From 542d23d7c7f6a9f8586ac1fcef65b7cc58b91a81 Mon Sep 17 00:00:00 2001
From: reidlab
Date: Sun, 3 Sep 2023 16:21:24 -0700
Subject: [PATCH 1/5] formatting changes
---
 readme.md | 1 +
 src/endpoints/accounts/login_account.rs | 15 +++++++++------
 src/endpoints/accounts/register_account.rs | 2 ++
 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/readme.md b/readme.md
index 4a42832..9f66f88 100644
--- a/readme.md
+++ b/readme.md
@@ -34,6 +34,7 @@ _these features are implemented_
 ## todo
+- when gjp2 is finally dropped we should 100% swap so it works in two point two
 - green name users (fuck green names!!)
 - move authorization logic to (./src/helpers/accounts.rs)[./src/helpers/accounts.rs]
 - maybe swap to timestamp type instead of `(TO_CHAR(CURRENT_TIMESTAMP, 'YYYY-MM-DD HH24:MI:SS.MS'))` (thats REALLY ugly!!)
\ No newline at end of file
diff --git a/src/endpoints/accounts/login_account.rs b/src/endpoints/accounts/login_account.rs
index f84fa50..0fc70b4 100644
--- a/src/endpoints/accounts/login_account.rs
+++ b/src/endpoints/accounts/login_account.rs
@@ -34,18 +34,21 @@ pub fn login_account(input: Form) -> status::Custom<&'static s
 {
 use crate::schema::accounts::dsl::*;
- let account_id_password_result = accounts
 .select((id, password))
 .filter(username.eq(input.userName.clone()))
 .get_result::<(i32, String)>(connection);
- match account_id_password_result {
- Ok(account_id_password) => {
- let user_id = helpers::accounts::get_user_id_from_account_id(account_id_password.0);
+ match query_result {
+ Ok((
+ account_id_val,
+ password_val
+ )) => {
+ let user_id = helpers::accounts::get_user_id_from_account_id(account_id_val);
- match verify_password(input.password.clone().as_bytes(), account_id_password.1.as_str()) {
+ match verify_password(input.password.clone().as_bytes(), password_val.as_str()) {
 Ok(_) => return status::Custom(Status::Ok,
- Box::leak(format!("{},{}", account_id_password.0, user_id).into_boxed_str())
+ Box::leak(format!("{},{}", account_id_val, user_id).into_boxed_str())
 ),
 Err(_) => return status::Custom(Status::Ok, "-11")
 };
diff --git a/src/endpoints/accounts/register_account.rs b/src/endpoints/accounts/register_account.rs
index c754a52..92c02f5 100644
--- a/src/endpoints/accounts/register_account.rs
+++ b/src/endpoints/accounts/register_account.rs
@@ -66,6 +66,7 @@ pub fn register_account(input: Form) -> status::Custom<&'st
 gjp2: generate_hash(helpers::encryption::get_gjp2(input.password.clone())),
 email: input.email.clone()
 };
+
 inserted_account = diesel::insert_into(accounts)
 .values(&new_account)
 .get_result::(connection)
@@ -83,6 +84,7 @@ pub fn register_account(input: Form) -> status::Custom<&'st
 username: input.userName.clone(),
 registered: 1
 };
+
 diesel::insert_into(users)
 .values(&new_user)
 .get_result::(connection)
From ef0e48e67361e92e9fddfb3c240488b0b06866b0 Mon Sep 17 00:00:00 2001
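Review bot: The success path on the new side leaks heap memory on every login: `Box::leak(format!("{},{}", account_id_val, user_id).into_boxed_str())` hands out a `&'static str` that is never reclaimed, so the process grows by one allocation per successful request until it is restarted. The `&'static str` return type is what forces the leak; changing the handler to return `status::Custom<String>` and writing `Ok(_) => return status::Custom(Status::Ok, format!("{},{}", account_id_val, user_id)),` removes it, with the fixed replies becoming `"-11".to_string()` and so on. While here, `input.password.clone().as_bytes()` copies the password only to borrow it; `input.password.as_bytes()` is enough. The handler's signature and the rest of its body are outside this hunk, and the same leak is carried into this hunk's rewrite in patch 2 (`@@ -35,23 +43,18 @@`).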
From: reidlab
Date: Mon, 4 Sep 2023 03:16:11 -0700
Subject: [PATCH 2/5] AUTH REWORK!!!! + add wip level
---
 Cargo.lock | 7 ++++
 Cargo.toml | 1 +
 readme.md | 6 +--
 src/endpoints/accounts/login_account.rs | 35 +++++++++-------
 src/endpoints/levels.rs | 1 +
 src/endpoints/levels/upload_level.rs | 51 ++++++++++++++++++++++
 src/helpers/accounts.rs | 56 ++++++++++++++++++++++++-
 src/helpers/encryption.rs | 8 +++-
 8 files changed, 144 insertions(+), 21 deletions(-)
 create mode 100644 src/endpoints/levels/upload_level.rs
diff --git a/Cargo.lock b/Cargo.lock
index aa19066..0a93b9a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -68,6 +68,12 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+[[package]]
+name = "base64"
+version = "0.21.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "414dcefbc63d77c526a76b3afcf6fbb9b5e2791c19c3aa2297733208750c6e53"
+
 [[package]]
 name = "base64ct"
 version = "1.6.0"
@@ -406,6 +412,7 @@ dependencies = [
 name = "gdps-server"
 version = "0.0.0"
 dependencies = [
+ "base64",
 "diesel",
 "dotenvy",
 "maplit",
diff --git a/Cargo.toml b/Cargo.toml
index 7b492b9..acf5aa9 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -4,6 +4,7 @@ version = "0.0.0"
 edition = "2021"
 [dependencies]
+base64 = "0.21.3"
 diesel = { version = "=2.1.0", features = ["postgres"] }
 dotenvy = "0.15.7"
 maplit = "1.0.2"
diff --git a/readme.md b/readme.md
index 9f66f88..afe0efa 100644
--- a/readme.md
+++ b/readme.md
@@ -34,7 +34,7 @@ _these features are implemented_ ## todo -- when gjp2 is finally dropped we should 100% swap so it works in two point two -- green name users (fuck green names!!) -- move authorization logic to (./src/helpers/accounts.rs)[./src/helpers/accounts.rs] +- clean auth function (wtf is that!) +- add udid auth to auth function +- add level parsing - maybe swap to timestamp type instead of `(TO_CHAR(CURRENT_TIMESTAMP, 'YYYY-MM-DD HH24:MI:SS.MS'))` (thats REALLY ugly!!) \ No newline at end of file diff --git a/src/endpoints/accounts/login_account.rs b/src/endpoints/accounts/login_account.rs index 0fc70b4..bda02e3 100644 --- a/src/endpoints/accounts/login_account.rs +++ b/src/endpoints/accounts/login_account.rs @@ -1,4 +1,3 @@ -use password_auth::verify_password; use rocket::form::Form; use rocket::http::Status; use rocket::response::status; @@ -11,7 +10,10 @@ use crate::db; #[derive(FromForm)] pub struct FromLoginAccount { userName: String, - password: String + + password: Option, + gjp: Option, + gjp2: Option, } #[post("/accounts/loginGJAccount.php", data = "")] @@ -22,8 +24,14 @@ pub fn login_account(input: Form) -> status::Custom<&'static s return status::Custom(Status::Ok, "-4") } - if input.password.len() < 6 { - return status::Custom(Status::Ok, "-8") + // gjp2 checks dont matter, its hashed, gjp checks would break bc its base64, and why does this check exist if its just for logging in robtop this is useless it doesnt provide security we already did the security on the register account u fucking faggot im really bored of working on this but im also excited to see if it works deepwoken solos mid dash + match input.password.clone() { + Some(password_val) => { + if password_val.len() < 6 { + return status::Custom(Status::Ok, "-8") + } + }, + None => {} } if input.userName.len() < 3 { 
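Review bot: The new `match input.password.clone() { Some(password_val) => { ... }, None => {} }` clones the password and spells out an empty `None` arm for what is a single conditional; `if let Some(password_val) = &input.password { if password_val.len() < 6 { return status::Custom(Status::Ok, "-8") } }` does the same without the copy. The long comment above it should be cut down to its technical content — that only a plaintext `password` has a length worth checking because `gjp` arrives base64-encoded and `gjp2` is a hash — since as written it carries nothing a maintainer can act on. `login_account`'s signature and the rest of its body are outside this hunk.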
@@ -35,23 +43,18 @@ pub fn login_account(input: Form) -> status::Custom<&'static s
 use crate::schema::accounts::dsl::*;
 let query_result = accounts
- .select((id, password))
+ .select(id)
 .filter(username.eq(input.userName.clone()))
- .get_result::<(i32, String)>(connection);
+ .get_result::(connection);
 match query_result {
- Ok((
- account_id_val,
- password_val
- )) => {
- let user_id = helpers::accounts::get_user_id_from_account_id(account_id_val);
+ Ok(account_id_val) => {
+ let user_id_val = helpers::accounts::get_user_id_from_account_id(account_id_val);
- match verify_password(input.password.clone().as_bytes(), password_val.as_str()) {
- Ok(_) => return status::Custom(Status::Ok,
- Box::leak(format!("{},{}", account_id_val, user_id).into_boxed_str())
- ),
+ match helpers::accounts::auth(account_id_val, input.password.clone(), input.gjp.clone(), input.gjp2.clone()) {
+ Ok(_) => return status::Custom(Status::Ok, Box::leak(format!("{},{}", user_id_val, account_id_val).into_boxed_str())),
 Err(_) => return status::Custom(Status::Ok, "-11")
- };
+ }
 },
 Err(_) => return status::Custom(Status::Ok, "-1")
 }
diff --git a/src/endpoints/levels.rs b/src/endpoints/levels.rs
index e69de29..9d965be 100644
--- a/src/endpoints/levels.rs
+++ b/src/endpoints/levels.rs
@@ -0,0 +1 @@
+pub mod upload_level;
\ No newline at end of file
diff --git a/src/endpoints/levels/upload_level.rs b/src/endpoints/levels/upload_level.rs
new file mode 100644
index 0000000..f254bc1
--- /dev/null
+++ b/src/endpoints/levels/upload_level.rs
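Review bot: The success reply now puts `user_id_val` before `account_id_val`, whereas the removed line emitted `account_id_val, user_id`; unless the client is known to accept the reversed order this is a behaviour change the commit message does not mention, so either keep the old order or call the protocol change out explicitly. `helpers::accounts::auth` also opens its own database connection and re-reads the account row this handler has just selected by `username`, which doubles the round trips per login; passing the existing `connection` into `auth` would avoid that. The `Err(_)` arm maps every `AuthError` variant to `-11`, so matching `AuthError::WrongPassword` explicitly keeps the failure codes meaningful if `auth` gains variants. The handler's signature is outside this hunk.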
@@ -0,0 +1,51 @@
+// use password_auth::verify_password;
+// use rocket::form::Form;
+// use rocket::http::Status;
+// use rocket::response::status;
+
+// use diesel::prelude::*;
+
+// use crate::helpers;
+// use crate::db;
+
+// #[derive(FromForm)]
+// pub struct FromLoginAccount {
+// accountID: i32,
+// gjp: String
+// }
+
+// #[post("/accounts/loginGJAccount.php", data = "")]
+// pub fn login_account(input: Form) -> status::Custom<&'static str> {
+// let connection = &mut db::establish_connection_pg();
+
+// // account verification
+// let (user_id, account_id): (i32, i32);
+
+// {
+// use crate::schema::accounts::dsl::*;
+
+// let query_result = accounts
+// .select((id, password))
+// .filter(username.eq(input.userName.clone()))
+// .get_result::<(i32, String)>(connection);
+
+// match query_result {
+// Ok((
+// account_id_val,
+// password_val
+// )) => {
+// user_id = helpers::accounts::get_user_id_from_account_id(account_id_val);
+
+// match verify_password(input.password.clone().as_bytes(), password_val.as_str()) {
+// Ok(_) => return status::Custom(Status::Ok,
+// Box::leak(format!("{},{}", account_id_val, user_id).into_boxed_str())
+// ),
+// Err(_) => return status::Custom(Status::Ok, "-11")
+// };
+// },
+// Err(_) => return status::Custom(Status::Ok, "-1")
+// }
+// }
+
+// return status::Custom(Status::Ok, "1")
+// }
\ No newline at end of file
diff --git a/src/helpers/accounts.rs b/src/helpers/accounts.rs
index 2cd1b08..2f22c9e 100644
--- a/src/helpers/accounts.rs
+++ b/src/helpers/accounts.rs
@@ -1,6 +1,60 @@
 use diesel::prelude::*;
+use password_auth::verify_password;
-use crate::db;
+use crate::{db, helpers};
+
+// returns userid, accountid
+pub enum AuthError {
+ WrongPassword,
+ AccountNotFound
+}
+
+pub fn auth(account_id: i32, password_val: Option, gjp_val: Option, gjp2_val: Option) -> Result<(i32, i32), AuthError> {
+ use crate::schema::accounts::dsl::*;
+
+ let connection = &mut db::establish_connection_pg();
+
+ let query_result = accounts
+ .select((password, gjp2))
+ .filter(id.eq(account_id))
+ .get_result::<(String, String)>(connection);
+
+ match query_result {
+ Ok((
+ password_queried_val,
+ gjp2_queried_val
+ )) => {
+ match password_val {
+ Some(password_val) => {
+ match verify_password(password_val, &password_queried_val) {
+ Ok(_) => return Ok((get_user_id_from_account_id(account_id), account_id)),
+ Err(_) => return Err(AuthError::WrongPassword)
+ }
+ },
+ None => match gjp_val {
+ Some(gjp_val) => {
+ match verify_password(helpers::encryption::decode_gjp(gjp_val), &password_queried_val) {
+ Ok(_) => return Ok((get_user_id_from_account_id(account_id), account_id)),
+ Err(_) => return Err(AuthError::WrongPassword)
+ }
+ },
+ None => match gjp2_val {
+ Some(gjp2_val) => {
+ match verify_password(gjp2_val, &gjp2_queried_val) {
+ Ok(_) => return Ok((get_user_id_from_account_id(account_id), account_id)),
+ Err(_) => return Err(AuthError::WrongPassword)
+ }
+ },
+ None => {
+ return Err(AuthError::WrongPassword)
+ }
+ }
+ }
+ }
+ },
+ Err(_) => return Err(AuthError::AccountNotFound)
+ }
+}
 pub fn get_user_id_from_account_id(ext_id: i32) -> i32 {
 use crate::schema::users::dsl::*;
diff --git a/src/helpers/encryption.rs b/src/helpers/encryption.rs
index fb3f088..19b9e9b 100644
--- a/src/helpers/encryption.rs
+++ b/src/helpers/encryption.rs
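Review bot: `auth` nests three `match` levels that each repeat the same `verify_password` → `Ok((get_user_id_from_account_id(account_id), account_id))` / `Err(AuthError::WrongPassword)` pair; choosing the one credential to check first and verifying once makes the precedence a single decision that cannot drift between arms (rewrite below, the signature and query are unchanged). The `// returns userid, accountid` comment sits above `pub enum AuthError` but describes `auth`'s return value; move it onto the function as `/// Returns `(user_id, account_id)` when the supplied credential matches.` and give `AuthError` `#[derive(Debug)]` so callers can log it. `auth` also calls `db::establish_connection_pg()` itself although every caller already holds a connection; accepting the caller's connection as a `&mut` parameter would avoid opening a second one per request. `helpers::encryption::decode_gjp` can panic on malformed input, which this function has no way to recover from; that is raised on the encryption.rs hunk.
```rust
    // … unchanged: `use`, connection setup and the (password, gjp2) query …
    let (password_queried_val, gjp2_queried_val) = match query_result {
        Ok(row) => row,
        Err(_) => return Err(AuthError::AccountNotFound),
    };

    // Exactly one credential is checked, in the same precedence as before:
    // plaintext password, then gjp (decoded back to the plaintext), then gjp2.
    let (candidate, stored_hash) = match (password_val, gjp_val, gjp2_val) {
        (Some(p), _, _) => (p, password_queried_val),
        (None, Some(g), _) => (helpers::encryption::decode_gjp(g), password_queried_val),
        (None, None, Some(g2)) => (g2, gjp2_queried_val),
        (None, None, None) => return Err(AuthError::WrongPassword),
    };

    verify_password(candidate, &stored_hash)
        .map(|_| (get_user_id_from_account_id(account_id), account_id))
        .map_err(|_| AuthError::WrongPassword)
```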
@@ -1,7 +1,7 @@
 use sha::sha1::Sha1;
 use sha::utils::{Digest, DigestExt};
-use password_auth::generate_hash;
+use base64::{Engine as _, engine::general_purpose};
 pub fn cyclic_xor(data: &[u8], key: &[u8]) -> Vec {
 data.iter()
@@ -21,4 +21,10 @@ pub fn cyclic_xor_string(string: &str, key: &str) -> String {
 pub fn get_gjp2(password: String) -> String {
 return Sha1::default().digest(String::from(password + "mI29fmAnxgTs").as_bytes()).to_hex();
+}
+
+pub fn decode_gjp(gjp: String) -> String {
+ let base64_decoded = String::from_utf8(general_purpose::STANDARD_NO_PAD.decode(gjp).expect("couldn't decode base64")).expect("invalid UTF-8 sequence (how)");
+ let xor_decoded = cyclic_xor_string(&base64_decoded, "37526");
+ return xor_decoded
 }
\ No newline at end of file
From 9ecb8b4ae832561494e57ae05740fe9bce75431c Mon Sep 17 00:00:00 2001
From: reidlab
Date: Mon, 4 Sep 2023 03:18:40 -0700
Subject: [PATCH 3/5] fix auth
---
 src/helpers/encryption.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/helpers/encryption.rs b/src/helpers/encryption.rs
index 19b9e9b..ab4ef12 100644
--- a/src/helpers/encryption.rs
+++ b/src/helpers/encryption.rs
@@ -24,7 +24,7 @@ pub fn get_gjp2(password: String) -> String {
 }
 pub fn decode_gjp(gjp: String) -> String {
- let base64_decoded = String::from_utf8(general_purpose::STANDARD_NO_PAD.decode(gjp).expect("couldn't decode base64")).expect("invalid UTF-8 sequence (how)");
+ let base64_decoded = String::from_utf8(general_purpose::STANDARD.decode(gjp).expect("couldn't decode base64")).expect("invalid UTF-8 sequence (how)");
+ let xor_decoded = cyclic_xor_string(&base64_decoded, "37526");
+ return xor_decoded
 }
\ No newline at end of file
From 66489506ac24348edcfd697ed251aa9a61176426 Mon Sep 17 00:00:00 2001
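Review bot: `decode_gjp` calls `.expect()` twice on a value that comes straight from the login form, so a `gjp` field that is not valid base64 or not UTF-8 panics inside the request handler instead of being treated as a failed login. Returning `Option<String>` and letting `auth` map `None` to `AuthError::WrongPassword` keeps malformed input on the normal error path (rewrite below, written against the `STANDARD` engine that patch 3 switches to). Patch 3's `@@ -24,7 +24,7 @@` hunk rewrites this line and keeps both `expect` calls. The `return xor_decoded` tail should also be the bare expression `xor_decoded`, as clippy's `needless_return` points out.
```rust
pub fn decode_gjp(gjp: String) -> Option<String> {
    // Malformed client input yields None instead of a panic; callers treat it as a failed login.
    let raw = general_purpose::STANDARD.decode(gjp).ok()?;
    let base64_decoded = String::from_utf8(raw).ok()?;
    Some(cyclic_xor_string(&base64_decoded, "37526"))
}
```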
From: reidlab
Date: Mon, 4 Sep 2023 03:41:32 -0700
Subject: [PATCH 4/5] more level boilerplate
---
 readme.md | 4 +-
 src/endpoints/levels/upload_level.rs | 73 +++++++++++-----------------
 src/main.rs | 4 +-
 3 files changed, 34 insertions(+), 47 deletions(-)
diff --git a/readme.md b/readme.md
index afe0efa..9d7eb6f 100644
--- a/readme.md
+++ b/readme.md
@@ -34,7 +34,7 @@ _these features are implemented_
 ## todo
-- clean auth function (wtf is that!)
-- add udid auth to auth function
+- probably work on the code warnings we get hehe
+- green name users... (add udid auth to auth function, use userName instead of accountID in uploading levels, and it goes on and on and on and on...)
 - add level parsing
 - maybe swap to timestamp type instead of `(TO_CHAR(CURRENT_TIMESTAMP, 'YYYY-MM-DD HH24:MI:SS.MS'))` (thats REALLY ugly!!)
\ No newline at end of file
diff --git a/src/endpoints/levels/upload_level.rs b/src/endpoints/levels/upload_level.rs
index f254bc1..2444bca 100644
--- a/src/endpoints/levels/upload_level.rs
+++ b/src/endpoints/levels/upload_level.rs
@@ -1,51 +1,36 @@
-// use password_auth::verify_password;
-// use rocket::form::Form;
-// use rocket::http::Status;
-// use rocket::response::status;
+use password_auth::verify_password;
+use rocket::form::Form;
+use rocket::http::Status;
+use rocket::response::status;
-// use diesel::prelude::*;
+use diesel::prelude::*;
-// use crate::helpers;
-// use crate::db;
+use crate::helpers;
+use crate::db;
-// #[derive(FromForm)]
-// pub struct FromLoginAccount {
-// accountID: i32,
-// gjp: String
-// }
-
-// #[post("/accounts/loginGJAccount.php", data = "")]
-// pub fn login_account(input: Form) -> status::Custom<&'static str> {
-// let connection = &mut db::establish_connection_pg();
+#[derive(FromForm)]
+pub struct FormUploadLevel {
+ accountID: i32,
-// // account verification
-// let (user_id, account_id): (i32, i32);
+ password: Option,
+ gjp: Option,
+ gjp2: Option,
+}
-// {
-// use crate::schema::accounts::dsl::*;
+#[post("/uploadGJLevel21.php", data = "")]
+pub fn upload_level(input: Form) -> status::Custom<&'static str> {
+ let connection = &mut db::establish_connection_pg();
-// let query_result = accounts
-// .select((id, password))
-// .filter(username.eq(input.userName.clone()))
-// .get_result::<(i32, String)>(connection);
-
-// match query_result {
-// Ok((
-// account_id_val,
-// password_val
-// )) => {
-// user_id = helpers::accounts::get_user_id_from_account_id(account_id_val);
-
-// match verify_password(input.password.clone().as_bytes(), password_val.as_str()) {
-// Ok(_) => return status::Custom(Status::Ok,
-// Box::leak(format!("{},{}", account_id_val, user_id).into_boxed_str())
-// ),
-// Err(_) => return status::Custom(Status::Ok, "-11")
-// };
-// },
-// Err(_) => return status::Custom(Status::Ok, "-1")
-// }
-// }
+ // account verification
+ let (user_id_val, account_id_val): (i32, i32);
-// return status::Custom(Status::Ok, "1")
-// }
\ No newline at end of file
+ match helpers::accounts::auth(input.accountID.clone(), input.password.clone(),
input.gjp.clone(), input.gjp2.clone()) {
+ Ok((user_id, account_id)) => {
+ user_id_val = user_id;
+ account_id_val = account_id;
+ },
+ Err(_) => return status::Custom(Status::Ok, "-1")
+ };
+
+ return status::Custom(Status::Ok, "1")
+}
\ No newline at end of file
diff --git a/src/main.rs b/src/main.rs
index bc0551e..6c30eb8 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -32,6 +32,8 @@ fn rocket() -> _ {
 endpoints::accounts::login_account::login_account,
 endpoints::accounts::register_account::register_account,
- endpoints::users::get_users::get_users
+ endpoints::users::get_users::get_users,
+
+ endpoints::levels::upload_level::upload_level
 ])
 }
\ No newline at end of file
From dfcd9e8921c1f9076cd5e5517327ae002b9b6a58 Mon Sep 17 00:00:00 2001
From: reidlab
Date: Mon, 4 Sep 2023 03:48:14 -0700
Subject: [PATCH 5/5] `rm .keep`
---
 src/endpoints/levels/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 src/endpoints/levels/.keep
diff --git a/src/endpoints/levels/.keep b/src/endpoints/levels/.keep
deleted file mode 100644
index e69de29..0000000
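Review bot: The new handler binds `user_id_val` and `account_id_val` from `auth` but never reads them, declares `connection` without using it, and imports `password_auth::verify_password` without calling it, so the file compiles with several warnings (the readme todo added in the same patch already mentions the warnings). `input.accountID.clone()` also clones a `Copy` `i32`; `input.accountID` is enough. Binding the result directly, `let (user_id_val, account_id_val) = match helpers::accounts::auth(input.accountID, input.password.clone(), input.gjp.clone(), input.gjp2.clone()) { Ok(ids) => ids, Err(_) => return status::Custom(Status::Ok, "-1") };`, removes the uninitialised declaration, and a `// TODO: parse and store the level before reporting success` above the unconditional `"1"` reply would make clear that the endpoint currently reports success without storing anything. This hunk starts on the previous line.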