium_crypto_pwhash(32, $username, hex2bin(query('select', 'params', ['name' => 'username_salt'], ['value'])[0]), 2**10, 2**14, SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13));
}

function hashPassword(string $password): string {
	return password_hash($password, ALGO_PASSWORD, OPTIONS_PASSWORD);
}

function usernameExists(string $username): bool {
	return isset(query('select', 'users', ['username' => $username], ['id'])[0]);
}

function checkPassword(string $id, string $password): bool {
	return password_verify($password, query('select', 'users', ['id' => $id], ['password'])[0]);
}

function outdatedPasswordHash(string $id): bool {
	return password_needs_rehash(query('select', 'users', ['id' => $id], ['password'])[0], ALGO_PASSWORD, OPTIONS_PASSWORD);
}

function changePassword(string $id, string $password): void {
	DB->prepare('UPDATE users SET password = :password WHERE id = :id')
		->execute([':password' => hashPassword($password), ':id' => $id]);
}

function stopSession(): void {
	if (session_status() === PHP_SESSION_ACTIVE)
		session_destroy();
}

function logout(): never {
	stopSession();

	header('Clear-Site-Data: "*"');

	redir();
}

function setupDisplayUsername(string $display_username): void {
	$nonce = random_bytes(24);
	$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
	$cyphertext = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
		htmlspecialchars($display_username),
		'',
		$nonce,
		$key
	);

	$_SESSION['display-username-nonce'] = $nonce;
	setcookie(
		'display-username-decryption-key',
		base64_encode($key),
		[
			'expires' => time() + 432000,
			'path' => CONF['common']['prefix'] . '/',
			'secure' => true,
			'httponly' => true,
			'samesite' => 'Strict'
		]
	);
	$_SESSION['display-username-cyphertext'] = $cyphertext;
}

function authDeleteUser(string $user_id): void {
	$user_services = explode(',', query('select', 'users', ['id' => $user_id], ['services'])[0]);

	foreach (SERVICES_USER as $service)
		if (in_array($service, $user_services, true) AND CONF['common']['services'][$service] !== 'enabled')
			output(503, sprintf(_('Your account can\'t be deleted because the %s service is currently unavailable.'), '<em>' . PAGES[$service]['index']['title'] . '</em>'));

	if (in_array('reg', $user_services, true))
		foreach (query('select', 'registry', ['username' => $user_id], ['domain']) as $domain)
			regDeleteDomain($domain, $user_id);

	if (in_array('ns', $user_services, true))
		foreach (query('select', 'zones', ['username' => $user_id], ['zone']) as $zone)
			nsDeleteZone($zone, $user_id);

	if (in_array('ht', $user_services, true)) {
		foreach (query('select', 'sites', ['username' => $user_id]) as $site)
			htDeleteSite($site['address'], $site['type'], $user_id);

		exescape([
			CONF['ht']['sudo_path'],
			'-u',
			CONF['ht']['tor_user'],
		    '--',
			CONF['ht']['rm_path'],
			'-r',
			'--',
			CONF['ht']['tor_keys_path'] . '/' . $user_id,
		], result_code: $code);
		if ($code !== 0)
			output(500, 'Can\'t remove Tor keys directory.');

		removeDirectory(CONF['ht']['tor_config_path'] . '/' . $user_id);

		exescape([
			CONF['ht']['sudo_path'],
			'-u',
			CONF['ht']['sftpgo_user'],
			'--',
			CONF['ht']['rm_path'],
			'-r',
			'--',
			CONF['ht']['ht_path'] . '/fs/' . $user_id
		], result_code: $code);
		if ($code !== 0)
			output(500, 'Can\'t remove user\'s directory.');

		query('delete', 'ssh-keys', ['username' => $user_id]);
	}

	query('delete', 'users', ['id' => $user_id]);
}

function rateLimit(): void {
	if ((PAGE_METADATA['tokens_account_cost'] ?? 0) > 0)
		rateLimitAccount(PAGE_METADATA['tokens_account_cost']);

	if ((PAGE_METADATA['tokens_instance_cost'] ?? 0) > 0)
		rateLimitInstance(PAGE_METADATA['tokens_instance_cost']);
}

const MAX_ACCOUNT_TOKENS = 86400;
function rateLimitAccount(int $requestedTokens): int {
	// Get
	$userData = query('select', 'users', ['id' => $_SESSION['id']]);
	$tokens = $userData[0]['bucket_tokens'];
	$bucketLastUpdate = $userData[0]['bucket_last_update'];

	// Compute
	$tokens = min(MAX_ACCOUNT_TOKENS, $tokens + (time() - $bucketLastUpdate));

	if ($requestedTokens > 0) {
		if ($requestedTokens > $tokens)
			output(453, _('Account rate limit reached, try again later.'));

		$tokens -= $requestedTokens;

		// Update
		DB->prepare('UPDATE users SET bucket_tokens = :bucket_tokens, bucket_last_update = :bucket_last_update WHERE id = :id')
		->execute([
			':bucket_tokens' => $tokens,
			':bucket_last_update' => time(),
			':id' => $_SESSION['id']
		]);
	}

	return $tokens;
}

function rateLimitInstance(int $requestedTokens): void {
	// Get
	$tokens = query('select', 'params', ['name' => 'instance_bucket_tokens'], ['value'])[0];
	$bucketLastUpdate = query('select', 'params', ['name' => 'instance_bucket_last_update'], ['value'])[0];

	// Compute
	$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));

	if ($requestedTokens > $tokens)
		output(453, _('Global rate limit reached, try again later.'));

	$tokens -= $requestedTokens;

	// Update
	DB->prepare("UPDATE params SET value = :bucket_tokens WHERE name = 'instance_bucket_tokens';")
	->execute([':bucket_tokens' => $tokens]);

	DB->prepare("UPDATE params SET value = :bucket_last_update WHERE name = 'instance_bucket_last_update';")
	->execute([':bucket_last_update' => time()]);
}
declare(strict_types=1); 2023-07-17 21:15:18 +02:00			`<?php declare(strict_types=1);`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 02:51:21 +02:00
Use a hash as internal username 2022-11-26 21:45:48 +01:00			`const USERNAME_REGEX = '^.{1,1024}$';`
Minor changes 2022-10-09 23:36:35 +02:00			`const PASSWORD_REGEX = '^(?=.[\p{Ll}])(?=.[\p{Lu}])(?=.*[\p{N}]).{8,1024}\|.{10,1024}$';`
Better segmentation between services 2022-04-23 01:57:43 +02:00
Minor changes 2022-10-09 23:36:35 +02:00			`const PLACEHOLDER_USERNAME = 'lain';`
			`const PLACEHOLDER_PASSWORD = '••••••••••••••••••••••••';`
Update auth forms 2022-06-10 21:14:47 +02:00
Better segmentation between services 2022-04-23 01:57:43 +02:00			`// Password storage security`
Minor changes 2022-10-09 23:36:35 +02:00			`const ALGO_PASSWORD = PASSWORD_ARGON2ID;`
			`const OPTIONS_PASSWORD = [`
Use single quotes instead of double quotes 2022-11-20 15:11:54 +01:00			`'memory_cost' => 65536,`
			`'time_cost' => 4,`
			`'threads' => 64,`
Minor changes 2022-10-09 23:36:35 +02:00			`];`
Better segmentation between services 2022-04-23 01:57:43 +02:00
Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function checkUsernameFormat(string $username): void {`
Internal ID, Argon2 for usernames, username changes 2022-11-30 23:12:42 +01:00			`if (preg_match('/' . USERNAME_REGEX . '/Du', $username) !== 1)`
			`output(403, 'Username malformed.');`
			`}`

Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function checkPasswordFormat(string $password): void {`
Fix regDeleteDomain security flaw + D regex modifier regDeleteDomain() in fn/reg.php used too loose pattern matching for data deletion, that also deleted other domains that included the deleted domain 2022-11-20 18:17:03 +01:00			`if (preg_match('/' . PASSWORD_REGEX . '/Du', $password) !== 1)`
fn success/userError/serverError > output($code) 2022-09-15 19:17:48 +02:00			`output(403, 'Password malformed.');`
Better segmentation between services 2022-04-23 01:57:43 +02:00			`}`

Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function hashUsername(string $username): string {`
ns/sync.php: instant sync when adding new sync 2023-10-08 00:50:48 +02:00			`return base64_encode(sodium_crypto_pwhash(32, $username, hex2bin(query('select', 'params', ['name' => 'username_salt'], ['value'])[0]), 210, 214, SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13));`
Better segmentation between services 2022-04-23 01:57:43 +02:00			`}`

Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function hashPassword(string $password): string {`
2 spaces > tab 2022-04-18 16:05:00 +02:00			`return password_hash($password, ALGO_PASSWORD, OPTIONS_PASSWORD);`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 02:51:21 +02:00			`}`

Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function usernameExists(string $username): bool {`
ns/sync.php: instant sync when adding new sync 2023-10-08 00:50:48 +02:00			`return isset(query('select', 'users', ['username' => $username], ['id'])[0]);`
Better segmentation between services 2022-04-23 01:57:43 +02:00			`}`

Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function checkPassword(string $id, string $password): bool {`
ns/sync.php: instant sync when adding new sync 2023-10-08 00:50:48 +02:00			`return password_verify($password, query('select', 'users', ['id' => $id], ['password'])[0]);`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 02:51:21 +02:00			`}`

Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function outdatedPasswordHash(string $id): bool {`
ns/sync.php: instant sync when adding new sync 2023-10-08 00:50:48 +02:00			`return password_needs_rehash(query('select', 'users', ['id' => $id], ['password'])[0], ALGO_PASSWORD, OPTIONS_PASSWORD);`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 02:51:21 +02:00			`}`

Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function changePassword(string $id, string $password): void {`
Simplify PDO use 2022-12-13 17:38:54 +01:00			`DB->prepare('UPDATE users SET password = :password WHERE id = :id')`
			`->execute([':password' => hashPassword($password), ':id' => $id]);`
Use Argon2id instead of Bcrypt for password storage (and other things about passwords) 2021-08-05 02:51:21 +02:00			`}`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00
Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function stopSession(): void {`
Check that account still exists when doing something 2022-11-30 23:38:02 +01:00			`if (session_status() === PHP_SESSION_ACTIVE)`
			`session_destroy();`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 21:17:03 +01:00			`}`

Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function logout(): never {`
Split pages/ between pg-act/ and pg-view/ 2022-12-20 21:17:03 +01:00			`stopSession();`
Check that account still exists when doing something 2022-11-30 23:38:02 +01:00
			`header('Clear-Site-Data: "*"');`

			`redir();`
			`}`

Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function setupDisplayUsername(string $display_username): void {`
OpenSSL > libsodium, authenticate username, PHP 8.2+ 2023-01-18 16:00:17 +01:00			`$nonce = random_bytes(24);`
			`$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();`
			`$cyphertext = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(`
Encrypt display username, with key in cookie 2023-01-07 23:11:44 +01:00			`htmlspecialchars($display_username),`
Fix deprecation notices 2023-02-07 22:25:16 +01:00			`'',`
OpenSSL > libsodium, authenticate username, PHP 8.2+ 2023-01-18 16:00:17 +01:00			`$nonce,`
			`$key`
Encrypt display username, with key in cookie 2023-01-07 23:11:44 +01:00			`);`

OpenSSL > libsodium, authenticate username, PHP 8.2+ 2023-01-18 16:00:17 +01:00			`$_SESSION['display-username-nonce'] = $nonce;`
Encrypt display username, with key in cookie 2023-01-07 23:11:44 +01:00			`setcookie(`
			`'display-username-decryption-key',`
			`base64_encode($key),`
			`[`
			`'expires' => time() + 432000,`
Describe config.ini in DOCS/configuration.md 2023-01-26 16:22:03 +01:00			`'path' => CONF['common']['prefix'] . '/',`
Encrypt display username, with key in cookie 2023-01-07 23:11:44 +01:00			`'secure' => true,`
			`'httponly' => true,`
			`'samesite' => 'Strict'`
			`]`
			`);`
			`$_SESSION['display-username-cyphertext'] = $cyphertext;`
			`}`

Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function authDeleteUser(string $user_id): void {`
ns/sync.php: instant sync when adding new sync 2023-10-08 00:50:48 +02:00			`$user_services = explode(',', query('select', 'users', ['id' => $user_id], ['services'])[0]);`
init.php + jobs + job to delete old testing accounts 2023-06-08 17:36:44 +02:00
			`foreach (SERVICES_USER as $service)`
			`if (in_array($service, $user_services, true) AND CONF['common']['services'][$service] !== 'enabled')`
			`output(503, sprintf(_('Your account can\'t be deleted because the %s service is currently unavailable.'), '<em>' . PAGES[$service]['index']['title'] . '</em>'));`

			`if (in_array('reg', $user_services, true))`
ns/sync.php: instant sync when adding new sync 2023-10-08 00:50:48 +02:00			`foreach (query('select', 'registry', ['username' => $user_id], ['domain']) as $domain)`
init.php + jobs + job to delete old testing accounts 2023-06-08 17:36:44 +02:00			`regDeleteDomain($domain, $user_id);`

ns/sync: translations and bugfixes 2023-06-26 04:13:52 +02:00			`if (in_array('ns', $user_services, true))`
ns/sync.php: instant sync when adding new sync 2023-10-08 00:50:48 +02:00			`foreach (query('select', 'zones', ['username' => $user_id], ['zone']) as $zone)`
init.php + jobs + job to delete old testing accounts 2023-06-08 17:36:44 +02:00			`nsDeleteZone($zone, $user_id);`

			`if (in_array('ht', $user_services, true)) {`
			`foreach (query('select', 'sites', ['username' => $user_id]) as $site)`
			`htDeleteSite($site['address'], $site['type'], $user_id);`

Fix important vulnerability in reg/ds.php + exescape In page reg/ds.php, POST parameter 'key' was directly sent to shell, allowing for remote arbitrary commands execution. This commit fixes this vulnerability, and uses a new function to automatically escape every shell command arguments as an additional generic protection. 2023-06-19 02:15:43 +02:00			`exescape([`
			`CONF['ht']['sudo_path'],`
			`'-u',`
			`CONF['ht']['tor_user'],`
			`'--',`
			`CONF['ht']['rm_path'],`
			`'-r',`
			`'--',`
			`CONF['ht']['tor_keys_path'] . '/' . $user_id,`
			`], result_code: $code);`
init.php + jobs + job to delete old testing accounts 2023-06-08 17:36:44 +02:00			`if ($code !== 0)`
			`output(500, 'Can\'t remove Tor keys directory.');`

			`removeDirectory(CONF['ht']['tor_config_path'] . '/' . $user_id);`

Fix important vulnerability in reg/ds.php + exescape In page reg/ds.php, POST parameter 'key' was directly sent to shell, allowing for remote arbitrary commands execution. This commit fixes this vulnerability, and uses a new function to automatically escape every shell command arguments as an additional generic protection. 2023-06-19 02:15:43 +02:00			`exescape([`
			`CONF['ht']['sudo_path'],`
			`'-u',`
			`CONF['ht']['sftpgo_user'],`
			`'--',`
			`CONF['ht']['rm_path'],`
			`'-r',`
			`'--',`
			`CONF['ht']['ht_path'] . '/fs/' . $user_id`
			`], result_code: $code);`
init.php + jobs + job to delete old testing accounts 2023-06-08 17:36:44 +02:00			`if ($code !== 0)`
			`output(500, 'Can\'t remove user\'s directory.');`
Clear entries in ssh-keys when deleting account 2023-06-21 22:08:57 +02:00
			`query('delete', 'ssh-keys', ['username' => $user_id]);`
init.php + jobs + job to delete old testing accounts 2023-06-08 17:36:44 +02:00			`}`

			`query('delete', 'users', ['id' => $user_id]);`
			`}`

Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function rateLimit(): void {`
check.php: use null coalescing operator ("??") more 2023-08-14 18:20:47 +02:00			`if ((PAGE_METADATA['tokens_account_cost'] ?? 0) > 0)`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00			`rateLimitAccount(PAGE_METADATA['tokens_account_cost']);`

check.php: use null coalescing operator ("??") more 2023-08-14 18:20:47 +02:00			`if ((PAGE_METADATA['tokens_instance_cost'] ?? 0) > 0)`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00			`rateLimitInstance(PAGE_METADATA['tokens_instance_cost']);`
			`}`

Split accounts capabilities; Info about rate limit 2023-05-02 19:30:53 +02:00			`const MAX_ACCOUNT_TOKENS = 86400;`
Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function rateLimitAccount(int $requestedTokens): int {`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00			`// Get`
Internal ID, Argon2 for usernames, username changes 2022-11-30 23:12:42 +01:00			`$userData = query('select', 'users', ['id' => $_SESSION['id']]);`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00			`$tokens = $userData[0]['bucket_tokens'];`
			`$bucketLastUpdate = $userData[0]['bucket_last_update'];`

			`// Compute`
Split accounts capabilities; Info about rate limit 2023-05-02 19:30:53 +02:00			`$tokens = min(MAX_ACCOUNT_TOKENS, $tokens + (time() - $bucketLastUpdate));`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00
Split accounts capabilities; Info about rate limit 2023-05-02 19:30:53 +02:00			`if ($requestedTokens > 0) {`
			`if ($requestedTokens > $tokens)`
			`output(453, _('Account rate limit reached, try again later.'));`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00
Split accounts capabilities; Info about rate limit 2023-05-02 19:30:53 +02:00			`$tokens -= $requestedTokens;`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00
Split accounts capabilities; Info about rate limit 2023-05-02 19:30:53 +02:00			`// Update`
			`DB->prepare('UPDATE users SET bucket_tokens = :bucket_tokens, bucket_last_update = :bucket_last_update WHERE id = :id')`
			`->execute([`
			`':bucket_tokens' => $tokens,`
			`':bucket_last_update' => time(),`
			`':id' => $_SESSION['id']`
			`]);`
			`}`

			`return $tokens;`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00			`}`

Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function rateLimitInstance(int $requestedTokens): void {`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00			`// Get`
ns/sync.php: instant sync when adding new sync 2023-10-08 00:50:48 +02:00			`$tokens = query('select', 'params', ['name' => 'instance_bucket_tokens'], ['value'])[0];`
			`$bucketLastUpdate = query('select', 'params', ['name' => 'instance_bucket_last_update'], ['value'])[0];`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00
			`// Compute`
			`$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));`

			`if ($requestedTokens > $tokens)`
OpenSSL > libsodium, authenticate username, PHP 8.2+ 2023-01-18 16:00:17 +01:00			`output(453, _('Global rate limit reached, try again later.'));`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00
			`$tokens -= $requestedTokens;`

			`// Update`
Simplify PDO use 2022-12-13 17:38:54 +01:00			`DB->prepare("UPDATE params SET value = :bucket_tokens WHERE name = 'instance_bucket_tokens';")`
			`->execute([':bucket_tokens' => $tokens]);`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00
Simplify PDO use 2022-12-13 17:38:54 +01:00			`DB->prepare("UPDATE params SET value = :bucket_last_update WHERE name = 'instance_bucket_last_update';")`
			`->execute([':bucket_last_update' => time()]);`
Token bucket rate limiting 2022-09-17 00:49:07 +02:00			`}`