servnest/fn/auth.php

<?php

const USERNAME_REGEX = '^.{1,1024}$';
const PASSWORD_REGEX = '^(?=.*[\p{Ll}])(?=.*[\p{Lu}])(?=.*[\p{N}]).{8,1024}|.{10,1024}$';

const PLACEHOLDER_USERNAME = 'lain';
const PLACEHOLDER_PASSWORD = '••••••••••••••••••••••••';

// Password storage security
const ALGO_PASSWORD = PASSWORD_ARGON2ID;
const OPTIONS_PASSWORD = [
	'memory_cost' => 65536,
	'time_cost' => 4,
	'threads' => 64,
];

function checkUsernameFormat($username) {
	if (preg_match('/' . USERNAME_REGEX . '/Du', $username) !== 1)
		output(403, 'Username malformed.');
}

function checkPasswordFormat($password) {
	if (preg_match('/' . PASSWORD_REGEX . '/Du', $password) !== 1)
		output(403, 'Password malformed.');
}

function hashUsername($username) {
	return base64_encode(sodium_crypto_pwhash(32, $username, hex2bin(query('select', 'params', ['name' => 'username_salt'], 'value')[0]), 2**10, 2**14, SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13));
}

function hashPassword($password) {
	return password_hash($password, ALGO_PASSWORD, OPTIONS_PASSWORD);
}

function usernameExists($username) {
	return isset(query('select', 'users', ['username' => $username], 'id')[0]);
}

function checkPassword($id, $password) {
	return password_verify($password, query('select', 'users', ['id' => $id], 'password')[0]);
}

function outdatedPasswordHash($id) {
	return password_needs_rehash(query('select', 'users', ['id' => $id], 'password')[0], ALGO_PASSWORD, OPTIONS_PASSWORD);
}

function changePassword($id, $password) {
	DB->prepare('UPDATE users SET password = :password WHERE id = :id')
		->execute([':password' => hashPassword($password), ':id' => $id]);
}

function stopSession() {
	if (session_status() === PHP_SESSION_ACTIVE)
		session_destroy();
}

function logout() {
	stopSession();

	header('Clear-Site-Data: "*"');

	redir();
}

function setupDisplayUsername($display_username) {
	$nonce = random_bytes(24);
	$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
	$cyphertext = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
		htmlspecialchars($display_username),
		NULL,
		$nonce,
		$key
	);

	$_SESSION['display-username-nonce'] = $nonce;
	setcookie(
		'display-username-decryption-key',
		base64_encode($key),
		[
			'expires' => time() + 432000,
			'path' => CONF['common']['prefix'] . '/',
			'secure' => true,
			'httponly' => true,
			'samesite' => 'Strict'
		]
	);
	$_SESSION['display-username-cyphertext'] = $cyphertext;
}

function rateLimit() {
	if (PAGE_METADATA['tokens_account_cost'] ?? 0 > 0)
		rateLimitAccount(PAGE_METADATA['tokens_account_cost']);

	if (PAGE_METADATA['tokens_instance_cost'] ?? 0 > 0)
		rateLimitInstance(PAGE_METADATA['tokens_instance_cost']);
}

function rateLimitAccount($requestedTokens) {
	// Get
	$userData = query('select', 'users', ['id' => $_SESSION['id']]);
	$tokens = $userData[0]['bucket_tokens'];
	$bucketLastUpdate = $userData[0]['bucket_last_update'];

	// Compute
	$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));

	if ($requestedTokens > $tokens)
		output(453, _('Account rate limit reached, try again later.'));

	$tokens -= $requestedTokens;

	// Update
	DB->prepare('UPDATE users SET bucket_tokens = :bucket_tokens, bucket_last_update = :bucket_last_update WHERE id = :id')
	->execute([
		':bucket_tokens' => $tokens,
		':bucket_last_update' => time(),
		':id' => $_SESSION['id']
	]);
}

function rateLimitInstance($requestedTokens) {
	// Get
	$tokens = query('select', 'params', ['name' => 'instance_bucket_tokens'], 'value')[0];
	$bucketLastUpdate = query('select', 'params', ['name' => 'instance_bucket_last_update'], 'value')[0];

	// Compute
	$tokens = min(86400, $tokens + (time() - $bucketLastUpdate));

	if ($requestedTokens > $tokens)
		output(453, _('Global rate limit reached, try again later.'));

	$tokens -= $requestedTokens;

	// Update
	DB->prepare("UPDATE params SET value = :bucket_tokens WHERE name = 'instance_bucket_tokens';")
	->execute([':bucket_tokens' => $tokens]);

	DB->prepare("UPDATE params SET value = :bucket_last_update WHERE name = 'instance_bucket_last_update';")
	->execute([':bucket_last_update' => time()]);
}