author | Yohann Ferreira <yohann_dot_ferreira_at_orange_dot_efer> | 2010-11-09 23:37:22 +0100 |
---|---|---|
committer | Yohann Ferreira <yohann_dot_ferreira_at_orange_dot_efer> | 2010-11-09 23:37:22 +0100 |
commit | 8369416cdfd2782860032bc524b5c58c0f1c06a7 (patch) | |
tree | fc6fe85961d594564b55b8faeeae52494d21bedd /src | |
parent | 2a56e837b5d0c7ac2611e1941dd1447f704145ed (diff) | |
Fixed unregistering on the server-side.
When registering or logging in, the client hashes the password
to send it safely, and the server hashes it again
to store it the same way. Hence, the password ends up hashed twice,
which is correct because the server can't trust the client anyway.
On an unregister attempt, the server wasn't hashing the password
before comparing it.
While at it, I also made the corresponding SQL query use the try/catch
method and only delete the account in memory when that is also done
in the Db.
Reviewed-by: thorbjorn, Freeyorp.
Diffstat (limited to 'src')
-rw-r--r-- | src/account-server/accounthandler.cpp | 7 | ||||
-rw-r--r-- | src/account-server/storage.cpp | 22 |
2 files changed, 20 insertions, 9 deletions
diff --git a/src/account-server/accounthandler.cpp b/src/account-server/accounthandler.cpp
index 8fa0576..d76a6b1 100644
--- a/src/account-server/accounthandler.cpp
+++ b/src/account-server/accounthandler.cpp
@@ -535,8 +535,6 @@ void AccountHandler::handleUnregisterMessage(AccountClient &client,
 MessageIn &msg)
 {
 LOG_DEBUG("AccountHandler::handleUnregisterMessage");
- std::string username = msg.readString();
- std::string password = msg.readString();
 MessageOut reply(APMSG_UNREGISTER_RESPONSE);
@@ -547,6 +545,9 @@ void AccountHandler::handleUnregisterMessage(AccountClient &client,
 return;
 }
+ std::string username = msg.readString();
+ std::string password = msg.readString();
+
 if (stringFilter->findDoubleQuotes(username))
 {
 reply.writeInt8(ERRMSG_INVALID_ARGUMENT);
@@ -557,7 +558,7 @@ void AccountHandler::handleUnregisterMessage(AccountClient &client,
 // See whether the account exists
 Account *acc = storage->getAccount(username);
- if (!acc || acc->getPassword() != password)
+ if (!acc || acc->getPassword() != sha256(password))
 {
 reply.writeInt8(ERRMSG_INVALID_ARGUMENT);
 client.send(reply);
diff --git a/src/account-server/storage.cpp b/src/account-server/storage.cpp
index 84dfedc..20f9fe5 100644
--- a/src/account-server/storage.cpp
+++ b/src/account-server/storage.cpp
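Review bot: The credential check in the third hunk, `acc->getPassword() != sha256(password)`, still open-codes the hashing at the call site, which is how this handler came to differ from register/login in the first place; I would move it behind one verification helper shared by every handler, for example `if (!acc || !acc->passwordMatches(password))` (the helper name is a suggestion, it does not exist in the visible code). That helper is also the place to make the comparison constant-time, since `!=` on strings presumably returns at the first differing byte. `sha256` is given only the password here, so the stored value looks like an unsalted fast hash of a client value that is itself password-equivalent on the wire; a per-account salt with a deliberately slow KDF on the server would be worth a follow-up. The function starts and ends outside the hunk.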
@@ -1037,14 +1037,24 @@ void Storage::flush(Account *account)
 */
 void Storage::delAccount(Account *account)
 {
- account->setCharacters(Characters());
+ // Sync the account info into the database.
 flush(account);
- // delete the account.
- std::ostringstream sql;
- sql << "delete from " << ACCOUNTS_TBL_NAME
- << " where id = '" << account->getID() << "';";
- mDb->execSql(sql.str());
+ try
+ {
+ // Delete the account.
+ std::ostringstream sql;
+ sql << "delete from " << ACCOUNTS_TBL_NAME
+ << " where id = '" << account->getID() << "';";
+ mDb->execSql(sql.str());
+
+ // Remove the account's characters.
+ account->setCharacters(Characters());
+ }
+ catch (const std::exception &e)
+ {
+ LOG_ERROR("ERROR in DALStorage::delAccount: " << e.what());
+ }
 }
 /** |
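Review bot: The new catch block in `Storage::delAccount` only logs, and the function returns void, so a failed delete is indistinguishable from a successful one to the caller; the unregister handler (not visible in this hunk) would presumably still report success while the account row survives. Either rethrow after logging (`LOG_ERROR(...); throw;`) or return a bool that the handler checks before replying. Separately, `flush(account)` now runs with the characters still attached and sits outside the `try`, so unless the schema cascades deletes from the accounts table the character rows may be left behind after the account is gone; that is worth confirming, along with wrapping flush and delete in one transaction if the DAL offers one. The log text says `DALStorage::delAccount` while the class is `Storage`.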